diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ar_SA.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ar_SA.properties index dab27c3ce17..22d07137b15 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ar_SA.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ar_SA.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] \u0627\u0644\u062d\u0642\u0644\: [{1}]\u060c \u0627\u0644\u0642\u064a\u0645\u0629 [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. 
ascanrules.sqlinjection.alert.unionbased.attack = [{0}] \u0627\u0644\u062d\u0642\u0644\: [{1}]\u060c \u0627\u0644\u0642\u064a\u0645\u0629 [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. 
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_az_AZ.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_az_AZ.properties index 311a8b352a4..0292fa43a39 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_az_AZ.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_az_AZ.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buferin a\u015fmas\u0131 -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
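Review bot: In the `@@ -33,22 +33,22 @@` hunk, `ascanrules.directorybrowsing.soln` is re-emitted with no visible change, yet the sentence `make sure the listed files does not induce risks` still has a subject-verb mismatch; since the line is being touched anyway, change it to `make sure the listed files do not induce risks`. The same hunk rewrites `ascanrules.elmah.otherinfo` with no visible difference either, so presumably whitespace only; say so in the commit message.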
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = S\u0259tir format\u0131 s\u0259hvi ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
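Review bot: In the `@@ -62,13 +62,13 @@` hunk, the new periods in `ascanrules.formatstring.error1` and `error2` land directly after the `/%s` and `/%x` tokens (`... closed the connection on a /%s.`), where someone reading the alert can take the dot as part of the probe string; quoting the tokens or bracketing them the way the sqlinjection alerts bracket their values would remove the ambiguity. The `microsoft` to `Microsoft` capitalisation fix in `error3` is fine.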
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = K\u0259nar fayl\u0131n y\u00fckl\u0259nm\u0259si -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. 
This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Sours kodun if\u015fa olunmas\u0131 - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
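Review bot: In the `@@ -123,33 +123,33 @@` hunk, the trailing period added to `ascanrules.serversideinclude.soln` is appended to the last Apache directive, so the value now ends `AddType text/x-server-parsed-html .html.`; anyone copying that line into httpd.conf gets a bogus `.html.` extension. Drop that period, or end the prose sentence before the directive list instead. While the line is being touched, `Refer to manual to disable Sever Side Include` should read `Server Side Include`. In the same hunk, `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` is re-emitted with no visible change but still says `Properties file are not intended`; make it `Properties files are not intended`.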
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = sah\u0259\: [{0}], qiym\u0259t [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] sah\u0259\: [{1}], qiym\u0259t [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] sah\u0259\: [{1}], qiym\u0259t [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
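Review bot: In the `@@ -164,19 +164,19 @@` hunk, the trailing periods added to the sqlinjection `extrainfo` values leave the first sentence of each two-line message unterminated: `...using the boolean conditions [{0}] and [{1}]\nThe parameter value...` (likewise `expressionbased`, `orderbybased` and `unionbased`) now carries a period only after the second sentence. Either add a period before the `\n` as well or leave these values alone; half-punctuated messages look worse in the alert pane than unpunctuated ones. Also confirm that `{2}stripped` / `{1}stripped` with no space is deliberate, i.e. the argument is either empty or `NOT ` with its own trailing space; if so, a `#` comment above the key (the file already uses `#ascanrules.sqlinjection.alert.errorbased.attack={1}` in this style) would stop the next contributor from "fixing" it. The doubled `''UNION''` is the correct MessageFormat escape given the placeholders in that value.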
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_bn_BD.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_bn_BD.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_bn_BD.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_bn_BD.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
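Review bot: `ascanrules.directorybrowsing.soln` is rewritten in this hunk but keeps the agreement error "make sure the listed files does not induce risks"; change it to "make sure the listed files do not pose a risk" while the line is being touched.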
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
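Review bot: in the `ascanrules.formatstring.error1` and `error2` lines of the -62 hunk, the new full stop sits directly after the probe token ("closed the connection on a /%s." and "on a /%s and /%x."), where a reader of the alert could take it for part of the string that was sent; end the sentence on a noun instead, e.g. "closed the connection on a /%s input." and "closed the connection on /%s and /%x input." The capitalisation fix to "Microsoft" in `error3` is correct.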
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
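Review bot: `ascanrules.parametertamper.desc` in this hunk still reads "This indicated lack of exception handling and potential areas for further exploit."; make it present tense and grammatical: "This indicates a lack of exception handling and potential areas for further exploitation." In `parametertamper.soln`, "enforce a tight check in the server side" should be "on the server side".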
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
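Review bot: the new full stop in `ascanrules.serversideinclude.soln` lands on the last Apache directive, producing "AddType text/x-server-parsed-html .html." which a user pasting the directives into a config could copy verbatim; terminate the prose sentence before "For Apache, disable the following:" and leave the three directive lines unpunctuated. The same value still carries the typo "Sever Side Include", and `sourcecodedisclosurewebinf.propertiesfile.desc` keeps "Properties file are not intended" where "Properties files are not intended" is meant.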
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
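Review bot: the punctuation fix in the sqlinjection `extrainfo` values of the -164 hunk is applied inconsistently: `booleanbased.extrainfo`, `expressionbased.extrainfo`, `orderbybased.extrainfo` and `unionbased.extrainfo` get a full stop only after the final `\n`-separated sentence, while the sentence before the `\n` ("...using the boolean conditions [{0}] and [{1}]") still has none; terminate both halves. The context line `ascanrules.sqlinjection.authbypass.desc` also still ends in "...mechanism to be bypassed" without the full stop the rest of this change adds to every other `desc`.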
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_bs_BA.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_bs_BA.properties index 86f23bc774c..1d26155dd85 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_bs_BA.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_bs_BA.properties 
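Review bot: the files changed here are locale bundles (`Messages_ar_SA.properties`, and from the file header that follows, `Messages_bs_BA.properties`) whose values are the untranslated English strings, and this diff edits those values in place; if the bundles are regenerated from a translation platform, hand edits will be overwritten at the next import, so the wording fixes should be made in the base `Messages.properties` and flow down from there. Please confirm the base file carries the same change.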
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
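Review bot: `ascanrules.codeinjection.desc` in this hunk gains a full stop but keeps the dangling "may be possible including custom code that will be evaluated by the scripting engine"; clearer as "Code injection may be possible: custom code supplied in the input may be evaluated by the server-side scripting engine." The removal of the stray space after `\n` in `codeinjection.soln` is a good fix, as it previously rendered as an indented "Avoid" line.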
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
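Review bot: `ascanrules.envfiles.desc` in this hunk still has a number-agreement error, "One or more .env files seems to have been located"; use "seem". `ascanrules.elmah.otherinfo` would read better with a comma after the condition, "Based on the response status code, ELMAH may be protected by an authentication or authorization mechanism."; the same pattern recurs on the context line `envfiles.otherinfo`.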
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
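Review bot: `ascanrules.formatstring.desc` is rewritten here but keeps a description that is technically wrong: a format string error is not input "evaluated as a command", it is untrusted input passed as the format argument of a printf-family function so that its `%s`/`%x`/`%n` specifiers are interpreted, which is exactly what the `/%s` and `/%x` probes named in `formatstring.error1` and `formatstring.error2` rely on. The `.soln` line has the same problem, since "proper deletion of bad character strings" is not the remedy; the remedy is a constant format string with user data supplied as an argument (`printf("%s", input)` rather than `printf(input)`). Both corrections should go into the source Messages.properties rather than this locale copy.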
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
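Review bot: `ascanrules.parametertamper.desc` changes only in trailing whitespace, so the tense slip "This indicated lack of exception handling" is still present; it should read "This indicates a lack of exception handling". In the `.soln` line, "Besides, catch the exception properly. Use a generic 500 error page for internal server error." reads as an afterthought; "Catch exceptions and return a generic 500 error page instead of a stack trace." carries the same advice without the connective. Fix in the source strings and resync.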
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
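Review bot: the period appended to `ascanrules.serversideinclude.soln` lands on the last Apache directive, so the string now ends `AddType text/x-server-parsed-html .html.` and anyone copying the directives out of the alert gets `.html.` as the extension. Either leave this one string without a terminal period or move the three directives ahead of a closing sentence that can take the period. The same line still carries the typo "Refer to manual to disable Sever Side Include" (Sever -> Server), and `sourcecodedisclosurewebinf.propertiesfile.desc` still has "Properties file are not intended" (file -> files); both are worth fixing in the source while these strings are being touched.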
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] polje\: [{1}], vrijednost [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] polje\: [{1}], vrijednost [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
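Review bot: `ascanrules.sqlinjection.alert.errorbased.attack = [{0}] polje\: [{1}], vrijednost [{2}]` and the matching `unionbased.attack` line in this hunk's context are Croatian ("polje" = field, "vrijednost" = value) sitting inside the ar_SA properties file; the English form visible in the `booleanbased.attack` line is `field\: [{0}], value [{1}]`, so these look like a mis-routed translation and should be reset to the source string or translated into Arabic. Separately, the periods added to the `extrainfo` strings only close the final sentence: the first sentence of `booleanbased.extrainfo`, `expressionbased.extrainfo` and `orderbybased.extrainfo` still runs straight into `\n` without one, which is inconsistent within the same string.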
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ceb_PH.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ceb_PH.properties index eb5c15fb7f6..9b537e49774 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ceb_PH.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ceb_PH.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Ang mga sayup nga nagaawas sa pag-buffer kay gihulagway ang talamayon sa luna sa panumduman sa background nga pag-proseso sa web, nga kinahanglan nga wala pa gayud kini usba nga tinuyo o wala tuyoa. Ang pag-talamayon sa mga bili sa IP (Instruksiyon sa Pointer), BP (Base sa Pointer) ug uban pang mga rehistro ang hinungdan sa mga eksepsyon, kasaypanan sa sigmetasyon, ug uban pang mga proseso nga mga sayup nga mahitabo. Kasagaran kini nga mga sayop sa pagtapos sa paggamit sa aplikasyon sa usa ka wala damha nga paagi. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Ang Buffer Overflow -ascanrules.bufferoverflow.other = Potensyal sa nagaawas nga pag-buffer. Ang iskrip kay gisirhan ang koneksyon ug gilabay ang 500 sayup sa sulod nga server +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Balikag suwat ang programa sa background gamit ang husto nga pagbalik sa pagsusi. Nagkinahanglan kini og pagtipon ug balik sa mga background nga pwedeng ipatuman. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
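Review bot: this hunk drops the Cebuano translations of `bufferoverflow.desc`, `.other` and `.soln` and replaces them with the English source text, while `ascanrules.bufferoverflow.name = Ang Buffer Overflow` stays translated, so the alert will render with a Cebuano title and an English body. If this is the translation platform resetting strings because the source gained a trailing period, the existing translations should be carried over (the old Cebuano `.other` and `.soln` lines only need the period appended) rather than discarded; if the reset is intended, say so in the commit message so the loss is not mistaken for an accident.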
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = Ang usa ka kasayanan sa string sa format kay nahitabo sa diha nga ang gisumiter nga datos sa input string gi-evaluate ingon nga usa ka sugo sa aplikasyon. -ascanrules.formatstring.error1 = Kasaypanan sa potensyal na format sa string. Ang iskrip kay gisarhan ang koneksyon sa usa ka /%s -ascanrules.formatstring.error2 = Kasaypanan sa potensyal na format sa string. Ang iskrip kay gisarhan ang koneksyon sa usa ka /%s and /%x -ascanrules.formatstring.error3 = Kasaypanan sa potensyal na format sa string. Ang iskrip kay gisarhan ang koneksyon sa usa ka kasaypanan nga format sa string sa microsoft +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Kasaypanan sa Format sa String ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Balikag suwat ang programa sa background gamit ang husto nga pagtangtang sa dili maayo nga kinaiya sa mga string. Kini nagkinahanglan ug pagtipon ug usab sa mga background nga pwedeng ipatuman. 
+ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
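Review bot: same translation loss as for the buffer overflow strings: the Cebuano `formatstring.desc`, `.error1` to `.error3` and `.soln` lines are replaced by English while `ascanrules.formatstring.name = Kasaypanan sa Format sa String` keeps its translation, giving a mixed-language alert. The only source changes these lines track are a trailing period and "microsoft" -> "Microsoft", which the existing Cebuano text could absorb directly (for example `... gisarhan ang koneksyon sa usa ka /%s.`) instead of reverting to English; check whether the sync can preserve the translations.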
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Agi-anan sa Traversal 
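Review bot: The ascanrules.parametertamper.desc and .soln lines in the -110,9 hunk are rewritten with no visible change (whitespace only), yet two grammar problems in them are left as they were: "This indicated lack of exception handling" should be "This indicates a lack of exception handling", and "enforce a tight check in the server side" should be "on the server side". The same hunk recurs for the second file below, so the wording fix should be made once in the source strings rather than per locale.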
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File nga Gilakip -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. 
This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
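Review bot: In the -123,33 hunk the period appended to ascanrules.serversideinclude.soln lands on the last of three Apache directives the message lists verbatim, turning `AddType text/x-server-parsed-html .html` into `AddType text/x-server-parsed-html .html.`; anyone pasting the remediation into httpd.conf gets a bogus `.html.` extension. Leave the directive list unpunctuated (the sentence already ends at "For Apache, disable the following\:") and, since the line is being edited anyway, correct "Refer to manual to disable Sever Side Include" to "Server Side Include". The identical change is repeated in the second file's -123,33 hunk further down and needs the same fix.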
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
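Review bot: In the -164,19 hunk the added periods close only the final sentence of the multi-line sqlinjection extrainfo strings; the sentence before each `\n` (for example "...boolean conditions [{0}] and [{1}]\nThe parameter value...", and likewise the errorbased, expressionbased, orderbybased and unionbased variants) still has no terminator, so each alert reads as an unterminated sentence followed by a terminated one. End both sentences with a period or neither. Separately, "{2}stripped" and "{1}stripped" depend on the substituted argument supplying its own trailing space (presumably "" or "NOT "); a one-line comment above those keys would stop the next contributor from "fixing" the apparently missing space.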
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_da_DK.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_da_DK.properties index f700adc5a44..3db0833d48b 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_da_DK.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_da_DK.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
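Review bot: The ascanrules.bufferoverflow.desc and .soln pairs in the -1,9 hunk are byte-for-byte identical as rendered, so the change can only be trailing whitespace; please confirm that with `git diff --ws-error-highlight=all` so the hunk is not quietly altering text. While these lines are open, "proper return length checking" in the soln is the wrong notion: what prevents an overflow is bounds checking of input length against the destination buffer, and since this same English text is carried by more than one locale file in the patch, the wording fix should go into the source bundle once.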
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
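Review bot: The -11,20 hunk rewrites ascanrules.crlfinjection.desc only to drop trailing whitespace but leaves its grammar: "Cookie can be set via CRLF injection" should read "A cookie can be set via CRLF injection", and "using cross-site script" should be "using cross-site scripting". The ascanrules.codeinjection.soln change, removing the space after `\n` before "Avoid", is correct, as that space would otherwise show up as a leading space on the new line in the alert text.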
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
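Review bot: Two subject-verb errors survive in lines the -33,22 hunk rewrites: ascanrules.directorybrowsing.soln "make sure the listed files does not induce risks" should be "do not", and ascanrules.envfiles.desc "One or more .env files seems to have been located" should be "seem". The elmah.otherinfo and directorybrowsing.desc pairs are identical as rendered (whitespace only), so these are the only substantive edits worth making on this hunk.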
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
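Review bot: in the `ascanrules.serversideinclude.soln` line of this hunk the new trailing period lands on the last Apache directive, so the value now ends `AddType text/x-server-parsed-html .html.`; anyone copying that block into httpd.conf gets a broken directive. Put the period after the sentence (`For Apache, disable the following.\n`) and leave the directive lines unterminated. The same line still says `Refer to manual to disable Sever Side Include` (`Refer to the manual`, `Server`), and `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` keeps `Properties file are not intended` (`Properties files are`); since both lines are already being rewritten, fix them here. The context line `ascanrules.persistentxssattack.json.desc` starts `A XSS attack` (`An XSS attack`). Several `-`/`+` pairs in this hunk (`remotecodeexecution.cve-2012-1823.desc`, `serversideinclude.desc`, `sourcecodedisclosurewebinf.desc`, `propertiesfile.soln`) read identically as rendered; if those changes are whitespace only (for example a double space after a full stop), say so in the PR description so reviewers do not hunt for a textual difference.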
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] felt\: [{1}], v\u00e6rdi [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] felt\: [{1}], v\u00e6rdi [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
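Review bot: `ascanrules.sqlinjection.authbypass.desc` in this hunk's context still ends without a period (`...authentication mechanism to be bypassed`) while every surrounding `+` line gains one; add it for consistency. Separately, the context lines `sqlinjection.alert.errorbased.attack` and `sqlinjection.alert.unionbased.attack` in this Arabic (`ar_SA`) file carry Danish text (`felt`, `v\u00e6rdi`), which looks like a mis-merged translation and deserves a follow-up even if it is out of scope for a punctuation pass.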
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_de_DE.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_de_DE.properties index dda63f32d27..d45a8703ad5 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_de_DE.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_de_DE.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Puffer\u00fcberlauf -ascanrules.bufferoverflow.other = Potenzieller Puffer\u00fcberlauf. Das Skript hat die Verbindung geschlossen und hast einen 500 internen Server-Fehler gemeldet +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Schreiben sie das Hintergrundprogramm neu mit der richtigen \u00dcberpr\u00fcfung des R\u00fcckgabewertes. Danach m\u00fcssen sie das Hintergrundprogramm neu kompilieren. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
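Review bot: this de_DE hunk replaces German strings with English ones: `ascanrules.bufferoverflow.other` and `ascanrules.bufferoverflow.soln` go from `Potenzieller Puffer\u00fcberlauf...` and `Schreiben sie das Hintergrundprogramm...` to the English source text, while `ascanrules.bufferoverflow.name = Puffer\u00fcberlauf` stays German. If this is a deliberate reset because the source string changed, say so in the commit message; otherwise keep the translations and only fix the German typo (`hast einen 500 internen Server-Fehler` should be `hat einen 500 Internal Server Error`) and add the trailing period the PR adds elsewhere.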
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
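Review bot: `ascanrules.crlfinjection.desc` in this hunk still opens `Cookie can be set via CRLF injection`; while the line is being edited make it `A cookie can be set via CRLF injection`, and `cache poisoning vulnerability may also exist` should read `a cache poisoning vulnerability may also exist`. The `+` line for `ascanrules.codeinjection.desc` reads `A code injection may be possible including custom code that will be evaluated by the scripting engine.`; `A code injection may be possible, injecting custom code that will be evaluated by the scripting engine.` says what is meant. The `-`/`+` pair for `crlfinjection.desc` is identical as rendered, so note the whitespace-only change in the PR description.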
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
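Review bot: two grammar slips survive the `+` lines of this hunk: `ascanrules.directorybrowsing.soln` keeps `make sure the listed files does not induce risks` (`do not`), and `ascanrules.envfiles.desc` keeps `One or more .env files seems to have been located` (`seem`). The context line `ascanrules.crosssitescripting.json.desc` starts `A XSS attack` (`An XSS attack`). Since the PR is a copy-edit pass, these belong in it rather than in a later one.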
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
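Review bot: `ascanrules.formatstring.desc` in this hunk keeps the inaccurate wording `evaluated as a command by the application`. A format string bug is input that reaches the format argument of a printf-style function, where directives such as `%s`, `%x` and `%n` read or write memory; nothing is evaluated as a command. Suggest: `A Format String error occurs when submitted input is used as the format string of a printf-style function, so format directives in the input are interpreted by the application.` Likewise `ascanrules.formatstring.soln` still recommends `proper deletion of bad character strings`; the standard fix is a constant format string with the input passed as an argument (`printf("%s", input)`), not stripping `%` characters, and the text should say so. Minor: `error1`/`error2` describe the probes as `/%s` and `/%s and /%x`; if the leading slash is not part of the literal payload, `%s` alone is clearer.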
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
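Review bot: `ascanrules.parametertamper.desc` still says `This indicated lack of exception handling` in the `+` line; present tense `This indicates a lack of exception handling` matches the rest of the file. In `ascanrules.parametertamper.soln`, `Use a generic 500 error page for internal server error` should be `for internal server errors`. Both `-`/`+` pairs in this hunk are identical as rendered, so flag the whitespace-only change in the PR text.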
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
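Review bot: the period appended to `ascanrules.serversideinclude.soln` lands directly after an Apache directive (`AddType text/x-server-parsed-html .html.`), where a reader copying the block will take it as part of the directive; drop that period, or end the sentence before the directive list ("For Apache, disable the following\:"). While this value is being rewritten, the typo "Sever Side Include" two sentences earlier should become "Server Side Include", and `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc`, which this hunk also re-emits, should read "Properties files are not intended to be publicly accessible" rather than "Properties file are".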
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = Feld\: [{0}], Wert [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] Feld\: [{1}], Wert [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Originalwert\: [{0}]. Ver\u00e4nderter Wert\: [{1}]. 
Kontrollwert\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unver\u00e4nderte Nachricht gab HTTP-Status [{0}], Body-Gr\u00f6\u00dfe [{1}], ge\u00e4ndert Nachricht gab HTTP-Status [{2}], Body-Gr\u00f6\u00dfe [{3}]. Eine dritte (nicht-SQL Injektion fehlertr\u00e4chtiger Nachricht) ergab HTTP-Status [{4}], Body-Gr\u00f6\u00dfe [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unver\u00e4nderte Nachricht ergab HTTP-Status [{0}], ver\u00e4nderte Nachricht ergab HTTP-Status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = Die Abfragezeit ist durch Parameterwert [{0}] manipulierbar, was die Zeit f\u00fcr einen Request um [{1}] Millisekunden verl\u00e4ngert hat. Die urspr\u00fcngliche unver\u00e4nderte Abfrage mit Wert [{2}] dauerte [{3}] Millisekunden +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] Feld\: [{1}], Wert [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
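Review bot: this is `Messages_ar_SA.properties`, yet the @@ -164,19 hunk replaces the German values of `errorbased.differentiation.extrainfo`, `errorbased.httpstatuscode.extrainfo` and `timebased.extrainfo` with the English source strings while `booleanbased.attack`, `errorbased.attack`, `errorbased.differentiation.attack` and `unionbased.attack` keep their German text ("Feld", "Wert", "Kontrollwert"), so the Arabic bundle ends up mixing German and English in adjacent fields of the same alert. Either leave the translated values alone or remove the untranslated keys so the bundle falls back to the default messages, rather than pasting English into a localized file. In the same hunk, `errorbased.extrainfo` now has a period before `\n` ("HTML results.\nThe") but `unionbased.extrainfo` does not ("HTML results\nThe"); pick one.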
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_el_GR.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_el_GR.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_el_GR.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_el_GR.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
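Review bot: `ascanrules.crlfinjection.desc`, which this hunk touches only to strip trailing whitespace, still reads "Cookie can be set via CRLF injection ... using cross-site script, cache poisoning vulnerability may also exist"; suggest "A cookie can be set via CRLF injection. ... by carefully crafting the injected response using cross-site scripting, a cache poisoning vulnerability may also exist." Likewise `ascanrules.codeinjection.desc`, which only gains a period here, is ambiguous as "A code injection may be possible including custom code that will be evaluated by the scripting engine."; "Code injection may be possible: custom code included in the parameter would be evaluated by the scripting engine." says what is meant.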
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
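Review bot: two grammar slips survive in values this hunk rewrites: `ascanrules.directorybrowsing.soln` should read "make sure the listed files do not induce risks" (not "does not"), and `ascanrules.envfiles.desc` should read "One or more .env files seem to have been located" (not "seems"). Since the hunk already re-emits both lines for whitespace only, fixing the wording here avoids a second round trip.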
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
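Review bot: in the @@ -62,13 hunk, the periods added to `ascanrules.formatstring.error1` and `error2` sit directly after the format-specifier tokens ("on a /%s." and "on a /%s and /%x."), so the rendered alert shows `/%x.` as if the dot were part of the probe string; end the sentence before the token, or wrap the tokens in brackets the way the other alerts do with `[{0}]`. `ascanrules.formatstring.desc` is also re-emitted here and still says the input "is evaluated as a command by the application"; a format string error occurs when untrusted input is interpreted as a format string by a formatting function, and the description should say that.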
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
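Review bot: `ascanrules.parametertamper.desc` and `.soln` are re-emitted here with whitespace-only changes, but the text itself needs work: "This indicated lack of exception handling" should be "This indicates a lack of exception handling", and "Besides, catch the exception properly. Use a generic 500 error page for internal server error." reads better as "Catch exceptions properly and return a generic 500 error page on internal server errors."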
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
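Review bot: same problem as the corresponding ar_SA hunk: the period appended to `ascanrules.serversideinclude.soln` turns the last Apache directive into `AddType text/x-server-parsed-html .html.`, which a reader copying the block will take as part of the directive; end the sentence before the directive list instead. The "Sever Side Include" typo in that value and "Properties file are not intended" in `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` are also still present after this rewrite.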
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_es_ES.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_es_ES.properties index ada9b778a8c..6c047b8a717 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_es_ES.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_es_ES.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Los errores de Buffer Overflow se caracterizan por la sobrescritura de espacios de memoria del proceso web en segundo plano, que no deber\u00edan haber sido modificados, intencionadamente o no. Sobrescribir los valores de IP (Instruction Pointer), BP (Base Pointer) y otros registros causan excepciones, violaciones del segmento y otros errores. Normalmente estos errores terminan la ejecuci\u00f3n de la aplicaci\u00f3n de manera inseperada. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potencial Buffer Overflow. El script ha cerrado la conexi\u00f3n y ha lanzado un error interno del servidor 500 +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Reescribir el programa en segundo plano realizando una correcta comprobaci\u00f3n de la longitud de retorno. Esto requerir\u00e1 el recompilado del ejecutable en segundo plano. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = El Ataque a los Metadatos de la Nube intenta abusar de un servidor NGINX mal configurado para acceder a la instancia de los metadatos mantenidos por proveedores de servicios en la nube como AWS, GCP y Azure.\nTodos estos proveedores proporcionan metadatos a trav\u00e9s de una direcci\u00f3n IP interna no enrutable '169.254.169.254' - esta puede ser expuesta por servidores NGINX configurados incorrectamente y accedida utilizando esta direcci\u00f3n IP en el campo head Host.\n\nTraducci\u00f3n realizada con la versi\u00f3n gratuita del traductor www.DeepL.com/Translator ascanrules.cloudmetadata.name = Metadatos de la Nube Potencialmente Expuestos 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Seg\u00fan el c\u00f3digo de estado de la r ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = No conf\u00ede en ning\u00fan dato de usuario en las configuraciones de NGINX. En este caso, probablemente sea el uso de la variable $host que se establece desde el encabezado (header) 'Host' y puede estar controlado por un atacante. -ascanrules.codeinjection.desc = Una inyecci\u00f3n de c\u00f3digo puede ser posible, que incluya un c\u00f3digo personalizado que ser\u00e1 evaluado por el motor de secuencias de comandos +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Inyecci\u00f3n de C\u00f3digo en el Lado del Servidor - Inyecci\u00f3n de c\u00f3digo ASP ascanrules.codeinjection.name.php = Inyecci\u00f3n de C\u00f3digo en el Lado del Servidor - Inyecci\u00f3n de c\u00f3digo PHP ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = No conf\u00ede en los valores de entrada del lado del cliente, incluso si en el lado del cliente se realice una validaci\u00f3n.\nEn general, comprobar todos los datos de entrada en el lado del servidor y escapar de todos los datos recibidos desde el cliente.\nEvite el uso de funciones eval() combinados con los datos de entrada del usuario. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. 
ascanrules.commandinjection.desc = T\u00e9cnica de ataque utilizada para la ejecuci\u00f3n no autorizada de comandos del sistema operativo. Este ataque es posible cuando una aplicaci\u00f3n acepta datos de entrada que no son de confianza para crear comandos del sistema operativo de manera insegura, lo que implica que tiene un filtro de datos inadecuado y/o una llamada incorrecta de programas externos. ascanrules.commandinjection.name = Remote OS Command Injection (Inyecci\u00f3n Remota de Comandos del Sistema Operativo) -ascanrules.commandinjection.otherinfo.feedback-based = La regla de escaneo pudo recuperar el contenido de un archivo o comando enviando [{0}] al sistema operativo que ejecuta esta aplicaci\u00f3n -ascanrules.commandinjection.otherinfo.time-based = La regla de escaneo pudo controlar el tiempo de respuesta de la aplicaci\u00f3n enviando [{0}] al sistema operativo que ejecuta esta aplicaci\u00f3n +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = La cookie se puede modificar con inyecci\u00f3n CRLF. Tambi\u00e9n es posible establecer encabezados de respuesta HTTP arbitrarios. Adem\u00e1s, al crear cuidadosamente la respuesta para inyectar mediante secuencias de comandos entre sitios XSS, tambi\u00e9n puede darse una vulnerabilidad de envenenamiento de cach\u00e9. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. 
In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = Inyecci\u00f3n CRLF ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Verifique cuidadosamente el par\u00e1metro enviado. No permita que se inyecte CRLF filtrando CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = Se encontr\u00f3 un ataque XSS refleja ascanrules.crosssitescripting.json.name = Cross Site Scripting XSS (reflejada en la respuesta de JSON) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = El atributo accesskey especifica una tecla de atajo para activar/enfocar un elemento. Este atributo puede desencadenar cargas \u00fatiles para etiquetas no convencionales o personalizadas. -ascanrules.crosssitescripting.otherinfo.nothtml = Creado con confianza BAJA, ya que Content-Type no es HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Liberar el estado de las reglas activas de escaneo -ascanrules.directorybrowsing.desc = Es posible listar el directorio de sistema. El directorio de sistema puede mostrar scripts ocultos, archivos, archivos de copia de seguridad, etc., a los que se puede acceder para leer su informaci\u00f3n. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing (Exploraci\u00f3n de directorios) ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Deshabilita el explorador de archivos. Si es necesario, aseg\u00farate de que los archivos que pueda mostrar no sean un riesgo. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = Los M\u00f3dulos Error Logging y Handlers (ELMAH [elmah.axd]) M\u00f3dulo HTTP fue encontrado disponible. Este m\u00f3dulo puede tener fugas de una cantidad importante de informaci\u00f3n valiosa. 
ascanrules.elmah.name = ELMAH Information Leak (Fuga de informaci\u00f3n ELMAH) -ascanrules.elmah.otherinfo = Basado en el c\u00f3digo de estado de respuesta ELMAH podr\u00eda estar protegida por un mecanismo de autenticaci\u00f3n o autorizaci\u00f3n. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Considere si o no ELMAH es actualmente requerido en la producci\u00f3n, si no es as\u00ed entonces deshabilitarlo. Si lo es, asegurar que el acceso al mismo requiere autenticaci\u00f3n y autorizaci\u00f3n. Vea tambi\u00e9n\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = Parece que se han ubicado uno o m\u00e1s archivos .env en el servidor. Estos archivos a menudo exponen credenciales de cuentas administrativas o de infraestructura, claves de API o APP u otra informaci\u00f3n de configuraci\u00f3n confidencial. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = Fuga de informaci\u00f3n .env ascanrules.envfiles.otherinfo = Seg\u00fan el c\u00f3digo de estado de respuesta, el archivo .env puede estar protegido por un mecanismo de autenticaci\u00f3n o autorizaci\u00f3n. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No se encontr\u00f3 raz\u00f3n par ascanrules.externalredirect.reason.refresh.header = La respuesta contiene una redirecci\u00f3n en su encabezado Refresh (header) que permite establecer una URL externa. ascanrules.externalredirect.reason.refresh.meta = La respuesta contiene una redirecci\u00f3n en su etiqueta meta http-equiv para 'Refresh' que permite configurar una URL externa. -ascanrules.formatstring.desc = Un error de formato de cadena ocurre cuando los datos de una cadena de entrada es evaluada como un comando por la aplicaci\u00f3n. -ascanrules.formatstring.error1 = Potencial error de formato de cadena. El script cerr\u00f3 la conexi\u00f3n en /%s -ascanrules.formatstring.error2 = Potencial error de formato de cadena. El script cerr\u00f3 la conexi\u00f3n en /%s y /%x -ascanrules.formatstring.error3 = Potencial error de formato de cadena. El script cerr\u00f3 la conexi\u00f3n en una cadena de formato de error de microsoft +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error (Error de formato de cadena) ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Reescribir el programa en segundo plano usando un borrado apropiado de las cadenas de caracteres err\u00f3neas. Esto requerir\u00e1 el recompilado del ejecutable en segundo plano. 
+ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = Una solicitud que originalmente se observ\u00f3 como POST tambi\u00e9n se acept\u00f3 como GET. Este problema no representa una debilidad de seguridad en s\u00ed mismo, sin embargo, puede facilitar la simplificaci\u00f3n de otros ataques. Por ejemplo, si el POST original est\u00e1 sujeto a Cross-Site Scripting (XSS), este descubrimiento puede indicar que tambi\u00e9n es posible un ataque XSS simplificado (basado en GET). ascanrules.getforpost.name = GET para POST 
@@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder (Buscador de Archivos Ocultos) ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Considera si este componente es realmente necesario en producci\u00f3n; si no es as\u00ed, desact\u00edvelo. Si es as\u00ed, asegurar que el acceso requiera la autenticaci\u00f3n y autorizaci\u00f3n adecuadas, o limita la exposici\u00f3n solo a sistemas internos o IPs de origen definidas, etc. -ascanrules.htaccess.desc = Los archivos htaccess se usan para modificar la configuraci\u00f3n del software Apache Web Server, y para habilitar/deshabilitar funciones y caracter\u00edsticas adicionales que el software Apache Web Server puede ofrecer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = Filtrado de informaci\u00f3n en .htaccess ascanrules.htaccess.otherinfo = Seg\u00fan el c\u00f3digo de estado de respuesta, el archivo htaccess puede estar protegido por un mecanismo de autenticaci\u00f3n o autorizaci\u00f3n. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Padding Oracle Gen\u00e9rico ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Actualice el software del servidor afectado o modifique los scripts para que validen correctamente los datos cifrados antes de intentar descifrarlos. -ascanrules.parametertamper.desc = La manipulaci\u00f3n de par\u00e1metros provoc\u00f3 que se mostrara una p\u00e1gina de error o un seguimiento de la pila de Java. Esto indica un fallo en como maneja las excepciones se podr\u00eda explotar en el futuro. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering (Manipulaci\u00f3n de Par\u00e1metros) -ascanrules.parametertamper.soln = Identificar la causa del error y solucionarlo. No conf\u00ede en la entrada del lado del cliente y hacer cumplir un control exhaustivo en el lado del servidor. Adem\u00e1s, detectar la excepci\u00f3n correctamente. Utilice una p\u00e1gina de error 500 gen\u00e9rico para error interno del servidor. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Ruta Transversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = Se encontr\u00f3 un ataque XSS en una ascanrules.persistentxssattack.json.name = Cross Site Scripting (Persistente en la respuesta JSON) ascanrules.persistentxssattack.name = Cross Site Scripting XSS (Persistente) ascanrules.persistentxssattack.otherinfo = Fuente URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Iniciado con BAJA confianza, ya que el contenido (Content-Type) no es HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistente) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistente) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Ciertas versiones de PHP, cuando se configuran para ejecutarse mediante CGI, no manejan correctamente las cadenas de consulta que carecen de un car\u00e1cter "\=", lo que permite la ejecuci\u00f3n arbitraria de c\u00f3digo. En este caso, un comando del sistema operativo fue causado para ser ejecutado en el servidor web, y los resultados fueron devueltos al navegador web. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Ejecuci\u00f3n Remota de C\u00f3digo - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Actualice a la \u00faltima versi\u00f3n estable de PHP o utilice el servidor web Apache y el m\u00f3dulo mod_rewrite para filtrar las peticiones maliciosas mediante las directivas "RewriteCond" y "RewriteRule". 
ascanrules.remotefileinclude.name = Inclusi\u00f3n Remota de Archivos -ascanrules.serversideinclude.desc = Ciertos par\u00e1metros pueden hacer que se Incluyan comandos del Lado del Servidor (SSLI) y se ejecuten. Esto puede permitir que se realice una conexi\u00f3n con la base de datos o la ejecuci\u00f3n de c\u00f3digo arbitrario. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = No conf\u00ede en la entrada del lado del cliente e imponga una comprobaci\u00f3n estricta en el lado del servidor. Deshabilitar las inclusiones del lado del servidor.\nConsulte el manual para deshabilitar las directivas Sever Side Include.\nUtilice el privilegio m\u00ednimo para ejecutar su servidor web o servidor de aplicaciones.\nPara Apache, deshabilitar lo siguiente\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Algunas versiones de PHP, cuando se configuran para ejecutarse utilizando CGI, no manejan correctamente las cadenas de consulta que carecen de un car\u00e1cter "\=" sin may\u00fasculas, lo que permite la divulgaci\u00f3n del c\u00f3digo fuente de PHP y la ejecuci\u00f3n de c\u00f3digo arbitrario. 
En este caso, el contenido del archivo PHP se serv\u00eda directamente al navegador web. Esta salida contendr\u00e1 t\u00edpicamente PHP, aunque tambi\u00e9n puede contener HTML directo. ascanrules.sourcecodedisclosurecve-2012-1823.name = Divulgaci\u00f3n del C\u00f3digo Fuente - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Actualice a la \u00faltima versi\u00f3n estable de PHP o utilice el servidor web Apache y el m\u00f3dulo mod_rewrite para filtrar las peticiones maliciosas mediante las directivas "RewriteCond" y "RewriteRule". -ascanrules.sourcecodedisclosurewebinf.desc = El c\u00f3digo fuente de Java fue expuesto por el servidor web en los archivos class de Java en la carpeta Web-INF. Los archivos class se pueden decompilar para producir c\u00f3digo fuente que coincida muy de cerca con el c\u00f3digo fuente original. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Divulgaci\u00f3n del c\u00f3digo fuente\: carpeta /WEB-INF -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = Un Java class de la carpeta /Web-INF expuso la presencia del archivo properties. El archivo properties no est\u00e1 dise\u00f1ado para ser de acceso p\u00fablico, y com\u00fanmente contiene la informaci\u00f3n de configuraci\u00f3n, credenciales de aplicaci\u00f3n o claves criptogr\u00e1ficas. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. 
ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = La referencia al archivo properties se encontr\u00f3 en el c\u00f3digo fuente de Java decompilado para la clase Java [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Divulgaci\u00f3n del Archivo Properties -/carpeta /WEB-INF -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = El servidor web debe configurarse para que no muestre la carpeta /WEB-INF o sus contenidos a los navegadores web. Tambi\u00e9n es posible eliminar la carpeta /WEB-INF. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. ascanrules.sourcecodedisclosurewebinf.soln = Todo servidor web se debe configurar para que no muestre la carpeta /WEB-INF ni sus contenidos a los navegadores web, porque esta tiene informaci\u00f3n delicada como el c\u00f3digo fuente compilado de Java, adem\u00e1s de archivos que pueden contener credenciales como los properties. Los Java class implementados con la aplicaci\u00f3n se deben ocultar, en forma de una capa adicional de defensa, como una "defensa en profundidad (defence-in-depth)" . ascanrules.spring4shell.desc = La aplicaci\u00f3n parece ser vulnerable a CVE-2022-22965 (tambi\u00e9n conocido como Spring4Shell)\: ejecuci\u00f3n remota de c\u00f3digo (RCE) a trav\u00e9s del enlace de datos. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Deshabilite los Health Actuators y otros Actuat #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = campo\: [{0}], valor [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = Los resultados de la p\u00e1gina se manipularon con \u00e9xito utilizando las condiciones booleanas [{0}] y [{1}]\nEl valor del par\u00e1metro que est\u00e1 modificado fue {2} eliminado de la salida HTML para fines de la comparaci\u00f3n -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Se han devuelto datos para el par\u00e1metro original.\nSe ha detectado la vulnerabilidad al restringir con \u00e9xito los datos devueltos originalmente, al manipular el par\u00e1metro -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = NO se devolvieron datos para el par\u00e1metro original.\nLa vulnerabilidad se detect\u00f3 al recuperar con \u00e9xito m\u00e1s datos de los que se devolvieron originalmente, al manipular el par\u00e1metro +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] campo\: [{1}], valor [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Valor Original\: [{0}]. Valor Modificado\: [{1}]. 
Valor de Control\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = El mensaje sin modificar dio el status HTTP [{0}], longitud del cuerpo [{1}], el mensaje modificado dio el status HTTP [{2}], longitud del cuerpo [{3}]. Un tercero (valor inductor de inyecci\u00f3n no SQL) dio el status HTTP [{4}], longitud del cuerpo [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] probable, la expresi\u00f3n regular del mensaje de error que aparece [{1}] corresponde con los resultados HTML.\nLa vulnerabilidad fue detectada por la manipulaci\u00f3n del par\u00e1metro para causar un mensaje de error de base de datos a ser retornado y reconocido -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Mensaje no modificado retorn\u00f3 el status HTTP [{0}], mensaje modificado retorn\u00f3 el status HTTP [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = Los resultados de la p\u00e1gina original se replicaron correctamente utilizando la expresi\u00f3n [{0}] como valor de par\u00e1metro\nEl valor de par\u00e1metro que se est\u00e1 modificando {1}se elimin\u00f3 de la salida HTML a efectos de comparaci\u00f3n. -ascanrules.sqlinjection.alert.orderbybased.extrainfo = Los resultados de la p\u00e1gina original se replicaron correctamente utilizando la expresi\u00f3n "ORDER BY" [{0}] como valor de par\u00e1metro\nEl valor de par\u00e1metro que se est\u00e1 modificando {1}se elimin\u00f3 de la salida HTML a efectos de comparaci\u00f3n. -ascanrules.sqlinjection.alert.timebased.extrainfo = El tiempo de consulta es controlable a trav\u00e9s del valor del par\u00e1metro [{0}], que hace que la petici\u00f3n tarde [{1}] milisegundos, cuando la consulta original sin modificar con valor [{2}] tarda [{3}] milisegundos +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. 
A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = El tiempo de consulta se puede controlar mediante el valor del par\u00e1metro [{0}], lo que ha provocado que la solicitud tardara [{1}] milisegundos, cuando la consulta original sin modificar con el valor [{2}] tarda [{3}] milisegundos. 
ascanrules.sqlinjection.alert.unionbased.attack = [{0}] campo\: [{1}], valor [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] probable, la expresi\u00f3n regular del mensaje de error UNION espec\u00edficamente [{1}] corresponde con los resultados HTML\nLa vulnerabilidad fue detectada por la manipulaci\u00f3n del par\u00e1metro con una cl\u00e1usula SQL ''UNION'' para causar un mensaje de error de base de datos a ser retornado y reconocido +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = Existe la posibilidad de realizar una Inyecci\u00f3n SQL en una p\u00e1gina de inicio de sesi\u00f3n, lo que podr\u00eda permitir saltar el mecanismo de autenticaci\u00f3n de la aplicaci\u00f3n. ascanrules.sqlinjection.authbypass.name = Inyecci\u00f3n SQL - Omisi\u00f3n de Autenticaci\u00f3n ascanrules.sqlinjection.desc = Inyecci\u00f3n SQL puede ser posible. 
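Review bot: this hunk is internally inconsistent about what happens to the es strings: `ascanrules.sqlinjection.alert.timebased.extrainfo` receives an updated Spanish translation, while the other seven `sqlinjection.alert.*.extrainfo` keys in the same hunk are replaced by English source text. Either all of them should be re-translated or the reset-to-English ones should be left untouched until a translation arrives. Separately, the new `{2}stripped` / `{1}stripped` placeholders (for example `The parameter value being modified was {2}stripped from the HTML output`) have no space after the placeholder, so the substituted argument must be either empty or a word carrying its own trailing space; worth confirming that the scan rule passes it that way, since the previous Spanish text (`{2} eliminado`) assumed a bare word.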
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = El tiempo de consulta ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Utilizando un ataque de inyecci\u00f3n SQL basado en UNION y explotando el mecanismo de escritura din\u00e1mica de SQLite, se determin\u00f3 que la versi\u00f3n de SQLite era [{0}].\nCon puntos de inyecci\u00f3n basados en cadenas, se puede extraer informaci\u00f3n completa de la versi\u00f3n de SQLite, pero con puntos de inyecci\u00f3n num\u00e9ricos, solo se puede extraer informaci\u00f3n parcial de la versi\u00f3n de SQLite.\nM\u00e1s informaci\u00f3n sobre la versi\u00f3n SQLite [{0}] est\u00e1 disponible en https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = Inyecci\u00f3n SQL - SQLite -ascanrules.ssti.alert.otherinfo = Evidencia encontrada en [{0}]\ncontenido\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = Cuando la entrada del usuario se inserta en la plantilla en lugar de usarse como argumento en el renderizado, el motor de plantilla eval\u00faa. Dependiendo del motor de plantillas, puede producir ejecuci\u00f3n remota de c\u00f3digo. ascanrules.ssti.name = Server Side Template Injection (SSTI) Plantilla de Inyecci\u00f3n del Lado del Servidor ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = En lugar de insertar la entrada del usuario en la pl ascanrules.traceaxd.desc = Se encontr\u00f3 que ASP.NET Trace Viewer (trace.axd) est\u00e1 disponible. Este componente puede filtrar una cantidad significativa de informaci\u00f3n valiosa. ascanrules.traceaxd.name = Filtrado de informaci\u00f3n en Trace.axd -ascanrules.traceaxd.otherinfo = Seg\u00fan el c\u00f3digo de estado de respuesta, Trace Viewer puede estar protegido por un mecanismo de autenticaci\u00f3n o autorizaci\u00f3n. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Considere si Trace Viewer es realmente necesario en producci\u00f3n; si no es as\u00ed, desact\u00edvelo. Si es as\u00ed, aseg\u00farese de que el acceso requiera autenticaci\u00f3n y autorizaci\u00f3n. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fa_IR.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fa_IR.properties index 64e30855ec4..f80a5428eae 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fa_IR.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fa_IR.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = \u062e\u0637\u0627\u0647\u0627\u06cc \u0633\u0631\u0631\u06cc\u0632 \u0628\u0627\u0641\u0631 \u062a\u0648\u0633\u0637 \u0628\u0627\u0632\u0646\u0648\u06cc\u0633\u06cc \u0641\u0636\u0627\u0647\u0627\u06cc \u062d\u0627\u0641\u0638\u0647 \u0641\u0631\u0622\u06cc\u0646\u062f \u067e\u0633 \u0632\u0645\u06cc\u0646\u0647 \u0648\u0628 \u0645\u0634\u062e\u0635 \u0645\u06cc \u0634\u0648\u062f\u060c \u06a9\u0647 \u0646\u0628\u0627\u06cc\u062f \u0628\u0647 \u0635\u0648\u0631\u062a \u0639\u0645\u062f\u06cc \u0648\u06cc\u0627 \u063a\u06cc\u0631 \u0639\u0645\u062f\u06cc \u0627\u0635\u0644\u0627\u062d \u0634\u0648\u0646\u062f. \u0645\u0642\u0627\u062f\u06cc\u0631 \u0628\u0627\u0632\u0646\u0648\u06cc\u0633\u06cc IP (\u0646\u0634\u0627\u0646\u06af\u0631 \u062f\u0633\u062a\u0648\u0631\u0627\u0644\u0639\u0645\u0644)\u060cBP (\u0646\u0634\u0627\u0646\u06af\u0631 \u067e\u0627\u06cc\u0647) \u0648 \u062f\u06cc\u06af\u0631 \u062b\u0628\u0627\u062a \u06cc\u0627 \u0631\u062c\u06cc\u0633\u062a\u0631\u0647\u0627 \u0645\u0648\u062c\u0628 \u0627\u0633\u062a\u062b\u0646\u0627\u060c \u062a\u0642\u0633\u06cc\u0645 \u0634\u062f\u0646 \u0639\u06cc\u0648\u0628 \u0648 \u0633\u0627\u06cc\u0631 \u062e\u0637\u0627\u0647\u0627\u06cc \u067e\u0631\u062f\u0627\u0632\u0634\u06cc \u0645\u06cc \u0634\u0648\u0646\u062f. \u0645\u0639\u0645\u0648\u0644\u0627 \u0627\u06cc\u0646 \u062e\u0637\u0627\u0647\u0627 \u0627\u062c\u0631\u0627\u06cc \u0628\u0631\u0646\u0627\u0645\u0647 \u0631\u0627 \u0628\u0647 \u0631\u0648\u0634\u06cc \u063a\u06cc\u0631\u0645\u0646\u062a\u0638\u0631\u0647 \u067e\u0627\u06cc\u0627\u0646 \u0645\u06cc \u062f\u0647\u0646\u062f. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. 
Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = \u0633\u0631\u0631\u06cc\u0632 \u0628\u0627\u0641\u0631 -ascanrules.bufferoverflow.other = \u067e\u062a\u0627\u0646\u0633\u06cc\u0644 \u0633\u0631\u0631\u06cc\u0632 \u0628\u0627\u0641\u0631. \u0627\u0633\u06a9\u0631\u06cc\u067e\u062a \u0627\u062a\u0635\u0627\u0644 \u0631\u0627 \u0642\u0637\u0639 \u06a9\u0631\u062f \u0648 \u0645\u0648\u062c\u0628 500 \u062e\u0637\u0627\u06cc \u0633\u0631\u0648\u0631 \u062f\u0627\u062e\u0644\u06cc \u0634\u062f +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = \u0628\u0631\u0646\u0627\u0645\u0647 \u067e\u0633 \u0632\u0645\u06cc\u0646\u0647 \u0631\u0627 \u0628\u0627 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0627\u0632 \u0628\u0631\u0631\u0633\u06cc \u0648\u06cc\u0698\u0647 \u0637\u0648\u0644 \u0628\u0627\u0632\u06af\u0634\u062a \u0628\u0627\u0632\u0646\u0648\u06cc\u0633\u06cc \u06a9\u0646\u06cc\u062f. \u0627\u06cc\u0646 \u0646\u06cc\u0627\u0632\u0645\u0646\u062f \u06a9\u0627\u0645\u067e\u0627\u06cc\u0644 \u0645\u062c\u062f\u062f \u0628\u0631\u0646\u0627\u0645\u0647 \u067e\u0633 \u0632\u0645\u06cc\u0646\u0647 \u0642\u0627\u0628\u0644 \u0627\u062c\u0631\u0627 \u062e\u0648\u0627\u0647\u062f \u0628\u0648\u062f. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
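Review bot: in the fa_IR `@@ -1,9 +1,9 @@` hunk, `bufferoverflow.desc`, `bufferoverflow.other` and `bufferoverflow.soln` are all replaced by English text while `ascanrules.bufferoverflow.name` keeps its Persian value, so a single alert will mix a right-to-left Persian title with left-to-right English body text. If the intent is to fall back to English until the Persian strings are re-translated, consider resetting the whole key group together (or none of it) so that each alert is at least rendered in one language and one script.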
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
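Review bot: the `-`/`+` pair for `ascanrules.crlfinjection.desc` reads as identical text, so the change must be whitespace only (presumably a collapsed double space after a full stop); a one-line mention in the commit message would save reviewers from diffing it by eye. While this line is being touched, the phrase `by carefully crafting the injected response using cross-site script` should read `cross-site scripting`, and `cache poisoning vulnerability may also exist` wants an article (`a cache poisoning vulnerability`). The `\n Avoid` to `\nAvoid` fix in `codeinjection.soln` and the added full stops on the `commandinjection.otherinfo.*` lines look right.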
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
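Review bot: two grammatical errors survive on lines this hunk already rewrites. In `+ascanrules.directorybrowsing.soln`, `make sure the listed files does not induce risks` should be `do not introduce risks`, and in `+ascanrules.envfiles.desc`, `One or more .env files seems to have been located` should be `seem`. Since the `-`/`+` pairs for these keys otherwise differ only in whitespace, fixing the wording in the same pass costs nothing and avoids re-touching the lines later.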
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = \u062e\u0637\u0627\u06cc \u0631\u0634\u062a\u0647 \u0641\u0631\u0645\u062a \u0632\u0645\u0627\u0646\u06cc \u0631\u062e \u0645\u06cc \u062f\u0647\u062f \u06a9\u0647 \u062f\u0627\u062f\u0647 \u0647\u0627\u06cc \u0627\u0631\u0627\u0626\u0647 \u0634\u062f\u0647 \u06cc \u06cc\u06a9 \u0631\u0634\u062a\u0647 \u0648\u0631\u0648\u062f\u06cc \u0628\u0647 \u0639\u0646\u0648\u0627\u0646 \u06cc\u06a9 \u062f\u0633\u062a\u0648\u0631 \u062a\u0648\u0633\u0637 \u0628\u0631\u0646\u0627\u0645\u0647 \u0633\u0646\u062c\u06cc\u062f\u0647 \u0645\u06cc \u0634\u0648\u062f. -ascanrules.formatstring.error1 = \u067e\u062a\u0627\u0646\u0633\u06cc\u0644 \u062e\u0637\u0627 \u0631\u0634\u062a\u0647 \u0641\u0631\u0645\u062a. \u0627\u0633\u06a9\u0631\u06cc\u067e\u062a \u0627\u062a\u0635\u0627\u0644 \u0631\u0627 \u062f\u0631 %s \u0628\u0633\u062a -ascanrules.formatstring.error2 = \u067e\u062a\u0627\u0646\u0633\u06cc\u0644 \u062e\u0637\u0627 \u0631\u0634\u062a\u0647 \u0641\u0631\u0645\u062a. \u0627\u0633\u06a9\u0631\u06cc\u067e\u062a \u0627\u062a\u0635\u0627\u0644 \u0631\u0627 \u062f\u0631 %s \u0648 %x \u0628\u0633\u062a -ascanrules.formatstring.error3 = \u067e\u062a\u0627\u0646\u0633\u06cc\u0644 \u062e\u0637\u0627 \u0631\u0634\u062a\u0647 \u0641\u0631\u0645\u062a. 
\u0627\u0633\u06a9\u0631\u06cc\u067e\u062a \u0627\u062a\u0635\u0627\u0644 \u0631\u0627 \u062f\u0631\u06cc\u06a9 \u062e\u0637\u0627\u06cc \u0631\u0634\u062a\u0647 \u0641\u0631\u0645\u062a \u0645\u0627\u06cc\u06a9\u0631\u0648\u0633\u0627\u0641\u062a \u0628\u0633\u062a +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = \u062e\u0637\u0627\u06cc \u0642\u0627\u0644\u0628 \u0631\u0634\u062a\u0647 ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = \u0628\u0631\u0646\u0627\u0645\u0647 \u067e\u0633 \u0632\u0645\u06cc\u0646\u0647 \u0631\u0627 \u0628\u0627 \u0627\u0633\u062a\u0641\u062a\u062f\u0647 \u0627\u0632 \u062d\u0630\u0641 \u0645\u0646\u0627\u0633\u0628 \u0631\u0634\u062a\u0647 \u0647\u0627\u06cc \u06a9\u0627\u0631\u0627\u06a9\u062a\u0631 \u0628\u062f \u0628\u0627\u0632\u0646\u0648\u06cc\u0633\u06cc \u06a9\u0646\u06cc\u062f. \u0627\u06cc\u0646 \u0646\u06cc\u0627\u0632\u0645\u0646\u062f \u06a9\u0627\u0645\u067e\u0627\u06cc\u0644 \u0645\u062c\u062f\u062f \u0628\u0631\u0646\u0627\u0645\u0647 \u067e\u0633 \u0632\u0645\u06cc\u0646\u0647 \u0642\u0627\u0628\u0644 \u0627\u062c\u0631\u0627 \u0645\u06cc \u0628\u0627\u0634\u062f. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. 
This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
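Review bot: in the `@@ -62,13 +62,13 @@` hunk the `formatstring.desc`, `formatstring.error1..3` and `formatstring.soln` keys move from Persian to English while `ascanrules.formatstring.name` stays Persian, the same mixed-language alert problem as the `bufferoverflow.*` group above. The English fallback text itself is also worth a second look before it lands in every locale: `Rewrite the background program using proper deletion of bad character strings` does not describe the actual remediation for a format string bug, which is to never pass user-supplied data as the format argument (use a fixed format string such as `"%s"` and supply the input as a parameter); `proper deletion of bad character strings` suggests blacklisting characters, which is not a reliable fix.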
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
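Review bot: `+ascanrules.parametertamper.desc` keeps `This indicated lack of exception handling`, which should be present tense with an article, `This indicates a lack of exception handling`, and `+ascanrules.parametertamper.soln` keeps `enforce a tight check in the server side. Besides, catch the exception properly`, which reads more naturally as `enforce strict validation on the server side. Also catch exceptions properly`. Both lines are already modified by this hunk (whitespace only, judging by the identical `-`/`+` text), so the wording can be corrected here without widening the diff.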
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
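Review bot: the trailing full stop added to `+ascanrules.serversideinclude.soln` lands inside the Apache configuration fragment that closes the string, turning `AddType text/x-server-parsed-html .html` into `AddType text/x-server-parsed-html .html.`; a user who copies the directive gets an invalid extension, so the period should go after the introductory sentence, not after the directive list. The same line still contains the typo `Refer to manual to disable Sever Side Include` (`Server`). In the neighbouring rewritten lines, `+ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` has `Properties file are not intended`, which should be `Properties files are not intended`, and `dis-assembled` in `sourcecodedisclosurewebinf.desc` and `.extrainfo` would more accurately be `decompiled`, since Java class files are decompiled to source rather than disassembled.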
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fil_PH.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fil_PH.properties index 75f590fc698..0963c560d57 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fil_PH.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fil_PH.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Ang mga error sa buffer overflow ay nailalarawan sa pamamagitan ng overwriting ng mga puwang ng memorya ng proseso ng web sa background, na hindi dapat na baguhin nang sinadya o hindi sinasadya. Ang mga halaga ng overwriting ng IP (Tagubilin sa Pagtuturo), BP (Base Pointer) at iba pang mga registro ay nagdudulot ng mga pagbubukod, pagkakamali ng segmentation, at iba pang mga error sa proseso na magaganap. Kadalasan ang mga error na ito ay tumigil sa pagpapatupad ng application sa isang di-inaasahang paraan. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Pag-apaw ng Buffer -ascanrules.bufferoverflow.other = Potensyal na Buffer Overflow. Isinara ng script ang koneksyon at inihagis ang isang 500 Internal Error Server +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Muling isulat ang programang pang-background gamit ang tamang return length checking. Ito ay mangangailangan ng pag-recompile ng executable ng background. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Direktoryo ng pag-hahanap ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = Ang Mga Error Module at Handler (ELMAH [elmah.axd]) Ang HTTP Module ay natagpuan na magagamit. Ang module na ito ay maaaring tumagas ng isang malaking halaga ng mahalagang impormasyon. 
ascanrules.elmah.name = ELMAH tagas na inpormasyon -ascanrules.elmah.otherinfo = Batay sa code ng katayuan ng tugon Ang ELMAH ay maaaring protektado ng mekanismo ng pagpapatotoo o awtorisasyon. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Isaalang-alang kung o hindi ang ELMAH ay talagang kinakailangan sa produksyon, kung hindi pagkatapos ay huwag paganahin ito. Kung pagkatapos ay tiyakin na ang access dito ay nangangailangan ng pagpapatotoo at pahintulot. Tingnan din ang\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = Isang Format Ang error sa String ay nangyayari kapag ang naisumite na data ng input string ay sinusuri bilang isang utos ng application. -ascanrules.formatstring.error1 = Potensyal sa Pag-format ng String Error. Isinara ng script ang koneksyon sa isang /%s -ascanrules.formatstring.error2 = Potential sa Pag-format ng String Error. Isinara ng script ang koneksyon sa isang /%s at /%x -ascanrules.formatstring.error3 = Potensyal sa Pag-format ng String Error. Isinara ng script ang koneksyon sa microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Mali sa String ng Format ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Muling isulat ang programang pang-background gamit ang tamang pagtanggal ng mga masamang string ng character. Ito ay mangangailangan ng pag-recompile ng executable ng background. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = I-update ang mga apektadong server software, o baguhin ang mga script para sila ay maayos na pag-validate sa encrypted na data bago sumubok ng pag descrypton. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Ang Daanan ng Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Ang ilang mga bersyon ng PHP, kapag na-configure upang patakbuhin ang paggamit ng CGI, ay hindi tama ang humahawak ng mga string ng query na walang kakayahang magamit na "\=" na karakter, na nagpapagana ng arbitrary na pagpapatupad ng code. Sa kasong ito, ang isang utos ng operating system ay sanhi upang maisagawa sa web server, at ang mga resulta ay ibinalik sa web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Mag-upgrade sa pinakabagong matatag na bersyon ng PHP, o gamitin ang web server ng Apache at mod_rewrite module upang i-filter ang mga nakakahamak na kahilingan gamit ang direktiba ng "RewriteCond" at "RewriteRule". 
ascanrules.remotefileinclude.name = Pagbuo ng remote na file -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Ibang mga PHP na mga bersyon, na kung na-configure ay ito ay pinagana gamit ang CGI, huwag nang hawakan ng maayos ang query na mga string na nakukulang ng unescaped "-" na karakter, na nagpapagana ng PHP source code disclosure, at ang arbitrary code excution. sa halimbawang ito, ang mga laman ng PHP file ay maglingod ng direkta sa web browser. Ang output ay karamihan naglalaman ng PHP, Bagamat ito ay naglalaman din ng straight HTML. 
ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Mag-upgrade sa pinakabagong matatag na bersyon ng PHP, o gamitin ang web server ng Apache at mod_rewrite module upang i-filter ang mga nakakahamak na kahilingan gamit ang direktiba ng "RewriteCond" at "RewriteRule". -ascanrules.sourcecodedisclosurewebinf.desc = Java source code ay ibinunyag sa web server ng Java class na mga files na nasa WEB-INF folder. Ang class na mga file ay pwedeng ma dis-assembled sa ginawang source code na alin na naka dikit na magtutugma sa orihinal na source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = Ang Java class na nasa /WEB-INF folder ay ibinunyag ang presence sa katangian ng file. Maga katangian ng file ay hindi maging hayag sa publiko, at karaniwang ay nag lalaman ng mga kumpigurasyon ng impormasyon m ang mga kredensyal ng aplikasyon o crypyographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = Ang pagtukoy sa mga katangian ng file ay matatagpuan sa dis-nakatipong Java source code para sa mga klase ng java [{0}]. 
ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = Ang web sever na ito ay dapat nakaayos hindi maglingkod sa /WEB-INF folder o nilalaman nito sa mga web browser. Maari din itong maging posible upang alisin ang mga folder ng /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. ascanrules.sourcecodedisclosurewebinf.soln = Ang web server ay dapat nakaayos na hindi maglingkod sa /WEB-INF o nilalaman nito sa mga browser ng web. dahil ito ay naglalaman ng sensitibong impormasyon tulad ng tinipon na Java source code at mg akatangian ng file na maaring maglaman ng mga kredensyal. Mga klase ng Java na nakatalaga sa mga aplikasyon na ito ay dapat maging obfuscated, bilang isang karagdagang patong ng pagtatanggol sa isang "pagtatanggol-nang malalim" na diskarte. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = patlang\: [{0}], halaga [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] patlang\: [{1}], halaga [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Orihinal na halaga\: [{0}] Binago na halaga [{1}]. 
Hawak ng Halaga\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Hindi nabago ang mensahe ay ibinigay ang katayuan ng HTTP [{0}], haba ng katawan [{1}], binago na mensahe ay ibinigay sa HTTP na katayuan [{2}], haba ng katawan [{3}]. Ang pangatlong (non-SQL Injection ay naglalaman ng halaga) ibibigay ang HTTP na katayuan [{4}], haba ng katawan [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = HIndi nabago ang mensahe ay ibinigay sa katayuan ng HTTP [{0}], binago ang mensahe na ibinigay na katayuan ng HTTP [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = Ang oras ng query ay nakokontrol gamit ang parameter na halaga [{0}], na naging sanhi ng kahilingan na kumuha ng [{1}] milliseconds, kapag ang orihinal na hindi binago na query na may halaga [{2}] ay umabot sa [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] patlang\: [{1}], halaga [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fr_FR.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fr_FR.properties index 951be7abef3..9423610b199 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fr_FR.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_fr_FR.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Les erreurs de d\u00e9bordement de tampon sont caract\u00e9ris\u00e9es par la sur\u00e9criture des espaces de m\u00e9moire du processus en arri\u00e8re-plan, qui ne devraient jamais \u00eatre modifi\u00e9s, intentionnellement ou non. \u00c9craser les valeurs de l'IP (Instruction Pointer), BP (pointeur de Base) et autres registres provoque des exceptions, des erreurs de segmentation et des erreurs dans d'autres processus. Ces erreurs terminent g\u00e9n\u00e9ralement l'ex\u00e9cution de l'application d'une mani\u00e8re inattendue. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = D\u00e9bordement de tampon -ascanrules.bufferoverflow.other = D\u00e9bordement de tampon potentiel. Le script a ferm\u00e9 la connexion et a lanc\u00e9 une erreur interne du serveur 500 +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = R\u00e9\u00e9crire le programme d'arri\u00e8re-plan en utilisant une v\u00e9rification de la longueur de retour correcte. Cela n\u00e9cessitera une recompilation de l'ex\u00e9cutable d'arri\u00e8re-plan. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = De telles erreurs pourraient \u00eatre utilis\u00e9es pour contourner les sch\u00e9mas de listes autoris\u00e9es en introduisant des entr\u00e9es dangereuses apr\u00e8s leur v\u00e9rification.\n\nL'attaque de m\u00e9tadonn\u00e9es cloud tente d'abuser d'un serveur NGINX mal configur\u00e9 afin d'acc\u00e9der aux m\u00e9tadonn\u00e9es d'instance g\u00e9r\u00e9es par des fournisseurs de services cloud tels qu'AWS, GCP et Azure.\nTous ces fournisseurs fournissent des m\u00e9tadonn\u00e9es via une adresse IP interne non routable '169.254.169.254' - cela peut \u00eatre expos\u00e9 par des serveurs NGINX mal configur\u00e9s et accessible en utilisant cette adresse IP dans le champ d'en-t\u00eate Host. ascanrules.cloudmetadata.name = M\u00e9tadonn\u00e9e du Cloud potentiellement vuln\u00e9rable 
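Review bot: all three changed lines in this hunk (`bufferoverflow.desc`, `.other`, `.soln`) drop a full French translation in favour of the English source, and the English says exactly what the removed French said, so fr_FR users lose a correct translation for what looks like a punctuation-only edit (the trailing period on `.other`). If the sync tool invalidates a translation on any source edit, either re-apply the French with the period added, or remove the keys from `Messages_fr_FR.properties` so the bundle falls back to the base file and the untranslated state stays visible. The same pattern repeats in the later hunks of this file.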
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = Une injection de code peut \u00eatre possible en incluant un code sur mesure qui sera \u00e9valu\u00e9 par le moteur de script +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Injection de Code c\u00f4t\u00e9 serveur ascanrules.codeinjection.name.asp = Injection de Code c\u00f4t\u00e9 serveur - Injection de Code ASP ascanrules.codeinjection.name.php = Injection de Code c\u00f4t\u00e9 serveur - Injection de Code PHP ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Ne vous fiez pas aux entr\u00e9es du client, m\u00eame si une validation est en place c\u00f4t\u00e9 client. \nEn g\u00e9n\u00e9ral, v\u00e9rifier le type de toutes les donn\u00e9es du c\u00f4t\u00e9 serveur et \u00e9chapper toutes les donn\u00e9es re\u00e7ues du client. \u00c9vitez d'utiliser des fonctions eval() combin\u00e9es avec des donn\u00e9es d'entr\u00e9e de l'utilisateur. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. 
ascanrules.commandinjection.desc = Technique d'attaque utilis\u00e9e pour l'ex\u00e9cution non autoris\u00e9e de commandes du syst\u00e8me d'exploitation. Cette attaque est possible lorsqu'une application accepte des entr\u00e9es douteuses pour g\u00e9n\u00e9rer des commandes de syst\u00e8me d'exploitation vuln\u00e9rables, sans assainissement correct des donn\u00e9es et/ou sans appel correct de programmes externes. ascanrules.commandinjection.name = Injection de commande de SE \u00e0 distance -ascanrules.commandinjection.otherinfo.feedback-based = La r\u00e8gle d''analyse a r\u00e9ussi \u00e0 r\u00e9cup\u00e9rer le contenu d''un fichier ou d''une commande en envoyant [{0}] au syst\u00e8me d''exploitation ex\u00e9cutant cette application -ascanrules.commandinjection.otherinfo.time-based = La r\u00e8gle d''analyse a r\u00e9ussi \u00e0 contr\u00f4ler le temps de r\u00e9ponse de l''application en envoyant [{0}] au syst\u00e8me d''exploitation ex\u00e9cutant cette application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Le cookie peut \u00eatre renseign\u00e9 par injection CRLF. Il serait \u00e9galement possible de renseigner des en-t\u00eates de r\u00e9ponse HTTP arbitraires. En outre, la possible manipulation de la r\u00e9ponse \u00e0 l'aide de script intersite peut faire appara\u00eetre une vuln\u00e9rabilit\u00e9 par empoisonnement de cache. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. 
It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = Injection CRLF ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
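Review bot: the `+ascanrules.crlfinjection.desc` value appears to break across two physical lines after "Cookie can be set via CRLF injection." In a `.properties` file an unescaped line break ends the value, and the remainder ("It may also be possible to set arbitrary HTTP response headers...") would be parsed as a separate key named `It`. If that break is real rather than wrapping in this view, join the two lines or escape the break as `\n`, as `codeinjection.soln` in the same hunk already does for its sentence breaks.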
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = Une attaque XSS a \u00e9t\u00e9 r\u00e ascanrules.crosssitescripting.json.name = Faiblesse Cross Site Scripting (r\u00e9fl\u00e9chi dans la r\u00e9ponse JSON) ascanrules.crosssitescripting.name = Cross Site Scripting (r\u00e9fl\u00e9chi) ascanrules.crosssitescripting.otherinfo.accesskey = L'attribut accesskey sp\u00e9cifie une touche de raccourci pour activer/focaliser un \u00e9l\u00e9ment. Cet attribut peut d\u00e9clencher des charges utiles pour des tags non-conventionnels ou personnalis\u00e9s. -ascanrules.crosssitescripting.otherinfo.nothtml = Lev\u00e9e avec le degr\u00e9 de confiance faible, car le Content-Type n'est pas HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Statut de publication des r\u00e8gles d'analyse actives -ascanrules.directorybrowsing.desc = Il est possible d'afficher la liste de r\u00e9pertoires. Cette liste peut r\u00e9v\u00e9ler des scripts cach\u00e9s, des fichiers d'inclusion, des sauvegardes de fichiers source, etc. pouvant donner acc\u00e8s \u00e0 des informations sensibles. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = R\u00e9pertoire de navigation ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = D\u00e9sactiver la navigation dans les r\u00e9pertoires. Si la navigation est malgr\u00e9 tout n\u00e9cessaire, assurez-vous que les fichiers r\u00e9pertori\u00e9s n'induisent pas de risques. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. 
ascanrules.elmah.desc = Le module de journalisation d'erreur et de gestionnaire HTTP (ELMAH [elmah.axd]) est disponible. Ce module peut laisser \u00e9chapper une quantit\u00e9 importante d\u2019informations pr\u00e9cieuses. ascanrules.elmah.name = Fuite d\u2019informations ELMAH -ascanrules.elmah.otherinfo = Selon le code de la r\u00e9ponse, ELMAH est peut-\u00eatre prot\u00e9g\u00e9 par un m\u00e9canisme d'authentification ou d'autorisation. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Examinez si ELMAH est r\u00e9ellement n\u00e9cessaire \u00e0 la production, et si ce n\u2019est pas le cas, d\u00e9sactivez-le. S\u2019il est n\u00e9cessaire , assurez-vous que l'acc\u00e8s \u00e0 ELMAH requiert authentification et autorisation. Voir aussi\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
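Review bot: `+ascanrules.directorybrowsing.soln` replaces a grammatical French sentence with an ungrammatical English one ("make sure the listed files does not induce risks"); if English is going to ship in this file it should at least read "make sure the listed files do not pose a risk", and the fix belongs in the base `Messages.properties` this string is copied from. Separately, the `-`/`+` pair for `ascanrules.envfiles.desc` is byte-for-byte identical in the visible text, so that change is whitespace-only; confirm it is intentional trailing-space cleanup rather than an editor re-save.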
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = Aucune raison trouv\u00e9e pour ce ascanrules.externalredirect.reason.refresh.header = La r\u00e9ponse contient une redirection dans le champ d'en-t\u00eate Refresh, ce qui permet de d\u00e9finir une Url externe. ascanrules.externalredirect.reason.refresh.meta = La r\u00e9ponse contient une redirection pour 'Refresh' dans sa balise meta http-equiv, ce qui permet de d\u00e9finir une Url externe. -ascanrules.formatstring.desc = Une erreur de format de cha\u00eene s'est produite lorsque les donn\u00e9es provenant d'une cha\u00eene d'entr\u00e9e ont \u00e9t\u00e9 \u00e9valu\u00e9es comme une commande par l'application. -ascanrules.formatstring.error1 = \u00c9ventuelle erreur de formatage de cha\u00eene. Le script a ferm\u00e9 la connexion sur un /%s -ascanrules.formatstring.error2 = \u00c9ventuelle erreur de formatage de cha\u00eene. Le script a ferm\u00e9 la connexion sur un /%s et /%x -ascanrules.formatstring.error3 = \u00c9ventuelle erreur de formatage de cha\u00eene. Le script a ferm\u00e9 la connexion sur une erreur de cha\u00eene au format microsoft +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Erreur de format de cha\u00eene ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = R\u00e9\u00e9crire le programme d'arri\u00e8re-plan en supprimant de mani\u00e8re correcte les mauvaises cha\u00eenes de caract\u00e8res. 
Cela n\u00e9cessitera la recompilation de l'ex\u00e9cutable d'arri\u00e8re-plan . +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST 
@@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = Les fichiers .htaccess peuvent \u00eatre utilis\u00e9s pour alt\u00e9rer la configuration du serveur web Apache afin d'activer/d\u00e9sactiver des fonctionnalit\u00e9s et caract\u00e9ristiques que le serveur web Apache peut offrir. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = Fuite d'information .htaccess ascanrules.htaccess.otherinfo = Selon le code de la r\u00e9ponse, le fichier .htaccess est peut-\u00eatre prot\u00e9g\u00e9 par un m\u00e9canisme d'authentification ou d'autorisation. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
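Review bot: `+ascanrules.htaccess.desc` writes "htaccess files", whereas the French it replaces and the unchanged `ascanrules.htaccess.name` line ("Fuite d'information .htaccess") refer to `.htaccess`. The leading dot is part of the filename (it is what makes the file hidden on Apache hosts), so keep ".htaccess files" in the English.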
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Bourrage Oracle g\u00e9n\u00e9rique ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Mettez \u00e0 jour le logiciel de serveur affect\u00e9, ou modifiez les scripts afin qu'ils valident correctement les donn\u00e9es chiffr\u00e9es avant toute tentative de d\u00e9chiffrement. -ascanrules.parametertamper.desc = La manipulation des param\u00e8tres a provoqu\u00e9 une page d'erreur ou l'affichage d'une trace d'appel Java. Ceci indique un d\u00e9faut de gestion des exceptions et ouvre des potentialit\u00e9s pour d'autres exploits. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Falsification de param\u00e8tre -ascanrules.parametertamper.soln = Identifiez la cause de l'erreur et corrigez-la. Ne pas faite confiance aux entr\u00e9es c\u00f4t\u00e9 client et appliquez un contr\u00f4le serr\u00e9 du c\u00f4t\u00e9 serveur. En outre, interceptez proprement les exceptions. Utilisez une page d'erreur g\u00e9n\u00e9rique 500 pour signaler les erreurs internes du serveur. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Travers\u00e9e de chemin 
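Review bot: the English `+ascanrules.parametertamper.desc` and `.soln` lines carry tense and preposition slips that the removed French did not: "This indicated lack of exception handling" should be "This indicates a lack of exception handling", "enforce a tight check in the server side" should be "on the server side", and "Use a generic 500 error page for internal server error" should be "for internal server errors". Since these strings are evidently copied from the base bundle, fix them there as well.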
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = Une attaque XSS a \u00e9t\u00e9 trouv ascanrules.persistentxssattack.json.name = Faiblesse Cross Site Scripting (stock\u00e9 dans la r\u00e9ponse JSON) ascanrules.persistentxssattack.name = Cross-Site Scripting (stock\u00e9) ascanrules.persistentxssattack.otherinfo = URL de la source\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Lev\u00e9e avec le degr\u00e9 de confiance faible, car le Content-Type n'est pas HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (stock\u00e9) - premier ascanrules.persistentxssspider.name = Cross Site Scripting (stock\u00e9) - Robot -ascanrules.remotecodeexecution.cve-2012-1823.desc = Lorsqu'elles sont configur\u00e9es pour ex\u00e9cuter du code CGI, certaines versions de PHP ne traitent pas correctement les cha\u00eenes de requ\u00eate dans lesquelles manque un caract\u00e8re "\=" non \u00e9chapp\u00e9, ce qui permet l'ex\u00e9cution de code arbitraire. Dans ce cas, il est possible de faire ex\u00e9cuter une commande du syst\u00e8me d'exploitation sur le serveur internet, dont les r\u00e9sultats sont retourn\u00e9s au navigateur internet. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. 
ascanrules.remotecodeexecution.cve-2012-1823.name = Ex\u00e9cution de code \u00e0 distance - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Mettez \u00e0 jour \u00e0 la derni\u00e8re version stable de PHP, ou utilisez le serveur internet Apache et son module mod_rewrite pour filtrer les requ\u00eates malicieuses utilisant les directives "RewriteCond" et "RewriteRule". ascanrules.remotefileinclude.name = Inclusion de fichiers distants -ascanrules.serversideinclude.desc = Certains param\u00e8tres peuvent conduire \u00e0 ex\u00e9cuter des commandes Server Side Include. Cela peut permettre la connexion \u00e0 des bases de donn\u00e9es ou l'ex\u00e9cution de code arbitraire. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. 
ascanrules.sourcecodedisclosurecve-2012-1823.desc = Certaines versions PHP, lorsqu'il est configur\u00e9 pour ex\u00e9cuter \u00e0 l'aide de CGI, ne manipulez pas correctement les cha\u00eenes de requ\u00eate qui n'ont pas un caract\u00e8re de \u00ab \= \u00bb sans s\u00e9quence d'\u00e9chappement, ce qui permet la divulgation de code source PHP et l'ex\u00e9cution de code arbitraire. Dans ce cas, le contenu du fichier PHP a \u00e9t\u00e9 fourni directement au navigateur internet. Cette sortie contiendra g\u00e9n\u00e9ralement du code PHP, mais il peut \u00e9galement contenir du pur HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Mettez \u00e0 jour \u00e0 la derni\u00e8re version stable de PHP, ou utilisez le serveur internet Apache et son module mod_rewrite pour filtrer les requ\u00eates malicieuses utilisant les directives "RewriteCond" et "RewriteRule". -ascanrules.sourcecodedisclosurewebinf.desc = Du code source Java a \u00e9t\u00e9 d\u00e9voil\u00e9 par le serveur internet au travers des fichiers de classe Java du dossier WEB-INF. Les fichiers de classe peuvent \u00eatre d\u00e9compil\u00e9s pour produire un code source qui correspond tr\u00e8s \u00e9troitement au code source original. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = Une classe Java du dossier /WEB-INF a d\u00e9voil\u00e9 la pr\u00e9sence du fichier de propri\u00e9t\u00e9s. 
Les fichiers de propri\u00e9t\u00e9s ne sont pas sens\u00e9s \u00eatre accessibles au public, car ils contiennent g\u00e9n\u00e9ralement des informations de configuration, des informations d'identification ou des cl\u00e9s cryptographiques. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = La r\u00e9f\u00e9rence vers le fichier de propri\u00e9t\u00e9s a \u00e9t\u00e9 trouv\u00e9e dans le code source Java d\u00e9s-assembl\u00e9 de la classe Java [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Divulgation de fichier de propri\u00e9t\u00e9s - Dossier /WEB-INF -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = Le serveur internet devrait \u00eatre configur\u00e9 pour ne pas servir le dossier /WEB-INF ou son contenu aux navigateurs internet. Il serait \u00e9galement possible de supprimer le dossier /WEB-INF. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. ascanrules.sourcecodedisclosurewebinf.soln = Le serveur internet devrait \u00eatre configur\u00e9 pour ne pas fournir le dossier /WEB-INF ou son contenu aux navigateurs internet, car il contient des informations sensibles telles que des fichiers de code Java compil\u00e9s et des fichiers de propri\u00e9t\u00e9s qui peuvent contenir des informations d'identification. Les classes Java d\u00e9ploy\u00e9es avec l'application devraient \u00eatre obscurcies, en guise de couche de d\u00e9fense suppl\u00e9mentaire dans une optique de "d\u00e9fense en profondeur". 
ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
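Review bot: `+ascanrules.serversideinclude.soln` appends the sentence-ending period straight after the last Apache directive, yielding `AddType text/x-server-parsed-html .html.`; the three directives are presented as lines to paste into the Apache configuration, so the period reads as part of the directive and `.html.` is a different extension. Put the period before the `\n` that introduces the directive list, or drop it. While touching this string, fix the "Sever Side Include" typo that both the old and new lines carry. In the same hunk, `+ascanrules.sourcecodedisclosurewebinf.desc` says class files can be "dis-assembled" to produce source that "very closely matches the original"; that is decompilation (the French it replaces says "décompilés"), so "decompiled" is the accurate term, and "Properties file are not intended" in `propertiesfile.desc` needs "Properties files are".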
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = champ\: [{0}], valeur [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = La donn\u00e9e a \u00e9t\u00e9 retourn\u00e9e pour le param\u00e8tre d'origine.\nLa vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9tect\u00e9e en manipulant le param\u00e8tre, ce qui a restreint avec succ\u00e8s les donn\u00e9es initialement retourn\u00e9es, -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Les donn\u00e9es n'ont PAS \u00e9t\u00e9 retourn\u00e9es pour le param\u00e8tre d'origine.\nLa vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9tect\u00e9e en manipulant le param\u00e8tre pour r\u00e9cup\u00e9rer avec succ\u00e8s plus de donn\u00e9es qu'initialement retourn\u00e9es, +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. 
ascanrules.sqlinjection.alert.errorbased.attack = [{0}] champ\: [{1}], valeur [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Valeur d''Origine\: [{0}]. Valeur Modifi\u00e9e\: [{1}]. Valeur de Contr\u00f4le\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Le message non modifi\u00e9 donne le statut HTTP [{0}], un corps d''une longueur [{1}], le message modifi\u00e9 donne le statut HTTP [{2}], un corps d''une longueur [{3}]. Un tiers (une injection non-SQL induisant une valeur) donne un statut HTTP [{4}], un corps d''une longueur [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Le message non modifi\u00e9 donne le statut HTTP [{0}], le message modifi\u00e9 donne le statut HTTP [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = Les r\u00e9sultats de la page originale ont \u00e9t\u00e9 reproduits avec succ\u00e8s en utilisant l''expression [{0}] comme valeur du param\u00e8tre\nLa valeur du param\u00e8tre {1} en cours de modification est extraite de la sortie HTML \u00e0 fin de comparaison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = Les r\u00e9sultats de la page originale ont \u00e9t\u00e9 reproduits avec succ\u00e8s en utilisant l''expression "ORDER BY" [{0}] comme valeur de param\u00e8tre\nLa valeur du param\u00e8tre {1} en cours de modification est extraite de la sortie HTML \u00e0 fin de comparaison -ascanrules.sqlinjection.alert.timebased.extrainfo = Le temps de la requ\u00eate est contr\u00f4lable \u00e0 l''aide de la valeur du param\u00e8tre [{0}], qui lui fait ainsi prendre [{1}] millisecondes, alors que la requ\u00eate d''origine, non modifi\u00e9e avec la valeur [{2}] prend, quant \u00e0 
elle, [{3}] millisecondes +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. 
ascanrules.sqlinjection.alert.unionbased.attack = [{0}] champ\: [{1}], valeur [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = Injection SQL - Contournement de l'authentification ascanrules.sqlinjection.desc = SQL injection may be possible. 
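Review bot: This hunk replaces French translations with English source text in a localized file: the `+` lines for `booleanbased.extrainfo.dataexists`, `booleanbased.extrainfo.datanotexists`, `errorbased.differentiation.extrainfo`, `errorbased.httpstatuscode.extrainfo`, `expressionbased.extrainfo`, `orderbybased.extrainfo` and `timebased.extrainfo` drop the French wording ("La donn\u00e9e a \u00e9t\u00e9 retourn\u00e9e pour le param\u00e8tre d'origine...") while the neighbouring keys stay French (`booleanbased.attack = champ\: [{0}], valeur [{1}]`). Either keep the translated strings and only append the trailing period, or remove the keys from this bundle so the default English text is used, rather than mixing languages in one file. Separately, the added `unionbased.extrainfo` still has no period after "matched by the HTML results" before `\n`, unlike `errorbased.extrainfo` which now reads "results.\n"; punctuate the two the same way.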
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
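Review bot: The unchanged `ssti.desc` context line in this hunk is ungrammatical ("When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine"); since the hunk already edits punctuation in `ssti.alert.otherinfo`, it would be worth rewording it here, e.g. "When user input is inserted into the template instead of being passed as a rendering argument, it is evaluated by the template engine." The removal of the stray space before `\n` in `ssti.alert.otherinfo` is fine.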
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ha_HG.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ha_HG.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ha_HG.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ha_HG.properties 
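Review bot: The `-`/`+` pair for `traceaxd.otherinfo` is textually identical, so the only difference can be trailing whitespace or line endings; the same invisible-only pairs appear for `bufferoverflow.desc` and `bufferoverflow.soln` in the `@@ -1,9` hunks. Confirm these are intentional (for example a deliberate whitespace normalisation) rather than editor noise, because they make the real punctuation changes harder to review. If the line is being rewritten anyway, "Based on the response status code, Trace Viewer may be protected..." reads better than the current wording.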
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
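Review bot: `crlfinjection.desc` is another identical `-`/`+` pair (whitespace only); the substantive changes in this hunk are the trailing periods on `codeinjection.desc` and the two `commandinjection.otherinfo.*` strings and the removal of the space after `\n` in `codeinjection.soln`, which are all consistent with the rest of the PR. While `crlfinjection.desc` is being touched, "by carefully crafting the injected response using cross-site script" should read "cross-site scripting", and "cache poisoning vulnerability may also exist" wants an article ("a cache poisoning vulnerability").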
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
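Review bot: Two grammatical errors survive in lines this hunk rewrites: `directorybrowsing.soln` "make sure the listed files does not induce risks" should be "do not", and `envfiles.desc` "One or more .env files seems to have been located" should be "seem". Both `+` lines are otherwise identical to their `-` lines (whitespace only), as are `directorybrowsing.desc` and `elmah.otherinfo`, so this is the natural place to fix the wording rather than re-touching the lines in a later PR.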
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
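Review bot: In the `@@ -62,13` hunk, `formatstring.error1` and `formatstring.error2` now end in "/%s." and "/%s and /%x.", which places the sentence period directly after a format specifier and can be read as part of the token. Either quote the specifiers ("on a '/%s' and '/%x'.") or leave these two strings without the trailing period; `formatstring.error3` ("Microsoft format string error.") is fine. In the `@@ -86,7` hunk the `htaccess.desc` pair is identical text (whitespace only), while the unchanged `htaccess.otherinfo` context has the same "Based on response status code htaccess file may be protected" phrasing as `traceaxd.otherinfo` and would benefit from the same article/comma fix if those strings are normalised.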
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
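Review bot: `parametertamper.desc` is rewritten but keeps the tense slip "This indicated lack of exception handling"; "This indicates a lack of exception handling" is what is meant. In `parametertamper.soln`, "Besides, catch the exception properly" is awkward and "Also catch exceptions properly" would do, and "internal server error" at the end should take an article ("for internal server errors" or "for an internal server error"). Both `+` lines are otherwise identical to their `-` lines.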
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
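Review bot: The period appended to `serversideinclude.soln` lands on an Apache directive: the value now ends "AddType text/x-server-parsed-html .html.", so anyone copying the listed directives into a config gets a stray dot on the last one. Keep the sentence punctuation on "For Apache, disable the following\:" and leave the directive lines unterminated; while the line is edited, fix "Refer to manual to disable Sever Side Include" ("Server Side Include", "the manual"). Also in this hunk, `sourcecodedisclosurewebinf.propertiesfile.desc` still reads "Properties file are not intended" (should be "Properties files are not intended"), and the rewritten `serversideinclude.desc`, `remotecodeexecution.cve-2012-1823.desc` and `sourcecodedisclosurewebinf.*` pairs are whitespace-only changes.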
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_he_IL.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_he_IL.properties index e9e593103ef..b536f98682f 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_he_IL.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_he_IL.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = \u05d2\u05dc\u05d9\u05e9\u05ea \u05d7\u05d5\u05e6\u05e5 -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hi_IN.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hi_IN.properties index e9c5eee2982..ce56a2842ea 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hi_IN.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hi_IN.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = \u092c\u092b\u093c\u0930 \u0913\u0935\u0930\u092b\u093c\u094d\u0932\u094b \u0924\u094d\u0930\u0941\u091f\u093f\u092f\u094b\u0902 \u092a\u0943\u0937\u094d\u0920\u092d\u0942\u092e\u093f \u0935\u0947\u092c \u092a\u094d\u0930\u0915\u094d\u0930\u093f\u092f\u093e \u0939\u0948, \u091c\u094b \u0915\u092d\u0940 \u091c\u093e\u0928\u092c\u0942\u091d\u0915\u0930 \u092f\u093e \u0905\u0928\u091c\u093e\u0928\u0947 \u0938\u0902\u0936\u094b\u0927\u093f\u0924 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0939\u0948 \u091a\u093e\u0939\u093f\u090f \u0915\u0947 \u0938\u094d\u092e\u0943\u0924\u093f \u0930\u093f\u0915\u094d\u0924 \u0938\u094d\u0925\u093e\u0928 \u0915\u0947 overwriting \u0915\u0947 \u0926\u094d\u0935\u093e\u0930\u093e \u0935\u093f\u0936\u0947\u0937\u0924\u093e \u0939\u0948\u0902\u0964 \u0906\u0908\u092a\u0940 (\u0905\u0928\u0941\u0926\u0947\u0936 \u0938\u0942\u091a\u0915), \u092c\u0940. \u092a\u0940. (\u092c\u0947\u0938 \u0938\u0942\u091a\u0915) \u0914\u0930 \u0926\u0942\u0938\u0930\u0947 \u0915\u0947 \u092e\u093e\u0928 \u0915\u094b \u0905\u0927\u093f\u0932\u0947\u0916\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u093e\u0930\u0923\u094b\u0902 \u0905\u092a\u0935\u093e\u0926, \u0935\u093f\u092d\u093e\u091c\u0928 \u0926\u094b\u0937, \u0914\u0930 \u0905\u0928\u094d\u092f \u092a\u094d\u0930\u0915\u094d\u0930\u093f\u092f\u093e \u0924\u094d\u0930\u0941\u091f\u093f\u092f\u094b\u0902 \u0915\u0947 \u0918\u091f\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u092a\u0902\u091c\u0940\u0915\u0943\u0924 \u0915\u0930\u0924\u093e \u0939\u0948\u0964 \u0906\u092e\u0924\u094c\u0930 \u092a\u0930 \u0907\u0928 \u0924\u094d\u0930\u0941\u091f\u093f\u092f\u093e\u0901 \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0915\u0947 \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 \u092e\u0947\u0902 \u0905\u092a\u094d\u0930\u0924\u094d\u092f\u093e\u0936\u093f\u0924 \u0924\u0930\u0940\u0915\u0947 \u0905\u0902\u0924\u0964 
+ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = \u092c\u092b\u093c\u0930 \u0913\u0935\u0930\u092b\u093c\u094d\u0932\u094b -ascanrules.bufferoverflow.other = \u0938\u0902\u092d\u093e\u0935\u093f\u0924 \u092c\u092b\u0930 \u0905\u0924\u093f\u092a\u094d\u0930\u0935\u093e\u0939\u0964 \u0938\u094d\u0915\u094d\u0930\u093f\u092a\u094d\u091f \u0915\u0928\u0947\u0915\u094d\u0936\u0928 \u092c\u0902\u0926 \u0915\u0930 \u0926\u093f\u092f\u093e \u0914\u0930 \u090f\u0915 500 \u0906\u0902\u0924\u0930\u093f\u0915 \u0938\u0930\u094d\u0935\u0930 \u0924\u094d\u0930\u0941\u091f\u093f \u092b\u0947\u0902\u0915 \u0926\u093f\u092f\u093e +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. 
ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = \u0909\u091a\u093f\u0924 \u0935\u093e\u092a\u0938\u0940 \u0932\u092e\u094d\u092c\u093e\u0908 \u0915\u0940 \u091c\u093e\u0901\u091a \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930 \u092a\u0943\u0937\u094d\u0920\u092d\u0942\u092e\u093f \u092a\u094d\u0930\u094b\u0917\u094d\u0930\u093e\u092e \u0915\u094b \u092b\u093f\u0930 \u0938\u0947 \u0932\u093f\u0916\u0928\u093e\u0964 \u092f\u0939 \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 \u092f\u094b\u0917\u094d\u092f \u092a\u0943\u0937\u094d\u0920\u092d\u0942\u092e\u093f \u0915\u093e \u090f\u0915 recompile \u0915\u0940 \u0906\u0935\u0936\u094d\u092f\u0915\u0924\u093e \u0939\u094b\u0917\u0940\u0964 +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
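Review bot: this hunk replaces three existing Hindi translations (the `-` lines for `ascanrules.bufferoverflow.desc`, `.other` and `.soln`, beginning `\u092c\u092b\u093c\u0930 ...`) with the English source strings, so Hindi users lose the translation over a trailing-whitespace trim on `.desc`/`.soln` and one added period on `.other`. If this is the translation-platform export resetting entries whose source text changed, state that in the PR description so nobody tries to hand-restore them; if the file was edited by hand, keep the Hindi text and apply only the punctuation change.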
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
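Review bot: the `+` line for `ascanrules.codeinjection.soln` correctly removes the stray space after `\n` that would have indented "Avoid the use of eval()" in the rendered solution. The `ascanrules.crlfinjection.desc` `-`/`+` pair shows no visible difference (trailing whitespace only); since the line is being touched anyway, fix its wording at the source: "A cookie can be set via CRLF injection", "using cross-site scripting" rather than "cross-site script", and "a cache poisoning vulnerability may also exist".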
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
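Review bot: two grammar errors survive on lines this hunk rewrites with whitespace-only changes: `ascanrules.directorybrowsing.soln` "make sure the listed files does not induce risks" should read "do not", and `ascanrules.envfiles.desc` "One or more .env files seems to have been located" should read "seem". Both are English fallback strings in this locale file, so the fix belongs in the source Messages.properties and will flow through from there. The `ascanrules.elmah.otherinfo` pair likewise differs only in trailing whitespace.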
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = \u090f\u0915 \u092a\u094d\u0930\u093e\u0930\u0942\u092a \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917 \u0924\u094d\u0930\u0941\u091f\u093f \u0924\u092c \u0939\u094b\u0924\u0940 \u0939\u0948 \u091c\u092c \u090f\u0915 \u0907\u0928\u092a\u0941\u091f \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917 \u0915\u0947 \u0938\u092c\u092e\u093f\u091f \u0915\u093f\u090f \u0917\u090f \u0921\u0947\u091f\u093e \u0935\u093e\u0932\u0947 \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0926\u094d\u0935\u093e\u0930\u093e \u090f\u0915 \u0915\u092e\u093e\u0902\u0921 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u092e\u0942\u0932\u094d\u092f\u093e\u0902\u0915\u0928 \u0915\u093f\u092f\u093e \u091c\u093e\u0924\u093e \u0939\u0948\u0964 -ascanrules.formatstring.error1 = \u0938\u0902\u092d\u093e\u0935\u093f\u0924 \u0938\u094d\u0935\u0930\u0942\u092a \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917 \u0924\u094d\u0930\u0941\u091f\u093f\u0964 \u0938\u094d\u0915\u094d\u0930\u093f\u092a\u094d\u091f \u090f\u0915 /%s \u092a\u0930 \u0915\u0928\u0947\u0915\u094d\u0936\u0928 \u092c\u0902\u0926 \u0915\u0930 \u0926\u093f\u092f\u093e -ascanrules.formatstring.error2 = \u0938\u0902\u092d\u093e\u0935\u093f\u0924 \u0938\u094d\u0935\u0930\u0942\u092a \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917 \u0924\u094d\u0930\u0941\u091f\u093f\u0964 \u0938\u094d\u0915\u094d\u0930\u093f\u092a\u094d\u091f \u090f\u0915 /%s \u092a\u0930 \u0915\u0928\u0947\u0915\u094d\u0936\u0928 \u092c\u0902\u0926 \u0915\u0930 \u0926\u093f\u092f\u093e -ascanrules.formatstring.error3 = 
\u0938\u0902\u092d\u093e\u0935\u093f\u0924 \u0938\u094d\u0935\u0930\u0942\u092a \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917 \u0924\u094d\u0930\u0941\u091f\u093f\u0964 \u0938\u094d\u0915\u094d\u0930\u093f\u092a\u094d\u091f \u0915\u093f\u0938\u0940 microsoft \u0938\u094d\u0935\u0930\u0942\u092a \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917 \u0924\u094d\u0930\u0941\u091f\u093f \u092a\u0930 \u0915\u0928\u0947\u0915\u094d\u0936\u0928 \u092c\u0902\u0926 \u0915\u0930 \u0926\u093f\u092f\u093e +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. 
ascanrules.formatstring.name = \u0938\u094d\u0935\u0930\u0942\u092a \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917 \u0924\u094d\u0930\u0941\u091f\u093f ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = \u092c\u0941\u0930\u0947 \u091a\u0930\u093f\u0924\u094d\u0930 \u0924\u093e\u0930 \u0915\u0940 \u0909\u091a\u093f\u0924 \u0935\u093f\u0932\u094b\u092a\u0928 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930 \u092a\u0943\u0937\u094d\u0920\u092d\u0942\u092e\u093f \u092a\u094d\u0930\u094b\u0917\u094d\u0930\u093e\u092e \u0915\u094b \u092b\u093f\u0930 \u0938\u0947 \u0932\u093f\u0916\u0928\u093e\u0964 \u092f\u0939 \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 \u092f\u094b\u0917\u094d\u092f \u092a\u0943\u0937\u094d\u0920\u092d\u0942\u092e\u093f \u0915\u093e \u090f\u0915 recompile \u0915\u0940 \u0906\u0935\u0936\u094d\u092f\u0915\u0924\u093e \u0939\u094b\u0917\u0940\u0964 +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST 
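Review bot: the removed Hindi `-` lines for `ascanrules.formatstring.error1` and `.error2` are identical, so the old translation had collapsed the `/%s` and `/%s and /%x` cases that the English `+` lines keep distinct; the replacement is more accurate than what it drops, but it is still English in a Hindi resource. `ascanrules.formatstring.name` stays in Hindi while `.desc`, `.error1`, `.error2`, `.error3` and `.soln` become English, which leaves the rule half-localized; flag these keys for re-translation rather than treating the English as final.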
@@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
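Review bot: both `ascanrules.parametertamper` lines change only in trailing whitespace but carry wording errors worth fixing at the source while the lines are open: `.desc` "This indicated lack of exception handling" should read "This indicates a lack of exception handling", and `.soln` "enforce a tight check in the server side. Besides, catch the exception properly" should read "enforce strict checks on the server side, and catch exceptions properly".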
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = \u0915\u0941\u091b PHP \u0938\u0902\u0938\u094d\u0915\u0930\u0923 \u0939\u0948, \u091c\u092c CGI, \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0915\u0947 \u091a\u0932\u093e\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0915\u0949\u0928\u094d\u092b\u093c\u093f\u0917\u0930 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0938\u0939\u0940 \u0922\u0902\u0917 \u0938\u0947 \u092e\u0928\u092e\u093e\u0928\u093e \u0915\u094b\u0921 \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 \u0915\u094b \u0938\u0915\u094d\u0937\u092e \u0915\u0930\u0928\u0947 \u0915\u0947 \u090f\u0915 unescaped "\=" \u0935\u0930\u094d\u0923, \u0915\u092e\u0940 \u0915\u094d\u0935\u0947\u0930\u0940 \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917\u094d\u0938 \u0939\u0948\u0902\u0921\u0932 \u0928\u0939\u0940\u0902\u0964 \u0907\u0938 \u092e\u093e\u092e\u0932\u0947 \u092e\u0947\u0902, \u090f\u0915 \u0911\u092a\u0930\u0947\u091f\u093f\u0902\u0917 \u0938\u093f\u0938\u094d\u091f\u092e \u0915\u092e\u093e\u0902\u0921 \u0915\u094b \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u092a\u0930 \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u093f\u0924 \u0915\u093f\u092f\u093e \u091c\u093e \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f 
\u0915\u093e\u0930\u0923 \u0925\u093e, \u0914\u0930 \u092a\u0930\u093f\u0923\u093e\u092e \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u0915\u0947 \u0932\u093f\u090f \u0932\u094c\u091f \u0906\u090f \u0925\u0947\u0964 +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = \u0930\u093f\u092e\u094b\u091f \u0915\u094b\u0921 \u0915\u093e \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = PHP \u0915\u093e \u0928\u0935\u0940\u0928\u0924\u092e \u0938\u094d\u0925\u093f\u0930 \u0938\u0902\u0938\u094d\u0915\u0930\u0923 \u0915\u0947 \u0932\u093f\u090f \u0928\u0935\u0940\u0928\u0940\u0915\u0930\u0923, \u092f\u093e \u0926\u0941\u0930\u094d\u092d\u093e\u0935\u0928\u093e\u092a\u0942\u0930\u094d\u0923 \u0905\u0928\u0941\u0930\u094b\u0927\u094b\u0902 \u0928\u093f\u0930\u094d\u0926\u0947\u0936\u094b\u0902 \u0915\u0947 "RewriteCond" \u0914\u0930 "RewriteRule" \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930 \u092c\u093e\u0939\u0930 \u092b\u093c\u093f\u0932\u094d\u091f\u0930 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f Apache \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0914\u0930 mod_rewrite \u092e\u0949\u0921\u094d\u092f\u0942\u0932 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0947\u0902\u0964 ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. 
ascanrules.sourcecodedisclosurecve-2012-1823.desc = \u0915\u094d\u0935\u0947\u0930\u0940 \u0924\u093e\u0930 \u0915\u093f PHP \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u092a\u094d\u0930\u0915\u091f\u0940\u0915\u0930\u0923, \u0914\u0930 \u092e\u0928\u092e\u093e\u0928\u093e \u0915\u094b\u0921 \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 \u0915\u094b \u0938\u0915\u094d\u0937\u092e \u0915\u0930\u0928\u0947 \u0915\u0947 \u090f\u0915 unescaped "\=" \u0935\u0930\u094d\u0923, \u0915\u092e\u0940 \u0915\u0941\u091b PHP \u0938\u0902\u0938\u094d\u0915\u0930\u0923 \u0939\u0948, \u091c\u092c CGI, \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0915\u0947 \u091a\u0932\u093e\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0915\u0949\u0928\u094d\u092b\u093c\u093f\u0917\u0930 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0938\u0939\u0940 \u0924\u0930\u0940\u0915\u0947 \u0938\u0947 \u0939\u0948\u0902\u0921\u0932 \u0928\u0939\u0940\u0902\u0964 \u0907\u0938 \u092e\u093e\u092e\u0932\u0947 \u092e\u0947\u0902, PHP \u092b\u093c\u093e\u0907\u0932 \u0915\u0940 \u0938\u093e\u092e\u0917\u094d\u0930\u0940 \u0938\u0940\u0927\u0947 \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u0915\u0947 \u0932\u093f\u090f \u0938\u0947\u0935\u093e \u0915\u0940 \u0925\u0947\u0964 \u0939\u093e\u0932\u093e\u0902\u0915\u093f \u092f\u0939 \u092d\u0940 \u0939\u094b \u0938\u0915\u0924\u0940 \u0939\u0948 \u0938\u0940\u0927\u0940 HTML \u0907\u0938 \u0906\u0909\u091f\u092a\u0941\u091f \u092e\u0947\u0902 \u0906\u092e\u0924\u094c\u0930 \u092a\u0930 PHP, \u0936\u093e\u092e\u093f\u0932 \u0939\u094b\u0902\u0917\u0947\u0964 ascanrules.sourcecodedisclosurecve-2012-1823.name = \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u092a\u094d\u0930\u0915\u091f\u0940\u0915\u0930\u0923 - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = PHP \u0915\u093e \u0928\u0935\u0940\u0928\u0924\u092e \u0938\u094d\u0925\u093f\u0930 \u0938\u0902\u0938\u094d\u0915\u0930\u0923 \u0915\u0947 
\u0932\u093f\u090f \u0928\u0935\u0940\u0928\u0940\u0915\u0930\u0923, \u092f\u093e \u0926\u0941\u0930\u094d\u092d\u093e\u0935\u0928\u093e\u092a\u0942\u0930\u094d\u0923 \u0905\u0928\u0941\u0930\u094b\u0927\u094b\u0902 \u0928\u093f\u0930\u094d\u0926\u0947\u0936\u094b\u0902 \u0915\u0947 "RewriteCond" \u0914\u0930 "RewriteRule" \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930 \u092c\u093e\u0939\u0930 \u092b\u093c\u093f\u0932\u094d\u091f\u0930 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f Apache \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0914\u0930 mod_rewrite \u092e\u0949\u0921\u094d\u092f\u0942\u0932 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0947\u0902\u0964 -ascanrules.sourcecodedisclosurewebinf.desc = \u091c\u093e\u0935\u093e \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u092e\u0947\u0902 \u091c\u093e\u0935\u093e \u0935\u0930\u094d\u0917 \u092b\u093c\u093e\u0907\u0932\u0947\u0902 \u0935\u0947\u092c-INF \u092b\u093c\u094b\u0932\u094d\u0921\u0930 \u092e\u0947\u0902 \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0926\u094d\u0935\u093e\u0930\u093e \u092c\u0924\u093e\u092f\u093e \u0917\u092f\u093e \u0925\u093e\u0964 \u0915\u094d\u0932\u093e\u0938 \u092b\u093e\u0907\u0932 \u091c\u093f\u0932\u0947 \u0909\u0924\u094d\u092a\u093e\u0926\u0928 \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u0939\u0948 \u091c\u094b \u092c\u0939\u0941\u0924 \u0939\u0940 \u092c\u093e\u0930\u0940\u0915\u0940 \u0938\u0947 \u092e\u0942\u0932 \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u0938\u0947 \u092e\u0947\u0932 \u0916\u093e\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0907\u0915\u091f\u094d\u0920\u0947 \u0939\u094b \u0938\u0915\u0924\u093e \u0939\u0948\u0964 +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. 
ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = \u090f\u0915 \u091c\u093e\u0935\u093e \u0935\u0930\u094d\u0917 \u0915\u094b /WEB-INF \u092b\u093c\u094b\u0932\u094d\u0921\u0930 \u092e\u0947\u0902 \u0917\u0941\u0923 \u092b\u093c\u093e\u0907\u0932 \u0915\u0940 \u0909\u092a\u0938\u094d\u0925\u093f\u0924\u093f \u0915\u093e \u0916\u0941\u0932\u093e\u0938\u093e \u0915\u093f\u092f\u093e\u0964 \u0917\u0941\u0923 \u092b\u093c\u093e\u0907\u0932 \u0928\u0939\u0940\u0902 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0938\u093e\u0930\u094d\u0935\u091c\u0928\u093f\u0915 \u0930\u0942\u092a \u0938\u0947 \u0938\u0941\u0932\u092d \u0939\u094b, \u0914\u0930 \u0906\u092e\u0924\u094c\u0930 \u092a\u0930 \u0935\u093f\u0928\u094d\u092f\u093e\u0938 \u0938\u0942\u091a\u0928\u093e, \u0906\u0935\u0947\u0926\u0928 \u0915\u094d\u0930\u0947\u0921\u0947\u0902\u0936\u093f\u092f\u0932\u094d\u0938 \u092f\u093e \u0915\u094d\u0930\u093f\u092a\u094d\u091f\u094b\u0917\u094d\u0930\u093e\u092b\u093c\u093f\u0915 \u0915\u0941\u0902\u091c\u093f\u092f\u093e\u0901 \u0939\u094b\u0924\u0947 \u0939\u0948\u0902 \u0907\u0930\u093e\u0926\u093e \u0915\u0930 \u0930\u0939\u0947 \u0939\u0948\u0902\u0964 +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. 
ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = \u0917\u0941\u0923 \u092b\u093c\u093e\u0907\u0932 \u0915\u0947 \u0932\u093f\u090f \u0938\u0902\u0926\u0930\u094d\u092d \u091c\u093f\u0932\u0947 \u0907\u0915\u091f\u094d\u0920\u0947 \u091c\u093e\u0935\u093e \u091c\u093e\u0935\u093e \u0935\u0930\u094d\u0917 [{0}] \u0915\u0947 \u0932\u093f\u090f \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u092e\u0947\u0902 \u092a\u093e\u092f\u093e \u0917\u092f\u093e \u0925\u093e\u0964 ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = \u0917\u0941\u0923 \u092b\u093c\u093e\u0907\u0932 \u092a\u094d\u0930\u0915\u091f\u0940\u0915\u0930\u0923 - /WEB-INF \u092b\u093c\u094b\u0932\u094d\u0921\u0930 -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = /WEB-INF \u092b\u093c\u094b\u0932\u094d\u0921\u0930 \u092f\u093e \u0907\u0938\u0915\u0940 \u0938\u093e\u092e\u0917\u094d\u0930\u0940 \u0915\u0947 \u0932\u093f\u090f \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u0915\u0940 \u0938\u0947\u0935\u093e \u0928\u0939\u0940\u0902 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0915\u0949\u0928\u094d\u092b\u093c\u093f\u0917\u0930 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0939\u094b\u0928\u093e \u091a\u093e\u0939\u093f\u090f\u0964 \u092f\u0939 \u092d\u0940 /WEB-INF \u092b\u093c\u094b\u0932\u094d\u0921\u0930 \u0915\u094b \u0928\u093f\u0915\u093e\u0932\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0938\u0902\u092d\u0935 \u0939\u094b \u0938\u0915\u0924\u093e \u0939\u0948\u0964 +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0915\u0947 /WEB-INF \u092b\u093c\u094b\u0932\u094d\u0921\u0930 \u0915\u0940 \u0938\u0947\u0935\u093e \u0928\u0939\u0940\u0902 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0915\u0949\u0928\u094d\u092b\u093c\u093f\u0917\u0930 \u0915\u093f\u092f\u093e \u091c\u093e\u0928\u093e \u091a\u093e\u0939\u093f\u090f \u092f\u093e \u0907\u0938\u0915\u0940 \u0938\u093e\u092e\u0917\u094d\u0930\u0940 \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930\u094b\u0902, \u0915\u0947 \u092c\u093e\u0926 \u0938\u0947 \u092f\u0939 \u0907\u0938 \u0924\u0930\u0939 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u0938\u0902\u0935\u0947\u0926\u0928\u0936\u0940\u0932 \u091c\u093e\u0928\u0915\u093e\u0930\u0940 \u0936\u093e\u092e\u093f\u0932 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0915\u094d\u0930\u0947\u0921\u0947\u0902\u0936\u093f\u092f\u0932 \u0936\u093e\u092e\u093f\u0932 \u0915\u0930 \u0938\u0915\u0924\u0947 \u0939\u0948\u0902 \u091c\u093e\u0935\u093e \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u0914\u0930 \u0917\u0941\u0923 \u092b\u093c\u093e\u0907\u0932\u0947\u0902 \u091c\u094b \u0938\u0902\u0915\u0932\u093f\u0924\u0964 \u0906\u0935\u0947\u0926\u0928 \u0915\u0947 \u0938\u093e\u0925 \u0924\u0948\u0928\u093e\u0924 \u091c\u093e\u0935\u093e \u0935\u0930\u094d\u0917\u094b\u0902, \u090f\u0915 "\u0930\u0915\u094d\u0937\u093e \u092e\u0947\u0902 \u0917\u0939\u0930\u093e\u0908" \u0926\u0943\u0937\u094d\u091f\u093f\u0915\u094b\u0923 \u092e\u0947\u0902 \u0930\u0915\u094d\u0937\u093e \u0915\u0940 \u090f\u0915 \u0905\u0924\u093f\u0930\u093f\u0915\u094d\u0924 \u092a\u0930\u0924 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u0938\u092e\u091d\u0928\u0947 \u092e\u0947\u0902 \u0915\u0920\u093f\u0928 \u0939\u094b\u0928\u093e \u091a\u093e\u0939\u093f\u090f\u0964 ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 
(otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
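Review bot: the `ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln` change in this hunk discards a translated value (the `\u0917\u0941\u0923...` escapes are Devanagari script) and replaces it with the English source text, while the sibling keys `...propertiesfile.extrainfo`, `...propertiesfile.name` and the context line `ascanrules.sourcecodedisclosurewebinf.soln` keep their translations. If this commit is only meant to propagate trailing-period and whitespace changes from the source file, an existing translation should not be dropped; check how the localization export handles a source string that changed only in punctuation before merging. Separately, a file named `Messages_ar_SA.properties` should carry Arabic text (U+0600 block), not Devanagari (U+0900 block), so the locale mapping for this file looks wrong independent of this change.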
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = \u0915\u094d\u0937\u0947\u0924\u094d\u0930\: [{0}], \u092e\u0942\u0932\u094d\u092f [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. 
ascanrules.sqlinjection.alert.errorbased.attack = [{0}] \u0915\u094d\u0937\u0947\u0924\u094d\u0930\: [{1}], \u092e\u0942\u0932\u094d\u092f [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = \u092e\u0942\u0932 \u092e\u0942\u0932\u094d\u092f\: [{0}]\u0964 \u0938\u0902\u0936\u094b\u0927\u093f\u0924 \u092e\u093e\u0928\: [{1}]\u0964 \u0928\u093f\u092f\u0902\u0924\u094d\u0930\u0923 \u092e\u093e\u0928\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = HTTP \u0938\u094d\u0925\u093f\u0924\u093f [{0}] unmodified \u0938\u0902\u0926\u0947\u0936 \u0926\u093f\u092f\u093e \u0925\u093e, HTTP \u0938\u094d\u0925\u093f\u0924\u093f [{2}], \u0936\u0930\u0940\u0930 \u0915\u0940 \u0932\u0902\u092c\u093e\u0908 [{3}] \u0938\u0902\u0936\u094b\u0927\u093f\u0924 \u0936\u0930\u0940\u0930 \u0932\u0902\u092c\u093e\u0908 [{1}], \u0915\u093e \u0938\u0902\u0926\u0947\u0936 \u0926\u093f\u092f\u093e \u0925\u093e\u0964 \u090f\u0915 \u0924\u093f\u0939\u093e\u0908 (\u0917\u0948\u0930-SQL \u0907\u0902\u091c\u0947\u0915\u094d\u0936\u0928 \u092e\u093e\u0928 \u0909\u0924\u094d\u092a\u094d\u0930\u0947\u0930\u0923) HTTP \u0938\u094d\u0925\u093f\u0924\u093f [{4}], \u0936\u0930\u0940\u0930 \u0915\u0940 \u0932\u0902\u092c\u093e\u0908 [{5}] \u0926\u093f\u092f\u093e \u0925\u093e -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = HTTP \u0938\u094d\u0925\u093f\u0924\u093f [{0}] unmodified \u0938\u0902\u0926\u0947\u0936 \u0926\u093f\u092f\u093e \u0925\u093e, HTTP \u0938\u094d\u0925\u093f\u0924\u093f [{1}] \u0938\u0902\u0936\u094b\u0927\u093f\u0924 \u0938\u0902\u0926\u0947\u0936 \u0926\u093f\u092f\u093e \u0925\u093e -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The 
original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = \u0915\u094d\u0935\u0947\u0930\u0940 \u0938\u092e\u092f \u092a\u0948\u0930\u093e\u092e\u0940\u091f\u0930 \u092e\u093e\u0928 [{0}], \u091c\u093f\u0938\u0915\u0947 \u0915\u093e\u0930\u0923 \u091c\u092c \u092e\u0942\u0932\u094d\u092f [{2}] \u0915\u0947 \u0938\u093e\u0925 \u092e\u0942\u0932 unmodified \u0915\u094d\u0935\u0947\u0930\u0940 [{3}] \u092e\u093f\u0932\u0940\u0938\u0947\u0915\u0902\u0921 \u0932\u093f\u092f\u093e [{1}] \u092e\u093f\u0938\u0947, \u0932\u0947 \u0932\u094b \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0905\u0928\u0941\u0930\u094b\u0927 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930 \u091a\u0932\u093e\u092f\u093e \u0939\u0941\u0906 \u0939\u0948 +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. 
+ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] \u0915\u094d\u0937\u0947\u0924\u094d\u0930\: [{1}], \u092e\u0942\u0932\u094d\u092f [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. 
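Review bot: three translated strings are lost in this hunk, `ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo`, `...errorbased.httpstatuscode.extrainfo` and `...timebased.extrainfo`, whose `-` lines are Devanagari text and whose `+` lines are the English source text plus a trailing period, while the neighbouring `...booleanbased.attack`, `...errorbased.attack` and `...errorbased.differentiation.attack` keep their translated values. Every other `+` line in the hunk only adds a terminal period, so these three read as a translation regression rather than a deliberate reset; please confirm the intent. Note that the translated `differentiation.extrainfo` ordered its placeholders as [{0}], [{2}], [{3}], [{1}], [{4}], [{5}], a legitimate reordering for the target language that disappears with this change.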
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hr_HR.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hr_HR.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hr_HR.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hr_HR.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
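Review bot: the `-`/`+` pairs for `ascanrules.bufferoverflow.desc` and `ascanrules.bufferoverflow.soln` in this hunk are identical as rendered here, so the only difference can be trailing whitespace or an invisible character; please confirm with `git diff -w` (those pairs should disappear) and say in the commit message that the change is whitespace-only. The same pattern recurs in the later hunks of this file (`crlfinjection.desc`, `directorybrowsing.desc`/`.soln`, `elmah.otherinfo`, `envfiles.desc`, `formatstring.desc`/`.soln`, `htaccess.desc`, `parametertamper.desc`/`.soln`, `remotecodeexecution.cve-2012-1823.desc`, `serversideinclude.desc`, `sourcecodedisclosurewebinf.desc`, `...propertiesfile.desc`/`.soln`) and in the `ascanrules.traceaxd.otherinfo` hunk of Messages_ar_SA.properties above. If these locale files are generated from a source Messages.properties, the whitespace fix belongs there and that file should be part of the same change set.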
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
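Review bot: two lines touched in this hunk carry the same grammar error on the `-` and the `+` side: `ascanrules.directorybrowsing.soln` reads "make sure the listed files does not induce risks" (should be "do not"), and `ascanrules.envfiles.desc` reads "One or more .env files seems to have been located" (should be "seem"). Since these lines are being rewritten for whitespace only, this is the moment to correct the wording in the source string so the fix reaches every locale.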
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
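Review bot: `ascanrules.parametertamper.desc` is unchanged between `-` and `+` but reads "This indicated lack of exception handling and potential areas for further exploit"; tense and article are off ("This indicates a lack of exception handling and potential areas for further exploitation"). `ascanrules.parametertamper.soln` in the same hunk has "enforce a tight check in the server side" ("on the server side"). Both are worth fixing in the source string while the lines are already in the diff.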
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
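Review bot: the period appended to `ascanrules.serversideinclude.soln` lands after an Apache directive, so the last line of the message now reads `AddType text/x-server-parsed-html .html.`; anyone copying the directive block from the alert gets a trailing period on the file extension. Either close the sentence before the directive list ("For Apache, disable the following:") and leave the directive lines unpunctuated, or skip the period for this key. While here, "Refer to manual to disable Sever Side Include" in the same string misspells "Server", and `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` has "Properties file are not intended" ("Properties files are"); both are identical on the `-` and `+` side.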
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
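Review bot: the trailing-period sweep in the @@ -164,19 hunk is applied inconsistently inside single messages. `booleanbased.extrainfo`, `expressionbased.extrainfo`, `orderbybased.extrainfo` and `unionbased.extrainfo` only gain a period on their final sentence, while the sentence before the `\n` (`...[{1}]\nThe parameter value...`, `...HTML results\nThe vulnerability...`) still ends without one, whereas `errorbased.extrainfo` already has `results.\nThe vulnerability...`. Suggest adding the period before each `\n` as well so every two-line alert reads the same way. The context line `ascanrules.sqlinjection.authbypass.desc = ... mechanism to be bypassed` is likewise left without a period even though every neighbouring message gets one; include it in the sweep. The identical hunk is repeated for Messages_hu_HU.properties further down, where the same comment applies.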
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hu_HU.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hu_HU.properties index ec7006b545a..48c3128c510 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hu_HU.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_hu_HU.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Puffer t\u00falcsordul\u00e1s -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
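Review bot: the `+` lines for `ascanrules.bufferoverflow.desc` and `ascanrules.bufferoverflow.soln` in this @@ -1,9 hunk are character-for-character the same as the `-` lines in this view, so the change must be trailing or doubled whitespace; please confirm with a whitespace-aware diff and say so in the PR description, since an invisible edit to a localized file is hard to review (the same applies to `traceaxd.otherinfo`, `elmah.otherinfo`, `htaccess.desc` and the other unchanged-looking `+` lines below). More generally, every string touched in Messages_hu_HU.properties here is still English (only `ascanrules.bufferoverflow.name = Puffer t\u00falcsordul\u00e1s` is actually translated), so these edits duplicate the source wording rather than a translation; check that the same wording change lands in the default Messages.properties so the locale fallbacks do not diverge from it.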
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
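Review bot: the `+` line for `ascanrules.crlfinjection.desc` in the @@ -11,20 hunk shows no visible change from the `-` line, and since the string is being rewritten anyway its grammar should be fixed at the same time: `Cookie can be set via CRLF injection` reads better as `A cookie can be set via CRLF injection`, `using cross-site script` should be `using cross-site scripting`, and `cache poisoning vulnerability may also exist` needs an article (`a cache poisoning vulnerability`). `ascanrules.codeinjection.desc` is also awkward after the period is added; suggest `Code injection may be possible: custom code supplied in the parameter may be evaluated by the server-side scripting engine.` The `\n Avoid` to `\nAvoid` fix in `codeinjection.soln` is correct, that stray space would have rendered as an indented line in the alert.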
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
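Review bot: two agreement errors survive on `+` lines of the @@ -33,22 hunk that are being edited anyway: `ascanrules.directorybrowsing.soln` says `make sure the listed files does not induce risks` (should be `do not`), and `ascanrules.envfiles.desc` says `One or more .env files seems to have been located` (should be `seem`). The `+` lines for `ascanrules.directorybrowsing.desc` and `ascanrules.elmah.otherinfo` show no visible difference from their `-` lines, so if these are whitespace-only edits they should be called out in the description.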
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
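Review bot: in the @@ -62,13 hunk, `ascanrules.formatstring.error1` and `error2` now end with the period placed directly after the format specifier (`on a /%s.`, `on a /%s and /%x.`), which reads as if the period were part of the payload token; consider bracketing the specifiers the way the sqlinjection messages bracket their values (`[{0}]`), e.g. `closed the connection on [/%s] and [/%x].` The `+` lines for `formatstring.desc` and `formatstring.soln` show no visible change from the `-` lines. In the @@ -86,7 hunk the `+` line for `ascanrules.htaccess.desc` likewise looks unchanged; while it is being touched, `htaccess files` should read `.htaccess files` to match the rule name `.htaccess Information Leak` on the following line.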
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
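Review bot: `ascanrules.parametertamper.desc` in the @@ -110,9 hunk still says `This indicated lack of exception handling`; since the line is being edited, change it to `This indicates a lack of exception handling`, and in `parametertamper.soln` change `enforce a tight check in the server side` to `on the server side`. Neither `+` line shows a visible difference from its `-` line in this view, so confirm these are whitespace-only edits.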
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
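Review bot: the `+` line for `ascanrules.serversideinclude.soln` in the @@ -123,33 hunk appends the new period directly to the last Apache directive, giving `AddType text/x-server-parsed-html .html.`. The `\n`-separated tail of this message (`Options Indexes FollowSymLinks Includes`, `AddType application/x-httpd-cgi .cgi`, ...) is presented as configuration a reader may copy, and the period turns the extension into `.html.`; end the prose sentence at `For Apache, disable the following\:` and leave the directive lines untouched. While this string is open: `Refer to manual to disable Sever Side Include` has a typo (`Server`), `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` should read `Properties files are not intended`, and `dis-assembled` in `sourcecodedisclosurewebinf.desc` and `propertiesfile.extrainfo` is normally written `disassembled` (for class files `decompiled` would be more accurate).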
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
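Review bot: the trailing periods added to the sqlinjection extrainfo strings are applied inconsistently inside the strings themselves. `errorbased.extrainfo` now reads `...matched by the HTML results.\nThe vulnerability...` with a period before the `\n`, but `unionbased.extrainfo` still has `...matched by the HTML results\nThe vulnerability...`, and `expressionbased.extrainfo` and `orderbybased.extrainfo` keep `...as the parameter value\nThe parameter value...`, so the first sentence of each two-line alert still ends without punctuation while the second now has it. The unchanged context line `ascanrules.sqlinjection.authbypass.desc = ... to be bypassed` also lacks the period that every neighbouring string now carries. Suggest adding the period before each `\n` and to `authbypass.desc` in the same pass.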
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_id_ID.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_id_ID.properties index 262f973d2b5..3bcec1370f9 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_id_ID.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_id_ID.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow kesalahan yang ditandai oleh timpa ruang memori dari latar belakang web proses, yang seharusnya tidak pernah dimodifikasi secara sengaja atau tidak sengaja. Timpa nilai IP (Instruction Pointer), BP (Base Pointer) dan register lainnya menyebabkan pengecualian, segmentasi, dan proses lain kesalahan yang terjadi. Biasanya kesalahan ini akhir pelaksanaan aplikasi dalam cara yang tak terduga. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potensi Buffer Overflow. Skrip menutup koneksi dan melemparkan 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Menulis latar belakang program tepat menggunakan kembali memeriksa suhu udara turun. Ini akan memerlukan kompilasi ulang dari latar belakang eksekusi. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
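Review bot: this hunk replaces the Indonesian `bufferoverflow.desc`, `.other` and `.soln` strings in `Messages_id_ID.properties` with the English text, which duplicates the base bundle instead of falling back to it. A Java `ResourceBundle` lookup already falls back to the base `Messages.properties` for any key absent from a locale file, so an untranslated key is better removed than copied: a copied English string silently goes stale the next time the base text changes (the trailing-period edits elsewhere in this diff are exactly that case). If these files are regenerated from the translation platform, say so in the PR description so reviewers know not to edit them by hand; otherwise consider dropping the untranslated keys rather than carrying English under an `id_ID` locale.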
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
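Review bot: the `-`/`+` pair for `ascanrules.crlfinjection.desc` is visually identical, so this is a trailing-whitespace-only change; the same pattern recurs further down in this file for `directorybrowsing.desc`, `directorybrowsing.soln`, `envfiles.desc`, `htaccess.desc`, `parametertamper.desc`, `parametertamper.soln` and `traceaxd.otherinfo`. Whitespace-only edits in a properties file are harmless, but they are worth naming in the PR description so reviewers do not hunt for a text change. Since the line is being touched anyway, the wording could be tightened to `A cookie can be set via CRLF injection. ... by carefully crafting the injected response using cross-site scripting, a cache poisoning vulnerability may also exist.` The `codeinjection.soln` change in this hunk (dropping the space after `\n` before `Avoid`) is correct, as that space would otherwise be rendered at the start of the line.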
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Browsing Direktori ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modul dan Handler (ELMAH [elmah.axd]) Modul HTTP ditemukan tersedia. Modul ini bisa membocorkan sejumlah besar informasi berharga. ascanrules.elmah.name = Informasi ELMAH Bocor -ascanrules.elmah.otherinfo = Berdasarkan status respon kode ELMAH dapat dilindungi dengan otentikasi atau mekanisme otorisasi. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/ https\://www.nuget.org/packages/elmah https\://elmah.github.io/ ascanrules.elmah.soln = Pertimbangkan apakah ELMAH benar-benar diperlukan dalam produksi, jika tidak maka nonaktifkan. Jika kemudian memastikan akses ke sana memerlukan otentikasi dan otorisasi. Lihat juga\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
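Review bot: two of the strings rewritten in this hunk keep grammatical errors that should be fixed while the lines are being touched: `directorybrowsing.soln` `make sure the listed files does not induce risks` should read `do not`, and `envfiles.desc` `One or more .env files seems to have been located` should read `seem`. Also, the unchanged context line `ascanrules.elmah.refs` separates its three URLs with spaces, whereas every other `.refs` key visible in this file (`crlfinjection.refs`, `codeinjection.refs`, `envfiles.refs`, `commandinjection.refs`) uses `\n` as the separator; consider normalising it to `\n` for consistent rendering.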
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = Kesalahan Format String terjadi ketika data yang dikirimkan dari sebuah string masukan dievaluasi sebagai perintah oleh aplikasi. -ascanrules.formatstring.error1 = Potensi Format String Error. Skrip menutup koneksi pada /%s -ascanrules.formatstring.error2 = Potensi Format String Error. Skrip menutup koneksi pada /%s dan /%x -ascanrules.formatstring.error3 = Potensi Format String Error. Skrip menutup koneksi pada string format microsoft error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Menulis latar belakang program menggunakan penghapusan karakter tepat buruk string. Ini akan memerlukan kompilasi ulang dari latar belakang eksekusi. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. 
This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
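Review bot: the new `ascanrules.formatstring.desc` text, `the submitted data of an input string is evaluated as a command by the application`, misdescribes the bug class; a format string error is user input being interpreted as the format argument of a printf-family function (so that `%s`, `%x` or `%n` in the input are acted on), not as a command. Suggest `A Format String error occurs when user-submitted data is interpreted as a format string by the application.` The `error1`/`error2` strings already match that reading (`closed the connection on a /%s and /%x`). `formatstring.soln` `proper deletion of bad character strings` is similarly vague; `never pass user input as the format argument; use a fixed format string and supply the input as a parameter` names the actual fix and is consistent with the OWASP reference in `formatstring.refs`.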
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generik Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Perbarui perangkat lunak server yang terkena dampak, atau modifikasi skrip sehingga mereka benar memvalidasi data terenkripsi sebelum mencoba dekripsi. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Jalur Traversal 
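Review bot: `ascanrules.parametertamper.desc` and `.soln` are whitespace-only changes here, but both carry wording errors worth fixing in the same edit: `This indicated lack of exception handling` should be `This indicates a lack of exception handling`, `enforce a tight check in the server side` should be `on the server side`, and `Besides, catch the exception properly` reads oddly in an advisory (`Also, catch exceptions properly`). The unchanged `ascanrules.pathtraversal.name = Jalur Traversal` and `ascanrules.paddingoracle.name = Generik Padding Oracle` context lines show that after this diff the file still mixes Indonesian alert names with English descriptions, so the locale will render partly translated alerts.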
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Beberapa versi PHP, ketika dikonfigurasi untuk berjalan menggunakan CGI, tidak benar menangani pertanyaan string yang kurang tidak dapat lolos "\=" karakter, yang memungkinkan eksekusi kode sewenang-wenang. Dalam kasus ini, sebuah sistem operasi perintah disebabkan akan dieksekusi di web server, dan hasilnya dikembalikan ke browser web. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Eksekusi Kode Jarak Jauh - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade ke versi stabil terbaru dari PHP, atau menggunakan Apache web server dan modul mod_rewrite untuk menyaring berbahaya permintaan menggunakan arahan "RewriteCond" dan "RewriteRule". ascanrules.remotefileinclude.name = Penyertaan File Jarak Jauh -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. 
This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Beberapa versi PHP, ketika dikonfigurasi untuk dijalankan menggunakan CGI, jangan menangani string kueri dengan benar yang tidak memiliki karakter "\=" yang tidak digerakkan, yang memungkinkan pengungkapan kode sumber PHP, dan eksekusi kode sewenang-wenang. Dalam hal ini, isi file PHP tersebut langsung ditayangkan ke web browser. Output ini biasanya berisi PHP, meskipun mungkin juga berisi HTML langsung. 
ascanrules.sourcecodedisclosurecve-2012-1823.name = Pengungkapan Kode Sumber - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade ke versi stabil terbaru dari PHP, atau menggunakan Apache web server dan modul mod_rewrite untuk menyaring berbahaya permintaan menggunakan arahan "RewriteCond" dan "RewriteRule". -ascanrules.sourcecodedisclosurewebinf.desc = Kode sumber Java telah diungkapkan oleh server web di file kelas Java di folder WEB-INF. File kelas dapat dis-rakitan untuk menghasilkan kode sumber yang sangat sesuai dengan kode sumber asli. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = Sebuah kelas Java di folder / WEB-INF mengungkapkan adanya file properti. File properti tidak dimaksudkan untuk dapat diakses oleh publik, dan biasanya berisi informasi konfigurasi, kredensial aplikasi, atau kunci kriptografi. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = Referensi ke file properti ditemukan di kode sumber Java dis-rakitan untuk kelas Java [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Pengungkapan File Properties - / WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = Server web harus dikonfigurasi untuk tidak melayani folder / WEB-INF atau isinya ke browser web. Mungkin juga untuk menghapus folder / WEB-INF. 
+ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. ascanrules.sourcecodedisclosurewebinf.soln = Server web harus dikonfigurasi untuk tidak melayani folder / WEB-INF atau isinya ke browser web, karena berisi informasi sensitif seperti kode sumber dan kode properti yang dikompilasi yang mungkin berisi kredensial. Kelas Java yang dikerahkan dengan aplikasi harus dikaburkan, sebagai lapisan pertahanan tambahan dalam pendekatan "pertahanan-mendalam". ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
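Review bot: the trailing period added to `ascanrules.serversideinclude.soln` lands on the last Apache directive, `AddType text/x-server-parsed-html .html.`, so a user who copies the listed configuration lines verbatim gets the extension `.html.` instead of `.html`; the period should not be appended to that string, or the prose should be reordered so the sentence ends before the `For Apache, disable the following\:` block. The same string keeps the typo `Refer to manual to disable Sever Side Include` (`Server`). In `sourcecodedisclosurewebinf.propertiesfile.desc`, `disclosed the presence of the properties file. Properties file are not intended` should read `a properties file. Properties files are not intended`, and `dis-assembled` in `sourcecodedisclosurewebinf.desc` is normally written `disassembled` (or `decompiled`, which is the operation that actually recovers source from class files).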
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = bidang\: [{0}], nilai [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}]\: [{1}], nilai [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Nilai Asli\: [{0}]. Nilai yang Diubah\: [{1}]. 
Nilai Kontrol\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Pesan yang tidak dimodifikasi memberikan status HTTP [{0}], pesan yang dimodifikasi memberikan status HTTP [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = Waktu kueri dapat dikontrol dengan menggunakan nilai parameter [{0}], yang menyebabkan permintaan untuk mengambil [{1}] milidetik, bila kueri asli yang tidak dimodifikasi dengan nilai [{2}] mengambil [{3}] milidetik +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}]\: [{1}], nilai [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
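Review bot: after this hunk the id_ID SQL injection alerts are mixed-language: `booleanbased.extrainfo`, the `errorbased.*.extrainfo` keys and `unionbased.extrainfo` become English, while the adjacent context lines `ascanrules.sqlinjection.alert.booleanbased.attack = bidang\: [{0}], nilai [{1}]`, `errorbased.attack`, `errorbased.differentiation.attack` (`Nilai Asli\:`, `Nilai Kontrol\:`) and `unionbased.attack` stay Indonesian, so a single alert will show an Indonesian attack line above an English explanation. Either translate the extrainfo keys too or drop the untranslated ones so the base bundle supplies both halves. Separately, `booleanbased.extrainfo` still has no period before its `\n` (`conditions [{0}] and [{1}]\nThe parameter`), unlike `.dataexists` and `.datanotexists`, which now end their first sentence with one.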
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_it_IT.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_it_IT.properties index 9b43b83c641..d7280a566bf 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_it_IT.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_it_IT.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Gli errori di Buffer overflow sono caratterizzati dalla sovrascrittura di spazi di memoria del processo web sottostante, che non dovebbe mai essere modificata intenzionalmente o non intenzionalmente. Sovrascrivere i valori del registro IP (Instruction Pointer, puntatotre di istruzione), BP (Base Pointer, puntatore base) e altri registri pu\u00f2 causare eccezioni, errori di segmentazione, e altri errori di processo. Normalmente questi errori terminano l'esecuzione dell'applicazione in un modo non prevedibile. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potenziale Buffer Overflow. Lo script ha chiuso la connessione e ha generato un errore 500 Error interno del server +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Riscrivere il programma sullo sfondo utilizzando il controllo della lunghezza del valore di ritorno. Questo richiede di ricompilare l'eseguibile sullo sfondo. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Meta-dati del Cloud Potenzialmente Esposti 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Tecnica di attacco utilizzata per l'esecuzione non autorizzata di comandi del sistema operativo. 
Questo attacco \u00e8 possibile quando un'applicazione accetta un input non fidato per eseguire comandi del sistema operativo in una maniera non sicura, coinvolgendo la sanificazione di dati impropri e chiamate improprie a programmi esterni. ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. 
ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Stato di rilascio delle regole di scansione attiva -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = Il modulo HTTP Error Logging Modules and Handlers (ELMAH [elmah.axd]) \u00e8 stato trovato. Questo componente pu\u00f2 far trapelare una quantit\u00e0 importante di informazioni preziose. 
ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = In base allo status code della risposta, ELMAH potrebbe essere protetto da un meccanismo di autenticazione o autorizzazione. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = Un errore di formato della stringa avviene quando i dati inviati di una stringa di input vengono valutati come comando dall'applicazione. -ascanrules.formatstring.error1 = Potenziale errore di formato stringa. Lo script ha chiuso la connessione su un /%s -ascanrules.formatstring.error2 = Potenziale errore di formato stringa. Lo script ha chiuso la connessione su un /%s e /%x -ascanrules.formatstring.error3 = Potenziale errore di formato stringa. Lo script ha chiuso la connessione su un errore di formattazione stringa microsoft +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Errore nella formattazione della stringa ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Riscrivere il programma in background utilizzando una corretta eliminazione delle stringhe con caratteri malevoli. Questo richieder\u00e0 una ricompilazione dell'eseguibile in background. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. 
This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Oracle Padding generico ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Aggiornare il software del server interessato o modificare gli script in modo che essi convalidino correttamente i dati crittografati prima di tentare la decrittazione. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Alcune versioni PHP, quando configurate per essere eseguito usando CGI, non gestiscono correttamente le stringhe di query in cui manca un carattere "\=", consentendo l'esecuzione di codice arbitrario. In questo caso, un comando del sistema operativo \u00e8 stato eseguito dal server web, e i risultati sono stati restituiti al browser web. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Esecuzione di codice remoto - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Aggiornare all'ultima versione stabile di PHP, o utilizzare il server web Apache e il modulo mod_rewrite per filtrare le richieste dannose mediante le direttive "RewriteCond" e "RewriteRule". ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. 
This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Alcune versioni PHP, quando configurate per essere eseguite usando CGI, non gestiscono correttamente le stringhe di query con mancanza di un carattere escape "\=", consentendo la divulgazione del codice sorgente PHP e l'esecuzione di codice arbitrario. In questo caso, il contenuto del file PHP \u00e8 stato servito direttamente al browser web. Questa uscita di solito contiene codice PHP, anche se pu\u00f2 anche contenere direttamente HTML. 
ascanrules.sourcecodedisclosurecve-2012-1823.name = Rivelazione di codice sorgente - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Aggiornare all'ultima versione stabile di PHP, o utilizzare il server web Apache e il modulo mod_rewrite per filtrare le richieste dannose mediante le direttive "RewriteCond" e "RewriteRule". -ascanrules.sourcecodedisclosurewebinf.desc = Codice sorgente Java \u00e8 stato divulgato dal server web nel file di classe Java nella cartella WEB-INF. I file di classe possono essere disassemblati per produrre codice sorgente che assomiglier\u00e0 molto accuratamente al codice sorgente originale. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = Una classe Java nella cartella /WEB-INF ha rivelato la presenza di file di propriet\u00e0. I file di propriet\u00e0 non dovrebbero essere pubblicamente accessibilo e in genere contengono informazioni di configurazione, credenziali di applicazione o chiavi crittografiche. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = Il riferimento al file di propriet\u00e0 \u00e8 stato trovato nel codice sorgente Java disassemblato per la classe Java [{0}]. 
ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Rivelazione di File di Propriet\u00e0 - /WEB-INF cartella -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = Il server web deve essere configurato per non servire la cartella /WEB-INF o il suo contenuto ai browser web. \u00c8 possibile anche rimuovere la cartella /WEB-INF. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. ascanrules.sourcecodedisclosurewebinf.soln = Il server web deve essere configurato per non servire la cartella /WEB-INF o il suo contenuto ai browser web, poich\u00e9 contiene informazioni sensibili come codice Java compilato e file di propriet\u00e0 che possono contenere credenziali. Le classi Java distribuite con l'applicazione dovrebbero essere offuscate, come ulteriore livello di difesa in un approccio di "difesa in profondit\u00e0". ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = Campo\: [{0}], valore [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] campo\: [{1}], valore [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Valore originale\: [{0}]. valore modificato\: [{1}]. 
valore di controllo\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Messaggio non modificato ha dato il codice di stato HTTP [{0}], corpo di lunghezza [{1}], il messaggio modificato ha dato lo stato HTTP [{2}], corpo di lunghezza [{3}]. Un terzo (valore inducente una non-SQL injection) ha dato lo stato HTTP [{4}], corpo di lunghezza [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Messaggio non modificato ha dato il codice di stato HTTP [{0}], il messaggio modificato ha dato lo stato HTTP [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = Il tempo di query \u00e8 controllabile tramite il valore del parametro [{0}], che ha causato l''impiego di [{1}] millisecondi per la richiesta, quando la query originale non modificata con valore [{2}] ha impiegato [{3}] millisecondi +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] campo\: [{1}], valore [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ja_JP.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ja_JP.properties index 4e8b2b5ff8d..9a8f6b6e729 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ja_JP.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ja_JP.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = \u30d0\u30c3\u30d5\u30a1\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u4f8b\u5916\u306f\u3001\u30a6\u30a7\u30d6\u306e\u30d0\u30c3\u30af\u30b0\u30e9\u30a6\u30f3\u30c9\u51e6\u7406\u4e2d\u306b\u66f8\u304d\u8fbc\u307f\u4e0d\u53ef\u306e\u30e1\u30e2\u30ea\u7a7a\u9593\u304c\u610f\u56f3\u7684\u307e\u305f\u306f\u975e\u610f\u56f3\u7684\u306b\u4e0a\u66f8\u304d\u3055\u308c\u308b\u3053\u3068\u306b\u3088\u308a\u767a\u751f\u3057\u307e\u3059\u3002\nIP(\u30a4\u30f3\u30b9\u30c8\u30e9\u30af\u30b7\u30e7\u30f3\u30dd\u30a4\u30f3\u30bf)\u3084BP(\u30d9\u30fc\u30b9\u30dd\u30a4\u30f3\u30bf)\u306a\u3069\u306e\u30ec\u30b8\u30b9\u30bf\u306e\u5024\u304c\u4e0a\u66f8\u304d\u3055\u308c\u308b\u3053\u3068\u3067\u3001\u4f8b\u5916\u3084\u30bb\u30b0\u30e1\u30f3\u30c8\u9055\u53cd\u306a\u3069\u306e\u30d7\u30ed\u30bb\u30b9\u30a8\u30e9\u30fc\u304c\u767a\u751f\u3057\u307e\u3059\u3002\n\u901a\u5e38\u3001\u3053\u308c\u3089\u306e\u30a8\u30e9\u30fc\u304c\u767a\u751f\u3059\u308b\u3068\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306f\u4e88\u671f\u3057\u306a\u3044\u5f62\u3067\u7d42\u4e86\u3057\u307e\u3059\u3002 +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. 
ascanrules.bufferoverflow.name = \u30d0\u30c3\u30d5\u30a1 \u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc -ascanrules.bufferoverflow.other = \u6f5c\u5728\u7684\u306a\u30d0\u30c3\u30d5\u30a1\u30aa\u30fc\u30d0\u30fc\u30d5\u30ed\u30fc\u306e\u53ef\u80fd\u6027\u304c\u3042\u308b\u305f\u3081\u3001\u8a3a\u65ad\u30b9\u30af\u30ea\u30d7\u30c8\u306f\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3068\u306e\u63a5\u7d9a\u3092\u9589\u3058\u3066\u3001500 Internal Server Error\u3092\u8fd4\u3057\u307e\u3057\u305f\u3002 +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = \u5909\u6570\u304c\u6841\u3042\u3075\u308c\u3057\u306a\u3044\u3088\u3046\u3001\u30d7\u30ed\u30b0\u30e9\u30e0\u5185\u3067\u9069\u5207\u306a\u6841\u6570\u30c1\u30a7\u30c3\u30af\u3092\u884c\u3044\u307e\u3059\u3002 \u30d7\u30ed\u30b0\u30e9\u30e0\u4fee\u6b63\u5f8c\u306f\u5b9f\u884c\u30e2\u30b8\u30e5\u30fc\u30eb\u306e\u518d\u30b3\u30f3\u30d1\u30a4\u30eb\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002 +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
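Review bot: `ascanrules.crlfinjection.desc` in the `@@ -11,20 +11,20 @@` hunk changes only in whitespace as far as the visible text shows; since the line is being touched anyway, tighten the wording at the same time: "using cross-site script" should read "using cross-site scripting", and "cache poisoning vulnerability may also exist" should read "a cache poisoning vulnerability may also exist". The removal of the stray space after `\n` in `ascanrules.codeinjection.soln` looks right.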
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = \u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30d6\u30e9\u30a6\u30b8\u30f3\u30b0 ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. 
ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
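Review bot: Two grammar errors survive in lines this `@@ -33,22 +33,22 @@` hunk already rewrites: `ascanrules.directorybrowsing.soln` says "make sure the listed files does not induce risks" (should be "do not"), and `ascanrules.envfiles.desc` says "One or more .env files seems to have been located" (should be "seem"). Both `+` lines appear to differ from their `-` lines only in whitespace, so fixing the wording here costs nothing; the same strings appear in the ko_KR hunk with the same offsets and should be fixed there too.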
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = \u66f8\u5f0f\u6587\u5b57\u5217\u30a8\u30e9\u30fc ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
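Review bot: The trailing periods added to `ascanrules.formatstring.error1` and `error2` in the `@@ -62,13 +62,13 @@` hunk land directly after the format specifiers (`on a /%s.` and `on a /%s and /%x.`), which reads as if the period were part of the probe string the rule sent. Quoting the specifiers or moving the sentence end, e.g. `The script closed the connection on a "/%s".`, avoids the ambiguity. The `microsoft` to `Microsoft` capitalisation fix in `error3` is fine.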
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = \u30d1\u30b9 \u30c8\u30e9\u30d0\u30fc\u30b5\u30eb 
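Review bot: `ascanrules.parametertamper.desc` and `.soln` in the `@@ -110,9 +110,9 @@` hunk are rewritten without changing visible text, so take the opportunity to fix the tense and prepositions: "This indicated lack of exception handling" should read "This indicates a lack of exception handling", and "enforce a tight check in the server side" should read "on the server side". "Besides, catch the exception properly" would read better as "Also catch exceptions properly."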
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
ascanrules.remotefileinclude.name = \u30ea\u30e2\u30fc\u30c8 \u30d5\u30a1\u30a4\u30eb\u3000\u30a4\u30f3\u30af\u30eb\u30fc\u30b8\u30e7\u30f3 -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. 
ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. -ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. 
It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
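Review bot: The period appended to `ascanrules.serversideinclude.soln` in the `@@ -123,33 +123,33 @@` hunk is attached to the last Apache directive, producing `AddType text/x-server-parsed-html .html.`; anyone copying the listed directives out of the alert gets a wrong extension. Drop that period (the value ends in a config listing, not a sentence) or end the sentence before the directives. The same line also still contains the typo "Refer to manual to disable Sever Side Include" in both its `-` and `+` form, and `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` still says "Properties file are not intended" (should be "Properties files are not intended"). Joining the split `propertiesfile.soln` value into one line is a good fix.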
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. 
ascanrules.sqlinjection.alert.errorbased.attack = [{0}] \u30d5\u30a3\u30fc\u30eb\u30c9\: [{1}]\u3000\u5024\uff1a[{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = \u5143\u306e\u5024\: [{0}]\u3002\u5909\u66f4\u5f8c\u306e\u5024\: [{1}]\u3002\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u5024\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body 
of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. 
ascanrules.sqlinjection.alert.unionbased.attack = [{0}] \u30d5\u30a3\u30fc\u30eb\u30c9\: [{1}]\u3000\u5024\uff1a[{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. 
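Review bot: Punctuation in the `@@ -164,19 +164,19 @@` hunk is now inconsistent within single values: `ascanrules.sqlinjection.alert.booleanbased.extrainfo`, `expressionbased.extrainfo`, `orderbybased.extrainfo` and `unionbased.extrainfo` gain a period at the very end but the sentence before the embedded `\n` still ends without one (`[{1}]\nThe parameter ...`, `HTML results\nThe vulnerability ...`). Either terminate both sentences or neither, so the rendered multi-line alert text reads uniformly. The `{2}stripped` / `{1}stripped` placeholders (filled with an empty string or "NOT ") are unchanged and still correct.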
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ko_KR.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ko_KR.properties index 1f2bca6fe80..330d00f8cf6 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ko_KR.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ko_KR.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
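Review bot: two touched lines in this hunk keep grammar errors that should be fixed in the same pass: `ascanrules.directorybrowsing.soln` says "make sure the listed files does not induce risks" (should be "do not"), and `ascanrules.envfiles.desc` says "One or more .env files seems to have been located" (should be "seem"). Since both lines are already being re-added, correcting them now avoids another round of identical diffs across the locale files.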
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
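Review bot: in the `@@ -62,13` hunk, `ascanrules.formatstring.error1` and `.error2` now end with `/%s.` and `/%x.`, so the new period sits directly after the format specifier and can be read as part of it; consider bracketing the specifiers the way other messages bracket their tokens (e.g. `[/%s]`) or leaving those two messages without a terminal period. `ascanrules.formatstring.desc` is another byte-identical remove/re-add pair, same remark as for the earlier hunks.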
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
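Review bot: `ascanrules.parametertamper.desc` is re-added unchanged but still reads "This indicated lack of exception handling", which should be "This indicates a lack of exception handling"; and in `ascanrules.parametertamper.soln` "Besides, catch the exception properly" reads awkwardly, "Also, catch exceptions properly" would be clearer. Both lines are in the hunk, so the wording fix costs nothing extra.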
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
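Review bot: the new terminal period in `ascanrules.serversideinclude.soln` is appended to an Apache directive, so the last line of the message now reads `AddType text/x-server-parsed-html .html.`; anyone copying that directive into httpd.conf gets a trailing `.html.`. Either drop the period here or end the prose sentence before the directive list. While on that line, "Refer to manual to disable Sever Side Include" still has the "Sever" typo (should be "Server") and is missing "the". Further down, `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` keeps "Properties file are not intended" (should be "Properties files are"), and "dis-assembled" would normally be written "disassembled".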
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] \ud544\ub4dc\: [{1}] \uac12 [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = \uae30\ubcf8\uac12\: [{0}]. \ubcc0\uacbd\uac12\: [{1}]. 
\uc81c\uc5b4\uac12\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] \ud544\ub4dc\: [{1}] \uac12 [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
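Review bot: punctuation in the `@@ -164,19` hunk is now inconsistent inside multi-line messages: the last line of `ascanrules.sqlinjection.alert.booleanbased.extrainfo`, `.expressionbased.extrainfo`, `.orderbybased.extrainfo`, `.errorbased.extrainfo` and `.unionbased.extrainfo` gets a period, but the first line before `\n` (e.g. "...using the boolean conditions [{0}] and [{1}]") still has none; either terminate both or neither. Separately, the untouched `ascanrules.sqlinjection.alert.errorbased.attack`, `.errorbased.differentiation.attack` and `.unionbased.attack` values in this hunk are Korean (`\ud544\ub4dc` is 필드 "field", `\uac12` is 값 "value", `\uae30\ubcf8\uac12` is 기본값 "default value") inside `Messages_ar_SA.properties`, the Arabic locale file, alongside otherwise English text; worth flagging to whoever maintains the translations. The unchanged context line `ascanrules.sqlinjection.authbypass.desc` also lacks the terminal period this change is adding elsewhere.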
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_mk_MK.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_mk_MK.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_mk_MK.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_mk_MK.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
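Review bot: the `Messages_mk_MK.properties` hunks are identical to the `Messages_ar_SA.properties` ones above, and both files carry English (not Macedonian or Arabic) strings, so the same punctuation edit is being hand-applied per locale; if these locale files are copies synced from the base `Messages.properties`, please note in the commit message whether they were edited by hand or regenerated, and whether the other locale files received the same change, so reviewers know which file is the source of truth and the fixes requested on the ar_SA hunks (`directorybrowsing.soln`, `envfiles.desc`, `parametertamper.desc`, the `.html.` directive in `serversideinclude.soln`) are applied consistently.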
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
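Review bot: In the ar_SA `@@ -62,13` hunk, the full stop added to `ascanrules.formatstring.error1` and `error2` lands directly after the format specifier (`... on a /%s.` and `... on a /%s and /%x.`), so it reads as part of the probe string shown to the user. Quote the probe and end the sentence after it, for example `The script closed the connection on a '/%s' probe.` The `-`/`+` pairs for `formatstring.desc` and `formatstring.soln` again show no visible difference, so the same whitespace-only check applies to them.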
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
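Review bot: In the ar_SA `@@ -123,33` hunk, `ascanrules.serversideinclude.soln` now ends with `AddType text/x-server-parsed-html .html.`; the added full stop is glued to a literal Apache directive that the text tells the reader to find and disable, and `.html.` is not what they will see in their configuration. Drop the period on that line, or close the sentence before the directive list begins. The same value still carries the typo `Refer to manual to disable Sever Side Include`, which a punctuation pass over this key should fix too.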
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ms_MY.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ms_MY.properties index ec3c2ddecd9..4292acc7e8b 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ms_MY.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ms_MY.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Penampan limpahan kesilapan ditandai oleh penggantian memori ruang latar belakang web proses, yang seharusnya tidak pernah telah diubah secara sengaja atau tidak sengaja, Penggantian nilai-nilai PA (Pointer Arahan), PA (Pangkalan Penunjuk) dan daftar lain menyebabkan pengecualian, segmen kesalahan, dan proses yang lain kesilapan yang berlaku. Biasanya ini kesilapan akhir pelaksanaan permohonan dalam cara yang tidak dijangka. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Limpahan Penampan -ascanrules.bufferoverflow.other = Potensi Penampan Limpahan. Skrip ditutup sambungan dan melemparkan 500 Ralat Pelayan Dalaman +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Menulis semula program latar belakang menggunakan pemeriksaan pemulangan panjang yang betul. Ini akan memerlukan penyusunan semula kebolehlakuan latar belakang. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
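Review bot: The ms_MY `@@ -1,9` hunk replaces existing Malay translations of `ascanrules.bufferoverflow.desc`, `.other` and `.soln` with the English source strings, which is a localization regression rather than the punctuation fix the rest of the patch makes. If only the trailing full stop is wanted, apply it to the Malay text. If the Malay was judged unusable (the old `desc` rendered both Instruction Pointer and Base Pointer as `PA`), say so in the commit message, since `ascanrules.bufferoverflow.name = Limpahan Penampan` stays in Malay and the alert will now be shown in two languages.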
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = Kesilapan Log Modules dan Handlers (ELMAH [elmah.axd]) HTTP Modul ditemukan untuk menjadi tersedia. This module can leak a significant amount of valuable maklumat. ascanrules.elmah.name = ELMAH Kebocoran Maklumat -ascanrules.elmah.otherinfo = Berdasarkan tindak balas kod status ELMAH mungkin dilindungi oleh authentication atau authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Mempertimbangkan apakah atau tidak ELMAH adalah benar-benar diperlukan dalam pengeluaran, jika ia tidak kemudian mematikan. Jika ia kemudian memastikan akses untuk itu memerlukan pengesahan dan kebenaran. Lihat juga\:\nhttps\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
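Review bot: In the ms_MY `@@ -33,22` hunk, `ascanrules.elmah.otherinfo` is switched from Malay to English while the neighbouring `ascanrules.elmah.desc`, `.name` and `.soln` keep their Malay text, so a single ELMAH alert will render half-translated. Keep the Malay `otherinfo` and add the full stop to it, or change all four keys together.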
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String kesilapan berlaku apabila diserahkan data input string adalah untuk dinilai sebagai perintah oleh aplikasi. -ascanrules.formatstring.error1 = Potensi Format String Ralat. Skrip ditutup sambungan pada /%s -ascanrules.formatstring.error2 = Potensi Format String Ralat. Skrip ditutup sambungan pada /%s dan /%x -ascanrules.formatstring.error3 = Potensi Format String Ralat. Skrip ditutup sambungan pada microsoft format string ralat +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Ralat ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Tulis program latar belakang menggunakan betul penghapusan buruk watak tali. Ini akan memerlukan susun semula latar belakang laku. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. 
This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
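Review bot: The ms_MY `@@ -62,13` hunk drops the Malay values of `ascanrules.formatstring.desc`, `error1` to `error3` and `soln` in favour of English while `ascanrules.formatstring.name = Format String Ralat` remains Malay. Restrict this hunk to punctuation on the existing Malay strings unless the removal of the translations is deliberate, and if it is, the `name` key should follow for consistency.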
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = Web server harus dikonfigurasi untuk tidak melayani /WEB-INF folder atau isinya ke web browser, karena mengandung informasi sensitif seperti informasi yang dihimpun kode sumber Java dan properties file yang dapat berisi mandat. Jawa kelas dikerahkan dengan aplikasi tersebut harus dikaburkan, sebagai lapisan tambahan pertahanan dalam "pertahanan-di-mendalam" pendekatan. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
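Review bot: in the @@ -62,13 hunk the key "ascanrules.formatstring.name = Format String Ralat" is left as an unchanged context line while the formatstring desc, error1, error2, error3 and soln entries around it are replaced with English, so the alert would render an English description under a half-Malay title; change the name to "Format String Error" in the same hunk. It is also worth saying in the commit message that the removed text in this ar_SA file was Malay rather than Arabic, since that is why these entries are being reset to English instead of corrected.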
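Review bot: in the @@ -86,7 hunk the removed and added "ascanrules.htaccess.desc" lines read identically, so this is a whitespace-only change (trailing or doubled space); the same pattern recurs in the parametertamper, remotecodeexecution and sourcecodedisclosurewebinf hunks of this file. State that in the commit message so the punctuation fixes can be told apart from the whitespace cleanup, and confirm the whitespace edits are intentional rather than an editor side effect.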
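Review bot: in the @@ -123,33 hunk the new full stop on "ascanrules.serversideinclude.soln" lands on the last Apache directive, "AddType text/x-server-parsed-html .html.", which turns a line meant to be copied into httpd configuration into one ending in a stray period; the prose part of that value already ends at "disable the following\:", so leave the three directive lines without terminal punctuation. While touching the line, "Refer to manual to disable Sever Side Include" has "Sever" for "Server". In the same hunk "ascanrules.sourcecodedisclosurewebinf.soln" stays in Indonesian as a context line although every neighbouring key is being normalised to English; either translate it here as well or note why it is skipped.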
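Review bot: the terminal periods in the @@ -164,19 hunk are applied unevenly across multi-line values: "ascanrules.sqlinjection.alert.errorbased.extrainfo" now ends its first line with "results.\n", while "ascanrules.sqlinjection.alert.unionbased.extrainfo" keeps "results\n" and the booleanbased, expressionbased and orderbybased extrainfo values keep "[{1}]\n" / "[{0}]\n" with a period only on the second line. Pick one convention for the first line of these values. Also note that "{2}stripped" and "{1}stripped" glue the placeholder to the word with no space, so the substituted value has to supply its own trailing space; that is unchanged here, but it is easy to break while adjusting punctuation on these lines.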
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_nb_NO.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_nb_NO.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_nb_NO.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_nb_NO.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_nl_NL.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_nl_NL.properties index dae4119fda5..dbd607c01d1 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_nl_NL.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_nl_NL.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow fouten worden gekenmerkt door het overschrijven van geheugen ruimte van het achtergrond web proces. Dit mag nooit worden gewijzigd, opzettelijk of onopzettelijk. Het overschrijven van waarden van de IP (Instrucie Pointer), BP (Base Pointer) en andere registers zorgt voor het optreden van excepties, segmentatie fouten, en andere proces fouten. Meestal zorgen deze fouten ervoor dat de applicatie op een onverwachte manier stoppen. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potentiele Buffer Overflow. Het script sloot de verbinding en gaf een 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Herschrijf het achtergrond programma zodat de return lengte goed wordt gecontroleerd. Dit vergt een hercompilatie van de achtergrond executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = Een Format String fout treedt op wanneer de ingediende data van een invoerreeks wordt ge\u00ebvalueerd door de applicatie als een opdracht. -ascanrules.formatstring.error1 = Potenti\u00eble Format String Fout. Het script sloot de verbinding op een /%s -ascanrules.formatstring.error2 = Potenti\u00eble Format String Fout. Het script sloot de verbinding op een /%s en /%x -ascanrules.formatstring.error3 = Potenti\u00eble Format String fout. Het script sloot de verbinding op een microsoft format string fout +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Fout ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Herschrijf het achtergrond programma m. b. v. de juiste verwijdering van slechte tekens. Hiervoor is een hercompilatie van de achtergrond executables nodig. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Algemene Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Werk de getroffen server software bij, of wijzig de script zodat deze degelijk ge\u00ebncrypteerde data valideren voor deze te decrypteren. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Sommige PHP versies handelen query strings die geen unescaped "\=" teken hebben niet goed af wanneer ze geconfigureerd zijn om CGI te gebruiken. Dit zorgt ervoor dat willekeurige code uitgevoerd kan worden. In dit geval werd een operating system commando uitgevoerd op de web server en de resultaten daarvan werden terug gestuurd naar de web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade naar de nieuwste stabiele versie van PHP, of gebruik de Apache web server en de mod_rewrite module om schadelijke requests weg te filteren m.b.v. de "RewriteCond" en " RewriteRule" richtlijnen. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. 
This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Sommige PHP versies, wanneer geconfigureerd om CGI uit te voeren, handelen de query strings niet correct af waneer deze een unescaped "\=" karakter missen, dit maakt bron code zichtbaar, en faciliteert willekeurige code execution. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade naar de nieuwste stabiele versie van PHP, of gebruik de Apache web server en de mod_rewrite module om schadelijke requests weg te filteren m.b.v. de "RewriteCond" en " RewriteRule" richtlijnen. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java bron code is publiek zichtbaar op de web server in Java klasse bestanden in de WEB-INF folder. De klasse bestanden kunnen gedisassembleerd worden om bron code op te leveren welke zeer sterk lijkt op de originele bron code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = Een JAVA klasse in de /WEB-INF folder toont publiekelijk de aanwezigheid van de properties file. De properties file is niet bedoeld om publiek zichtbaar te zijn, typisch bevat deze file configuratie informatie, toepassing credentials, of cryptografische sleutels. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Proporties File publicatie - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = De web server wordt bij voorkeur geconfigueerd om geen /WEB-INF folder en/of de inhoud daarvan te publiceren. Het kan mogelijk zijn om de /WEB-INF folder te verwijderen. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = De web server zou niet geconfigureerd mogen worden om de /WEB-INF folder of de inhoud ervan beschikbaar te maken voor we browsers, dit omdat deze lokatie typisch gevoelige informatie bevat zoals gecompileerde Java Source Code en properties files welke credentials kunnen bevatten. Java klasses gepubliceerd samen met de toepassing moeten geobfusceerd worden, als een extra laag beveiliging binnen een "beveiliging-in-de-diepte" aanpak. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
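Review bot: the `+ascanrules.sourcecodedisclosurewebinf.desc`, `+ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` and `+ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln` lines in this hunk replace existing Dutch translations with the English source strings, so the change drops localized content instead of just punctuating it, and it leaves the file mixed-language: the untouched `ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Proporties File publicatie - /WEB-INF folder` and the `ascanrules.sourcecodedisclosurewebinf.soln` context line are still Dutch. Keep the three removed values (fixing only their punctuation, and `Proporties` while there) or explain in the PR why these keys are being reset to English. Separately, the period appended to `ascanrules.serversideinclude.soln` ends up after the last Apache directive, `AddType text/x-server-parsed-html .html.`, where it reads as part of the configuration line; leave the directive list unpunctuated, and the `Sever Side Include` typo carried over from the old value can be fixed in the same edit.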
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
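Review bot: in the `@@ -164,19 +164,19 @@` hunk the period is added only after the last sentence of each multi-sentence message, so the sentence before the `\n` is still unterminated in `ascanrules.sqlinjection.alert.booleanbased.extrainfo` (`... conditions [{0}] and [{1}]\nThe parameter value ...`), `expressionbased.extrainfo`, `orderbybased.extrainfo` and `unionbased.extrainfo` (`... matched by the HTML results\nThe vulnerability ...`), while `errorbased.extrainfo` already reads `results.\nThe`. Terminate both sentences in each of those four values for consistency. The trailing context line `ascanrules.sqlinjection.authbypass.desc = ... mechanism to be bypassed` is also missing the period this change adds elsewhere. The unspaced `{2}stripped` / `{1}stripped` placeholders are left as they were, which is correct only if the argument itself supplies the trailing space (for example an empty string or `NOT `); a comment on the key would stop the next punctuation pass from "fixing" it.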
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pcm_NG.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pcm_NG.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pcm_NG.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pcm_NG.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
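Review bot: the `-`/`+` pairs for `ascanrules.bufferoverflow.desc` and `ascanrules.bufferoverflow.soln` in this hunk are textually identical, so the only difference can be trailing whitespace; say so in the commit message (for example "strip trailing whitespace, add terminal periods") so reviewers are not left diffing the two lines by eye, and consider a trailing-whitespace check in CI so the same lines are not reintroduced. The one visible edit, the period on `ascanrules.bufferoverflow.other`, is fine.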
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
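Review bot: `-ascanrules.crlfinjection.desc` and `+ascanrules.crlfinjection.desc` are identical apart from invisible whitespace, and since the line is being rewritten anyway its grammar should be fixed in the same pass: `Cookie can be set via CRLF injection` reads better as `A cookie can be set via CRLF injection`, `using cross-site script` as `using cross-site scripting`, and `cache poisoning vulnerability may also exist` as `a cache poisoning vulnerability may also exist`. The `\n Avoid` to `\nAvoid` fix in `ascanrules.codeinjection.soln` is a real improvement, since the stray space would have indented the last line of the rendered solution. `ascanrules.codeinjection.desc` still reads awkwardly with its new period; `Code injection may be possible: custom code supplied in the request may be evaluated by the scripting engine.` states the same thing more clearly.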
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
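Review bot: two of the lines this hunk rewrites for whitespace only carry subject-verb disagreements that belong in the same edit: `ascanrules.directorybrowsing.soln` says `make sure the listed files does not induce risks` (should be `do not`), and `ascanrules.envfiles.desc` says `One or more .env files seems to have been located` (should be `seem`). The `-`/`+` pair for `ascanrules.elmah.otherinfo` is likewise identical on screen, so that is a trailing-whitespace change as well; the period added to `ascanrules.crosssitescripting.otherinfo.nothtml` is fine.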
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
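Review bot: the periods appended in `ascanrules.formatstring.error1` and `error2` land directly after the format tokens (`... closed the connection on a /%s.` and `... /%s and /%x.`), where they read as part of the token; bracket the tokens the way the SQL messages bracket `[{0}]`, or end the sentence before them. While `ascanrules.formatstring.desc` is being touched, `evaluated as a command by the application` is inaccurate for this bug class: the submitted data is interpreted as a format string (its `%` conversion specifiers are processed by a printf-style function), not executed as a command, so `interpreted as a format string by the application` would be correct. `ascanrules.formatstring.soln` (`proper deletion of bad character strings`) would also be clearer as the actual fix, `pass user input as a format argument, never as the format string itself`.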
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
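Review bot: both rewritten lines in this hunk are whitespace-only changes, so the tense and grammar problems in them should be fixed now rather than in another pass: `ascanrules.parametertamper.desc` says `This indicated lack of exception handling` (`This indicates a lack of exception handling`), and `ascanrules.parametertamper.soln` has `Besides, catch the exception properly. Use a generic 500 error page for internal server error` (`Also catch the exception properly. Use a generic 500 error page for internal server errors`). `potential areas for further exploit` would read better as `potential areas for further exploitation`.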
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
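Review bot: the period added to `ascanrules.serversideinclude.soln` ends up after the last Apache directive, `AddType text/x-server-parsed-html .html.`, so the rendered solution now shows a directive that does not exist; leave the directive lines unpunctuated (they are configuration, not prose) and put the period after `disable the following` if one is wanted. The same key still carries the `Sever Side Include` typo, and `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc`, rewritten here for whitespace only, should also get `Properties files are not intended` (plural). The `-`/`+` pairs for `remotecodeexecution.cve-2012-1823.desc`, `sourcecodedisclosurewebinf.desc` and `propertiesfile.soln` are identical on screen, i.e. trailing whitespace.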
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pl_PL.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pl_PL.properties index bc9f602e5a8..da4e9e391f5 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pl_PL.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pl_PL.properties 
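Review bot: the context line `ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed` is left without a terminal period in a hunk whose whole purpose is adding them, and the neighbouring context line `ascanrules.ssti.desc` ("When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine.") is missing its subject and should read along the lines of "When user input is inserted into the template rather than passed as a rendering argument, it is evaluated by the template engine." Several +/- pairs in these hunks (`ascanrules.bufferoverflow.desc`, `ascanrules.bufferoverflow.soln`, `ascanrules.traceaxd.otherinfo`) show no visible difference, so they are presumably trailing-whitespace trims; a `git diff -w` of the branch is a quick way to confirm those pairs carry no other change, and the PR description should say that whitespace cleanup is included.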
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Przepe\u0142nienie bufora -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Obchodzenie \u015acie\u017cki 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Zdalne w\u0142\u0105czanie plik\u00f3w -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. 
This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] pole\: [{1}], warto\u015b\u0107 [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] pole\: [{1}], warto\u015b\u0107 [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pt_BR.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pt_BR.properties index 35cac05b106..4925441f065 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pt_BR.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pt_BR.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Erros de estouro de Buffer s\u00e3o caracterizados pela sobrescri\u00e7\u00e3o de espa\u00e7os de mem\u00f3ria do processo web de segundo plano, o qual nunca deveria ser modificado com ou sem inten\u00e7\u00e3o. Sobrescrever valores do IP (Instruction Pointer), BP (Base Pointer) e outros registros causam exce\u00e7\u00f5es, falhas de segmenta\u00e7\u00e3o, e a ocorr\u00eancia de outros erros de processos. Normalmente esses erros finalizam a execu\u00e7\u00e3o do aplicativo de forma inesperada. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Estouro de Buffer -ascanrules.bufferoverflow.other = Potencial Estouro de Buffer. O script fechou a conex\u00e3o e lan\u00e7ou um Erro Interno de Servidor 500 +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack\n -ascanrules.bufferoverflow.soln = Reescreva o programa de plano de fundo utilizando o correto controle de retorno de comprimento. Isso ir\u00e1 requerer uma recompila\u00e7\u00e3o do execut\u00e1vel que roda em background. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Metadados de nuvem potencialmente expostos 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = N\u00e3o confie em nenhum dado do usu\u00e1rio nas configura\u00e7\u00f5es NGINX. Neste caso, \u00e9 provavelmente o uso da vari\u00e1vel $ host, que \u00e9 definida no cabe\u00e7alho 'Host' e pode ser controlada por um invasor. -ascanrules.codeinjection.desc = Uma inje\u00e7\u00e3o de c\u00f3digo pode ser poss\u00edvel incluindo um c\u00f3digo personalizado que ser\u00e1 avaliado pelo mecanismo de script +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Inje\u00e7\u00e3o de C\u00f3digo no Lado do Servidor ascanrules.codeinjection.name.asp = Inje\u00e7\u00e3o de C\u00f3digo no Lado do Servidor - Inje\u00e7\u00e3o de C\u00f3digo ASP ascanrules.codeinjection.name.php = Inje\u00e7\u00e3o de C\u00f3digo no Lado do Servidor - Inje\u00e7\u00e3o de C\u00f3digo PHP ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = N\u00e3o confie na entrada do lado do cliente, mesmo se existir uma valida\u00e7\u00e3o no lado cliente.\nEm geral, verifique o tipo de dados no lado do servidor e evite todos os dados recebidos do cliente.\n Evite o uso de fun\u00e7\u00f5es eval() combinadas com dados de entrada de usu\u00e1rios. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. 
ascanrules.commandinjection.desc = T\u00e9cnica de ataque usada para execu\u00e7\u00e3o n\u00e3o autorizada de comandos do sistema operacional. Esse ataque \u00e9 poss\u00edvel quando um aplicativo aceita entrada n\u00e3o confi\u00e1vel para criar comandos do sistema operacional de maneira insegura, envolvendo sanitiza\u00e7\u00e3o inadequada de dados e chamada inadequada de programas externos. ascanrules.commandinjection.name = Inje\u00e7\u00e3o Remota de Comandos de SO -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = O cookie pode ser definido por meio de inje\u00e7\u00e3o CRLF. Tamb\u00e9m pode ser poss\u00edvel definir cabe\u00e7alhos de resposta HTTP arbitr\u00e1rios. Al\u00e9m disso, ao criar cuidadosamente a resposta injetada usando script de site cruzado, tamb\u00e9m pode existir vulnerabilidade de envenenamento de cache. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. 
ascanrules.crlfinjection.name = Inje\u00e7\u00e3o CRLF ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = Um ataque XSS foi refletido em uma res ascanrules.crosssitescripting.json.name = Fraqueza de script entre sites (refletida na resposta JSON) ascanrules.crosssitescripting.name = Cross Site Scripting (Refletido) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Gerado com BAIXA confian\u00e7a, pois o Tipo de conte\u00fado n\u00e3o \u00e9 HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = \u00c9 poss\u00edvel visualizar a lista de diret\u00f3rios. A listagem de diret\u00f3rios pode revelar scripts ocultos, incluir arquivos, arquivos de origem de backup, etc., que podem ser acessados para ler informa\u00e7\u00f5es confidenciais. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Navega\u00e7\u00e3o no Diret\u00f3rio ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Desative a navega\u00e7\u00e3o no diret\u00f3rio. Se isso for necess\u00e1rio, certifique-se de que os arquivos listados n\u00e3o causem riscos. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = O m\u00f3dulo HTTP Error Logging Modules and Handlers (ELMAH [elmah.axd]) foi encontrado como dispon\u00edvel. Esse m\u00f3dulo pode vazar uma quantidade significativa de informa\u00e7\u00f5es valiosas. 
ascanrules.elmah.name = Vazamento de Informa\u00e7\u00e3o ELMAH -ascanrules.elmah.otherinfo = Baseado na resposta o c\u00f3digo de status ELMAH pode ser protegido por um mecanismo de autentica\u00e7\u00e3o ou autoriza\u00e7\u00e3o. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/ \nhttps\://www.nuget.org/packages/elmah \nhttps\://elmah.github.io/ ascanrules.elmah.soln = Considere se o ELMAH \u00e9 necess\u00e1rio ou n\u00e3o na produ\u00e7\u00e3o, se n\u00e3o for ent\u00e3o desative-o. Se for, ent\u00e3o garanta que o acesso a ele necessite de autentica\u00e7\u00e3o e autoriza\u00e7\u00e3o. Veja tamb\u00e9m\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = Nenhum motivo encontrado para isso ascanrules.externalredirect.reason.refresh.header = A resposta cont\u00e9m um redirecionamento em seu cabe\u00e7alho Atualizar que permite que um URL externo seja definido. ascanrules.externalredirect.reason.refresh.meta = A resposta cont\u00e9m um redirecionamento em sua meta tag http-equiv para 'Atualizar', que permite que um URL externo seja definido. -ascanrules.formatstring.desc = Um erro de Formato de String ocorre quando o dado enviado de uma string de entrada \u00e9 avaliado como um comando pelo aplicativo. -ascanrules.formatstring.error1 = Poss\u00edvel Erro de Formato de String. O script fechou a conex\u00e3o em /%s -ascanrules.formatstring.error2 = Poss\u00edvel Erro de Formato de String. O script fechou a conex\u00e3o entre /%s e /%x -ascanrules.formatstring.error3 = Poss\u00edvel Erro de Formato de String. O script fechou a conex\u00e3o devido a um erro de formato de string da Microsoft +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Erro de Formato de String ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack\n -ascanrules.formatstring.soln = Reescreva o programa de plano de fundo utilizando o apagamento apropriado das bad character strings. Isso ir\u00e1 requerer uma recompila\u00e7\u00e3o do execut\u00e1vel do plano de fundo. 
+ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST 
@@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = Os arquivos htaccess podem ser usados para alterar a configura\u00e7\u00e3o do software Apache Web Servidor para habilitar/desabilitar funcionalidades e recursos adicionais que o software Apache Web Servidor tem a oferecer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = Vazamento de informa\u00e7\u00f5es .htaccess ascanrules.htaccess.otherinfo = Com base no c\u00f3digo de status de resposta, o arquivo htaccess pode ser protegido por um mecanismo de autentica\u00e7\u00e3o ou autoriza\u00e7\u00e3o. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Oracle Padding Gen\u00e9rico ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Atualize o software do servidor afetado ou modifique os scripts para que validem corretamente os dados criptografados antes de tentar a descriptografia. -ascanrules.parametertamper.desc = A manipula\u00e7\u00e3o de par\u00e2metros causou a exibi\u00e7\u00e3o de uma p\u00e1gina de erro ou rastreamento de pilha Java. Isso indicou a falta de tratamento de exce\u00e7\u00f5es e \u00e1reas potenciais para explora\u00e7\u00e3o posterior. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Adultera\u00e7\u00e3o de par\u00e2metros -ascanrules.parametertamper.soln = Identifique a causa do erro e corrija. N\u00e3o confie na entrada do lado do cliente e aplique uma verifica\u00e7\u00e3o rigorosa no lado do servidor. Al\u00e9m disso, capture a exce\u00e7\u00e3o corretamente. Use uma p\u00e1gina de erro 500 gen\u00e9rica para erro interno do servidor. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Travessia/Passagem de Caminho 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = Um ataque XSS foi encontrado em uma r ascanrules.persistentxssattack.json.name = Fraqueza de script entre sites (persistente na resposta JSON) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistente) ascanrules.persistentxssattack.otherinfo = URL de Origem\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Gerado com BAIXA confian\u00e7a, pois o Tipo de conte\u00fado n\u00e3o \u00e9 HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistente) - Prim\u00e1rio ascanrules.persistentxssspider.name = Cross Site Scripting (Persistente) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Algumas vers\u00f5es do PHP, quando configuradas para serem executadas usando CGI, n\u00e3o lidam corretamente com strings de consulta que n\u00e3o possuem um caractere "\=" sem escape, permitindo a execu\u00e7\u00e3o arbitr\u00e1ria de c\u00f3digo. Nesse caso, um comando do sistema operacional foi executado no servidor web e os resultados foram retornados ao navegador da web. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Execu\u00e7\u00e3o Remota de C\u00f3digo - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Atualize para a \u00faltima vers\u00e3o est\u00e1vel do PHP ou use o servidor web Apache e o m\u00f3dulo mod_rewrite para filtrar solicita\u00e7\u00f5es maliciosas usando as diretivas "RewriteCond" e "RewriteRule". 
ascanrules.remotefileinclude.name = Inclus\u00e3o de Arquivo Remoto -ascanrules.serversideinclude.desc = Certos par\u00e2metros podem fazer com que os comandos de inclus\u00e3o do lado do servidor sejam executados. Isso pode permitir a execu\u00e7\u00e3o de uma conex\u00e3o de banco de dados ou de um c\u00f3digo arbitr\u00e1rio. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Incluir Lado do Servidor ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Algumas vers\u00f5es do PHP, quando configuradas para serem executadas usando CGI, n\u00e3o manipulam corretamente as strings de consulta que n\u00e3o possuem um caractere "\=" sem escape, permitindo a divulga\u00e7\u00e3o do c\u00f3digo-fonte PHP e a execu\u00e7\u00e3o arbitr\u00e1ria do c\u00f3digo. Neste caso, o conte\u00fado do arquivo PHP foi servido diretamente para o navegador da web. 
Essa sa\u00edda normalmente conter\u00e1 PHP, embora tamb\u00e9m possa conter HTML direto. ascanrules.sourcecodedisclosurecve-2012-1823.name = Divulga\u00e7\u00e3o de C\u00f3digo-Fonte - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Atualize para a \u00faltima vers\u00e3o est\u00e1vel do PHP ou use o servidor web Apache e o m\u00f3dulo mod_rewrite para filtrar solicita\u00e7\u00f5es maliciosas usando as diretivas "RewriteCond" e "RewriteRule". -ascanrules.sourcecodedisclosurewebinf.desc = O c\u00f3digo-fonte Java foi divulgado pelo servidor web em arquivos de classe Java na pasta WEB-INF. Os arquivos de classe podem ser desmontados para produzir c\u00f3digo-fonte que corresponda muito de perto ao c\u00f3digo-fonte original. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = Uma classe Java na pasta /WEB-INF revelou a presen\u00e7a de um arquivo de propriedades. O arquivo de propriedades n\u00e3o se destina a ser acessado publicamente e geralmente cont\u00e9m informa\u00e7\u00f5es de configura\u00e7\u00e3o, credenciais de aplicativo ou chaves criptogr\u00e1ficas. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = A refer\u00eancia ao arquivo de propriedades foi encontrada no c\u00f3digo-fonte Java disassemblado para a classe Java [{0}]. 
ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Divulga\u00e7\u00e3o de Arquivo de Propriedades - Pasta /WEB-INF -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = O servidor web deve ser configurado para n\u00e3o servir a pasta /WEB-INF ou seu conte\u00fado para navegadores web. Tamb\u00e9m pode ser poss\u00edvel remover a pasta /WEB-INF. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. ascanrules.sourcecodedisclosurewebinf.soln = O servidor web deve ser configurado para n\u00e3o servir a pasta /WEB-INF ou seu conte\u00fado para navegadores web, uma vez que cont\u00e9m informa\u00e7\u00f5es confidenciais, como c\u00f3digo-fonte Java compilado e arquivos de propriedades que podem conter credenciais. As classes Java implantadas com o aplicativo devem ser ofuscadas, como uma camada adicional de defesa em uma abordagem de "defesa em profundidade". ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = campo\: [{0}], valor [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Os dados foram retornados para o par\u00e2metro original.\nA vulnerabilidade foi detectada ao restringir com sucesso os dados originalmente retornados, manipulando o par\u00e2metro -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Os dados N\u00c3O foram retornados para o par\u00e2metro original.\nA vulnerabilidade foi detectada ao recuperar com sucesso mais dados do que os originalmente retornados, manipulando o par\u00e2metro +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Valor Original\: [{0}]. Valor Modificado\: [{1}]. 
Valor de Controle\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Mensagem n\u00e3o modificada fornece status HTTP [{0}], comprimento do corpo [{1}], mensagem modificada fornece status HTTP [{2}], comprimento do corpo [{3}]. Um terceiro (valor que n\u00e3o induz a inje\u00e7\u00e3o SQL) fornece status HTTP [{4}], comprimento do corpo [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Mensagem n\u00e3o modificada fornece status HTTP [{0}], Mensagem modificada fornece status HTTP [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = Os resultados da p\u00e1gina original foram replicados com sucesso usando a express\u00e3o [{0}] como o valor do par\u00e2metro\nO valor do par\u00e2metro sendo modificado foi {1} retirado da sa\u00edda HTML para fins de compara\u00e7\u00e3o -ascanrules.sqlinjection.alert.orderbybased.extrainfo = Os resultados da p\u00e1gina original foram replicados com sucesso usando a express\u00e3o "ORDENAR POR" [{0}] como o valor do par\u00e2metro\nO valor do par\u00e2metro sendo modificado foi {1} retirado da sa\u00edda HTML para fins de compara\u00e7\u00e3o -ascanrules.sqlinjection.alert.timebased.extrainfo = O tempo da query \u00e9 control\u00e1vel utilizando o valor do par\u00e2metro [{0}], o qual causou a requisi\u00e7\u00e3o a levar [{1}] milissegundos, enquanto o valor original da query sem modifica\u00e7\u00e3o com o valor [{2}] levou [{3}] milissegundos +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. 
A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. 
ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = Inje\u00e7\u00e3o SQL - Desvio de Autentica\u00e7\u00e3o ascanrules.sqlinjection.desc = SQL injection may be possible. 
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = Inje\u00e7\u00e3o SQL - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Vazamento de Informa\u00e7\u00e3o -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pt_PT.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pt_PT.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pt_PT.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_pt_PT.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
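Review bot: the `-`/`+` pairs for `ascanrules.bufferoverflow.desc` and `ascanrules.bufferoverflow.soln` differ only in trailing whitespace, which is invisible in this view, so the commit message or PR description should say so (or reviewers should check with `git diff -w`). Since `.soln` is being touched anyway, its wording deserves the fix too: "proper return length checking" does not name the control. Suggest "Rewrite the affected program with bounds checking on all input lengths, or use length-safe APIs" so the remediation matches the memory-overwrite description in `.desc`.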
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
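Review bot: `ascanrules.crlfinjection.desc` is changed only to strip trailing whitespace while the sentence itself needs work: "Cookie can be set via CRLF injection" should read "A cookie can be set via CRLF injection", and "using cross-site script" should be "using cross-site scripting". The context line `ascanrules.crlfinjection.soln` says "Do not allow CRLF to be injected by filtering CRLF", which is circular; suggest "Reject or encode carriage-return and line-feed characters in any value written into a response header, and set headers through the framework API rather than by string concatenation." The period added to `ascanrules.codeinjection.desc` and the removal of the stray space after `\n` in `ascanrules.codeinjection.soln` are fine.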
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
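Review bot: two lines in this hunk are whitespace-only changes to text with grammatical errors that should be corrected in the same touch: `ascanrules.directorybrowsing.soln` "make sure the listed files does not induce risks" should be "do not induce risks", and `ascanrules.envfiles.desc` "One or more .env files seems to have been located" should be "seem to have been located". The `otherinfo` strings for ELMAH, .env and the XSS not-HTML case all read "Based on response status code ..." without a comma after "code"; if the convention is being tidied for periods, add the comma at the same time.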
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
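Review bot: the periods appended in `ascanrules.formatstring.error1` and `.error2` land directly after the format specifiers ("/%s." and "/%s and /%x."), so the token a user reads in the alert is now `%s.` or `%x.`; quote the specifiers ("on a '/%s' payload") or end the sentence before them. More importantly, `ascanrules.formatstring.desc` and `.soln` are touched only for trailing whitespace while their content misdescribes this bug class: a format string error is not input "evaluated as a command by the application" but user input passed as the format argument to a printf-family function, and the remedy is not "proper deletion of bad character strings" but a constant format string with the input supplied as an argument (`printf("%s", input)` instead of `printf(input)`). Since these lines are already in the diff, fix the wording here. The `ascanrules.htaccess.desc` whitespace change in the second hunk is fine.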
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
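Review bot: both `ascanrules.parametertamper.desc` and `.soln` are whitespace-only changes, and the wording they carry should be tidied in the same edit: "This indicated lack of exception handling" should be present tense ("This indicates a lack of exception handling"), and "Besides, catch the exception properly. Use a generic 500 error page for internal server error." reads awkwardly; suggest "Handle exceptions explicitly and return a generic error page for HTTP 500 responses so that stack traces are never sent to the client."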
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
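Review bot: the period added to `ascanrules.serversideinclude.soln` is appended to the last Apache directive, so the string now ends "AddType text/x-server-parsed-html .html." and a reader copying the listed directives gets a bogus `.html.` extension. Put the full stop before the directive list ("For Apache, disable the following:") or leave the list unpunctuated. The same string still carries the typo "Sever Side Include". The changes to `remotecodeexecution.cve-2012-1823.desc`, `sourcecodedisclosurewebinf.desc` and the `.propertiesfile.*` keys are trailing-whitespace only; while touching `.propertiesfile.desc`, "Properties file are not intended" should be "Properties files are not intended".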
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
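Review bot: the terminal period is added only to the last sentence of the multi-line `extrainfo` strings, so the first sentence before the `\n` is still unterminated in `ascanrules.sqlinjection.alert.booleanbased.extrainfo` ("...conditions [{0}] and [{1}]\nThe parameter..."), `.expressionbased.extrainfo`, `.orderbybased.extrainfo` and `.unionbased.extrainfo` ("...matched by the HTML results\nThe vulnerability..."). Terminate both sentences or neither, otherwise the rendered alert shows one sentence with a full stop and one without. The surrounding context has the same inconsistency (`ascanrules.sqlinjection.authbypass.desc` ends without a period while `ascanrules.sqlinjection.desc` has one), so a single pass over the whole file would be better than patching only the strings that happen to be in these hunks. The `{2}stripped` and `{1}stripped` placeholders with no space before "stripped" appear intentional (the argument supplies the optional "NOT " with its trailing space) and should not be caught by the whitespace cleanup.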
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ro_RO.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ro_RO.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ro_RO.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ro_RO.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
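Review bot: the `index 45b56f52542..a17d9ce6b80` line for Messages_ro_RO.properties is identical to the one for Messages_pt_PT.properties above, so these two locale files are byte-for-byte the same before and after the patch: the Romanian bundle is an untranslated copy of the default English strings. A locale file that only duplicates the base bundle adds no translation (a missing key already falls back to the parent bundle) and forces every wording fix to be replicated per locale, which is exactly what this patch is doing hunk by hunk. Consider removing the untranslated copies, or regenerating them from the default bundle, rather than hand-patching each one.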
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
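Review bot: the punctuation and whitespace fixes in this hunk (the period added to `ascanrules.codeinjection.desc`, the `\n Avoid` to `\nAvoid` change in `ascanrules.codeinjection.soln`) are made in a locale file (Messages_ar_SA.properties) whose English values are fallback copies of the base strings; if these locale files are regenerated from a translation platform, the same edits need to land in the base Messages.properties or they will be overwritten on the next sync. While this hunk is open, `ascanrules.crlfinjection.desc` still reads "Cookie can be set via CRLF injection ... using cross-site script" in both the - and + lines; "A cookie can be set ... using cross-site scripting" would match the register of the other desc strings.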
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
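Review bot: `ascanrules.directorybrowsing.soln` only has its trailing whitespace trimmed, but the grammatical error in the same value is left in place: "make sure the listed files does not induce risks" should read "make sure the listed files do not induce risks". Since the line is being rewritten anyway, fix it here rather than in a follow-up.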
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
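Review bot: `ascanrules.parametertamper.desc` keeps "This indicated lack of exception handling" in the + line; the past tense is inconsistent with the surrounding present-tense descriptions and should be "This indicates a lack of exception handling". In `ascanrules.parametertamper.soln`, "Besides, catch the exception properly" reads awkwardly next to the other soln strings; "Also catch exceptions properly" would be clearer.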
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
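Review bot: the period appended to `ascanrules.serversideinclude.soln` is attached to a configuration directive, not to prose: the value now ends `AddType text/x-server-parsed-html .html.`, so anyone copying the listed Apache directives from the alert gets `.html.` as the extension. Either leave this key without a trailing period or end the sentence before the `For Apache, disable the following\:` block. The same value also still carries the typo `Sever Side Include` in both the - and + lines, which is worth fixing in the same change.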
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ru_RU.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ru_RU.properties index 8e4253355bd..b98771d7a68 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ru_RU.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ru_RU.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = \u041e\u0448\u0438\u0431\u043a\u0438 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0431\u0443\u0444\u0435\u0440\u0430 \u0445\u0430\u0440\u0430\u043a\u0442\u0435\u0440\u0438\u0437\u0443\u044e\u0442\u0441\u044f \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u044c\u044e \u043f\u0430\u043c\u044f\u0442\u0438 \u0444\u043e\u043d\u043e\u0432\u043e\u0433\u043e \u0432\u0435\u0431-\u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043d\u0438\u043a\u043e\u0433\u0434\u0430 \u0434\u043e\u043b\u0436\u0435\u043d \u0431\u044b\u0442\u044c \u0438\u0437\u043c\u0435\u043d\u0435\u043d, \u043d\u0430\u043c\u0435\u0440\u0435\u043d\u043d\u043e \u0438\u043b\u0438 \u043d\u0435\u043f\u0440\u0435\u0434\u043d\u0430\u043c\u0435\u0440\u0435\u043d\u043d\u043e. \u041f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0439 IP (\u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044c \u0438\u043d\u0441\u0442\u0440\u0443\u043a\u0446\u0438\u0439), BP (\u0443\u043a\u0430\u0437\u0430\u0442\u0435\u043b\u044c \u0431\u0430\u0437\u044b) \u0438 \u0434\u0440\u0443\u0433\u0438\u0445 \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u043e\u0432 \u0432\u044b\u0437\u044b\u0432\u0430\u0435\u0442 \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f, \u043e\u0448\u0438\u0431\u043a\u0438 \u0441\u0435\u0433\u043c\u0435\u043d\u0442\u0430\u0446\u0438\u0438 \u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430. 
\u041e\u0431\u044b\u0447\u043d\u043e \u044d\u0442\u0438 \u043e\u0448\u0438\u0431\u043a\u0438 \u0437\u0430\u0432\u0435\u0440\u0448\u0430\u044e\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043d\u0435\u043e\u0436\u0438\u0434\u0430\u043d\u043d\u044b\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = \u041f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430 -ascanrules.bufferoverflow.other = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430 (Buffer Overflow). \u0421\u043a\u0440\u0438\u043f\u0442 \u0437\u0430\u043a\u0440\u044b\u043b \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u0438 \u0432\u044b\u0434\u0430\u043b 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. 
ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = \u041f\u0435\u0440\u0435\u043f\u0438\u0448\u0438\u0442\u0435 \u0444\u043e\u043d\u043e\u0432\u0443\u044e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0443, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0443\u044e \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0443 \u0434\u043b\u0438\u043d\u044b \u0432\u043e\u0437\u0432\u0440\u0430\u0442\u0430. \n\u042d\u0442\u043e \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442 \u043f\u0435\u0440\u0435\u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0446\u0438\u0438 \u0444\u043e\u043d\u043e\u0432\u043e\u0433\u043e \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = \u041f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u0435 \u043e\u0431\u043b\u0430\u0447\u043d\u044b\u0435 \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0435 
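Review bot: the + lines for `ascanrules.bufferoverflow.desc`, `ascanrules.bufferoverflow.other` and `ascanrules.bufferoverflow.soln` replace existing Russian translations with the English source text, which removes localisation for ru_RU users rather than cleaning it up. If the intent is to drop stale translations so they are re-translated, state that in the PR description; otherwise keep the Russian values and apply only the whitespace and punctuation changes (for example the stray space before `\n` in the - line of `.soln`, `\u0432\u043e\u0437\u0432\u0440\u0430\u0442\u0430. \n`).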
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = \u041d\u0435 \u0434\u043e\u0432\u0435\u0440\u044f\u0439\u0442\u0435 \u043d\u0438\u043a\u0430\u043a\u0438\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u043c \u0434\u0430\u043d\u043d\u044b\u043c \u0432 \u043a\u043e\u043d\u0444\u0438\u0433\u0430\u0445 NGINX.\n\u0412 \u044d\u0442\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435, \u0432\u0435\u0440\u043e\u044f\u0442\u043d\u043e, \u044d\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439 $ host, \n\u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u0438\u0437 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 Host \u0438 \u043c\u043e\u0436\u0435\u0442 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c. -ascanrules.codeinjection.desc = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u0430 \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044f \u043a\u043e\u0434\u0430, \u0432\u043a\u043b\u044e\u0447\u0430\u044f \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0435\u043c\u044b\u0439 \u043a\u043e\u0434, \n\u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0431\u0443\u0434\u0435\u0442 \u043e\u0446\u0435\u043d\u0438\u0432\u0430\u0442\u044c\u0441\u044f \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u043c \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0435\u0432. +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. 
ascanrules.codeinjection.name = \u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u041a\u043e\u0434\u0430 \u043d\u0430 \u0421\u0442\u043e\u0440\u043e\u043d\u0435 \u0421\u0435\u0440\u0432\u0435\u0440\u0430 ascanrules.codeinjection.name.asp = \u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 - \u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430 ASP ascanrules.codeinjection.name.php = \u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 - \u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430 PHP ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = \u041d\u0435 \u0434\u043e\u0432\u0435\u0440\u044f\u0439\u0442\u0435 \u0432\u0432\u043e\u0434\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u043a\u043b\u0438\u0435\u043d\u0442\u0430, \u0434\u0430\u0436\u0435 \u0435\u0441\u043b\u0438 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u0435\u0441\u0442\u044c \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430.\n\u041a\u0430\u043a \u043f\u0440\u0430\u0432\u0438\u043b\u043e, \u0432\u0432\u0435\u0434\u0438\u0442\u0435 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0443 \u0432\u0441\u0435\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \n\u0438 \u0438\u0437\u0431\u0435\u0433\u0430\u0439\u0442\u0435 \u0432\u0441\u0435\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0445 \u043e\u0442 
\u043a\u043b\u0438\u0435\u043d\u0442\u0430.\n\u0418\u0437\u0431\u0435\u0433\u0430\u0439\u0442\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u0444\u0443\u043d\u043a\u0446\u0438\u0439 eval () \u0432 \u0441\u043e\u0447\u0435\u0442\u0430\u043d\u0438\u0438 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c\u0438, \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u043c\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = \u0422\u0435\u0445\u043d\u0438\u043a\u0430 \u0430\u0442\u0430\u043a\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0430\u044f \u0434\u043b\u044f \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043a\u043e\u043c\u0430\u043d\u0434 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b. 
\n\u042d\u0442\u0430 \u0430\u0442\u0430\u043a\u0430 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u0430, \u043a\u043e\u0433\u0434\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u043f\u0440\u0438\u043d\u0438\u043c\u0430\u0435\u0442 \u043d\u0435\u043d\u0430\u0434\u0435\u0436\u043d\u044b\u0439 \u0432\u0432\u043e\u0434 \u0434\u043b\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u043a\u043e\u043c\u0430\u043d\u0434 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0432\u043a\u043b\u044e\u0447\u0430\u044f \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0443\u044e \u043e\u0447\u0438\u0441\u0442\u043a\u0443 \u0434\u0430\u043d\u043d\u044b\u0445 \u0438 / \u0438\u043b\u0438 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u044b\u0439 \u0432\u044b\u0437\u043e\u0432 \u0432\u043d\u0435\u0448\u043d\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c. 
ascanrules.commandinjection.name = \u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u0445 \u043a\u043e\u043c\u0430\u043d\u0434 \u041e\u0421 -ascanrules.commandinjection.otherinfo.feedback-based = \u041f\u0440\u0430\u0432\u0438\u043b\u0443 \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0443\u0434\u0430\u043b\u043e\u0441\u044c \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0444\u0430\u0439\u043b\u0430 \u0438\u043b\u0438 \u043a\u043e\u043c\u0430\u043d\u0434\u044b, \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u0432 [{0}] \u0432 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0443\u044e \u0441\u0438\u0441\u0442\u0435\u043c\u0443, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u0437\u0430\u043f\u0443\u0449\u0435\u043d\u043e \u044d\u0442\u043e \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435. -ascanrules.commandinjection.otherinfo.time-based = \u041f\u0440\u0430\u0432\u0438\u043b\u043e \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u043c\u043e\u0433\u043b\u043e \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0432\u0440\u0435\u043c\u044f \u043e\u0442\u0432\u0435\u0442\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f, \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u044f [{0}] \u0432 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0443\u044e \u0441\u0438\u0441\u0442\u0435\u043c\u0443, \u0432 \u043a\u043e\u0442\u043e\u0440\u043e\u0439 \u0437\u0430\u043f\u0443\u0449\u0435\u043d\u043e \u044d\u0442\u043e \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435. +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. 
+ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie \u043c\u043e\u0436\u043d\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0447\u0435\u0440\u0435\u0437 CRLF-\u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044e. \n\u0422\u0430\u043a\u0436\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438 \u043e\u0442\u0432\u0435\u0442\u0430 HTTP. \n\u041a\u0440\u043e\u043c\u0435 \u0442\u043e\u0433\u043e, \u043f\u0440\u0438 \u0442\u0449\u0430\u0442\u0435\u043b\u044c\u043d\u043e\u0439 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u0432\u043d\u0435\u0434\u0440\u0435\u043d\u043d\u043e\u0433\u043e \u043e\u0442\u0432\u0435\u0442\u0430 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0430 \n\u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0436\u0435\u0442 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u043e\u0432\u0430\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0442\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u043a\u0435\u0448\u0430. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. 
ascanrules.crlfinjection.name = CRLF \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044f ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = \u0410\u0442\u0430\u043a\u0430 XSS \u0 ascanrules.crosssitescripting.json.name = \u0421\u043b\u0430\u0431\u043e\u0441\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433\u0430 (\u043e\u0442\u0440\u0430\u0436\u0435\u043d\u0430 \u0432 \u043e\u0442\u0432\u0435\u0442\u0435 JSON) ascanrules.crosssitescripting.name = \u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0439 \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433 (\u043e\u0442\u0440\u0430\u0436\u0435\u043d\u0438\u0435) ascanrules.crosssitescripting.otherinfo.accesskey = \u0410\u0442\u0440\u0438\u0431\u0443\u0442 accesskey \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u044f\u0435\u0442 \u0433\u043e\u0440\u044f\u0447\u0443\u044e \u043a\u043b\u0430\u0432\u0438\u0448\u0443 \u0434\u043b\u044f \u0430\u043a\u0442\u0438\u0432\u0430\u0446\u0438\u0438/\u0444\u043e\u043a\u0443\u0441\u0438\u0440\u043e\u0432\u043a\u0438 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u0430. \u042d\u0442\u043e\u0442 \u0430\u0442\u0440\u0438\u0431\u0443\u0442 \u043c\u043e\u0436\u0435\u0442 \u0430\u043a\u0442\u0438\u0432\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0434\u043b\u044f \u043d\u0435\u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0445 \u0438\u043b\u0438 \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0435\u043c\u044b\u0445 \u0442\u0435\u0433\u043e\u0432. 
-ascanrules.crosssitescripting.otherinfo.nothtml = \u041f\u043e\u0434\u043d\u044f\u0442 \u0441 \u041d\u0418\u0417\u041a\u041e\u0419 \u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u043e\u0441\u0442\u044c\u044e, \u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 Content-Type \u043d\u0435 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = \u0412\u044b\u043f\u0443\u0441\u043a \u0441\u0442\u0430\u0442\u0443\u0441 \u0430\u043a\u0442\u0438\u0432\u043d\u044b\u0445 \u043f\u0440\u0430\u0432\u0438\u043b \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f -ascanrules.directorybrowsing.desc = \u041c\u043e\u0436\u043d\u043e \u043f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u043e\u0432. \n\u0421\u043f\u0438\u0441\u043e\u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u043e\u0432 \u043c\u043e\u0436\u0435\u0442 \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0430\u0442\u044c \u0441\u043a\u0440\u044b\u0442\u044b\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0438, \u0432\u043a\u043b\u044e\u0447\u0430\u0442\u044c \u0444\u0430\u0439\u043b\u044b, \n\u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b \u0440\u0435\u0437\u0435\u0440\u0432\u043d\u044b\u0445 \u043a\u043e\u043f\u0438\u0439 \u0438 \u0442. \u0434., \n\u043a \u043a\u043e\u0442\u043e\u0440\u044b\u043c \u043c\u043e\u0436\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043b\u044f \u0447\u0442\u0435\u043d\u0438\u044f \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. 
Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = \u041f\u0440\u043e\u0441\u043c\u043e\u0442\u0440 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u043e\u0432 ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = \u041e\u0442\u043a\u043b\u044e\u0447\u0438\u0442\u044c \u043f\u0440\u043e\u0441\u043c\u043e\u0442\u0440 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u043e\u0432. \n\u0415\u0441\u043b\u0438 \u044d\u0442\u043e \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e, \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u043f\u0435\u0440\u0435\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b \u043d\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u044f\u044e\u0442 \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = \u041c\u043e\u0434\u0443\u043b\u0438 \u0420\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438 \u041e\u0448\u0438\u0431\u043e\u043a \u0438 \u041e\u0431\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u0438 (ELMAH [elmah.axd]) HTTP-\u041c\u043e\u0434\u0443\u043b\u044c \u043e\u043a\u0430\u0437\u0430\u043b\u0441\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u043c. \u042d\u0442\u043e\u0442 \u043c\u043e\u0434\u0443\u043b\u044c \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0443\u0442\u0435\u0447\u043a\u0435 \u0437\u043d\u0430\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u0430 \u0446\u0435\u043d\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438. 
ascanrules.elmah.name = \u0423\u0442\u0435\u0447\u043a\u0430 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 ELMAH -ascanrules.elmah.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u043a\u043e\u0434\u0430 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u043e\u0442\u0432\u0435\u0442\u0430 ELMAH \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0435\u043d \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0438\u043b\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = \u041f\u043e\u0434\u0443\u043c\u0430\u0439\u0442\u0435, \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u043b\u0438 ELMAH \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0432 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0441\u0442\u0432\u0435, \u0435\u0441\u043b\u0438 \u043d\u0435\u0442, \u043e\u0442\u043a\u043b\u044e\u0447\u0438\u0442\u0435 \u0435\u0433\u043e. \u0415\u0441\u043b\u0438 \u044d\u0442\u043e \u0442\u0430\u043a, \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0434\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u043d\u0435\u043c\u0443 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f. \u0421\u043c. 
\u0422\u0430\u043a\u0436\u0435\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = \u041f\u043e\u0445\u043e\u0436\u0435, \u0447\u0442\u043e \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u043d\u0430\u0445\u043e\u0434\u0438\u0442\u0441\u044f \u043e\u0434\u0438\u043d \u0438\u043b\u0438 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0444\u0430\u0439\u043b\u043e\u0432 .env. \n\u042d\u0442\u0438 \u0444\u0430\u0439\u043b\u044b \u0447\u0430\u0441\u0442\u043e \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u044e\u0442 \u0438\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0443 \u0438\u043b\u0438 \u0443\u0447\u0435\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0430\u0434\u043c\u0438\u043d\u0438\u0441\u0442\u0440\u0430\u0442\u043e\u0440\u0430, \u043a\u043b\u044e\u0447\u0438 API \n\u0438\u043b\u0438 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0438\u043b\u0438 \u0434\u0440\u0443\u0433\u0443\u044e \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. 
ascanrules.envfiles.name = .env \u0423\u0442\u0435\u0447\u043a\u0430 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 ascanrules.envfiles.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u043a\u043e\u0434\u0430 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u043e\u0442\u0432\u0435\u0442\u0430 \u0444\u0430\u0439\u043b .env \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0435\u043d \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0438\u043b\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = \u041f\u0440\u0438\u0447\u0438\u04 ascanrules.externalredirect.reason.refresh.header = \u041e\u0442\u0432\u0435\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0435 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f, \n\u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0432\u043d\u0435\u0448\u043d\u0438\u0439 URL-\u0430\u0434\u0440\u0435\u0441. ascanrules.externalredirect.reason.refresh.meta = \u041e\u0442\u0432\u0435\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u0441\u0432\u043e\u0435\u043c \u043c\u0435\u0442\u0430\u0442\u0435\u0433\u0435 http-Equiv \u0434\u043b\u044f 'Refresh', \n\u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0432\u043d\u0435\u0448\u043d\u0438\u0439 URL-\u0430\u0434\u0440\u0435\u0441. -ascanrules.formatstring.desc = \u041e\u0448\u0438\u0431\u043a\u0430 \u0421\u0442\u0440\u043e\u043a\u0438 \u0424\u043e\u0440\u043c\u0430\u0442\u0430 \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u0435\u0442, \u043a\u043e\u0433\u0434\u0430 \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0432\u0445\u043e\u0434\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 \u043e\u0446\u0435\u043d\u0438\u0432\u0430\u044e\u0442\u0441\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435\u043c \u043a\u0430\u043a \u043a\u043e\u043c\u0430\u043d\u0434\u0430. 
-ascanrules.formatstring.error1 = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u0430\u044f \u043e\u0448\u0438\u0431\u043a\u0430 \u0421\u0442\u0440\u043e\u043a\u0438 \u0424\u043e\u0440\u043c\u0430\u0442\u0430. \u0421\u043a\u0440\u0438\u043f\u0442 \u0437\u0430\u043a\u0440\u044b\u043b \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u043d\u0430 a /% s -ascanrules.formatstring.error2 = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u0430\u044f \u043e\u0448\u0438\u0431\u043a\u0430 \u0421\u0442\u0440\u043e\u043a\u0438 \u0424\u043e\u0440\u043c\u0430\u0442\u0430. \u0421\u043a\u0440\u0438\u043f\u0442 \u0437\u0430\u043a\u0440\u044b\u043b \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u043d\u0430 /% s \u0438 /% x -ascanrules.formatstring.error3 = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u0430\u044f \u043e\u0448\u0438\u0431\u043a\u0430 \u0421\u0442\u0440\u043e\u043a\u0438 \u0424\u043e\u0440\u043c\u0430\u0442\u0430. \u0421\u043a\u0440\u0438\u043f\u0442 \u0437\u0430\u043a\u0440\u044b\u043b \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u0438\u0437-\u0437\u0430 \u043e\u0448\u0438\u0431\u043a\u0438 \u0441\u0442\u0440\u043e\u043a\u0438 \u0444\u043e\u0440\u043c\u0430\u0442\u0430 microsoft +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. 
ascanrules.formatstring.name = \u041e\u0448\u0438\u0431\u043a\u0430 \u0421\u0442\u0440\u043e\u043a\u0438 \u0424\u043e\u0440\u043c\u0430\u0442\u0430 ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = \u041f\u0435\u0440\u0435\u043f\u0438\u0448\u0438\u0442\u0435 \u0444\u043e\u043d\u043e\u0432\u0443\u044e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0443, \u0443\u0434\u0430\u043b\u0438\u0432 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u0435 \u0441\u0442\u0440\u043e\u043a\u0438 \u0441\u0438\u043c\u0432\u043e\u043b\u043e\u0432. \n\u042d\u0442\u043e \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442 \u043f\u0435\u0440\u0435\u043a\u043e\u043c\u043f\u0438\u043b\u044f\u0446\u0438\u0438 \u0444\u043e\u043d\u043e\u0432\u043e\u0433\u043e \u0438\u0441\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = \u0417\u0430\u043f\u0440\u043e\u0441, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0438\u0437\u043d\u0430\u0447\u0430\u043b\u044c\u043d\u043e \u0440\u0430\u0441\u0441\u043c\u0430\u0442\u0440\u0438\u0432\u0430\u043b\u0441\u044f \u043a\u0430\u043a POST, \u0442\u0430\u043a\u0436\u0435 \u0431\u044b\u043b \u043f\u0440\u0438\u043d\u044f\u0442 \u043a\u0430\u043a GET. 
\u042d\u0442\u0430 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0441\u0430\u043c\u0430 \u043f\u043e \u0441\u0435\u0431\u0435 \u043d\u0435 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0441\u043b\u0430\u0431\u044b\u043c \u043c\u0435\u0441\u0442\u043e\u043c \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0435 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u043e\u0434\u043d\u0430\u043a\u043e \u043e\u043d\u0430 \u043c\u043e\u0436\u0435\u0442 \u043e\u0431\u043b\u0435\u0433\u0447\u0438\u0442\u044c \u0434\u0440\u0443\u0433\u0438\u0435 \u0430\u0442\u0430\u043a\u0438. \u041d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0435\u0441\u043b\u0438 \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 POST-\u0437\u0430\u043f\u0440\u043e\u0441 \u043f\u043e\u0434\u0432\u0435\u0440\u0433\u0430\u0435\u0442\u0441\u044f \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u043c\u0443 \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433\u0443 (XSS), \u0442\u043e \u044d\u0442\u043e\u0442 \u0432\u044b\u0432\u043e\u0434 \u043c\u043e\u0436\u0435\u0442 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0442\u044c \u043d\u0430 \u0442\u043e, \u0447\u0442\u043e \u0442\u0430\u043a\u0436\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u0435\u043d \u0443\u043f\u0440\u043e\u0449\u0435\u043d\u043d\u044b\u0439 (\u043e\u0441\u043d\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u043d\u0430 GET) XSS. ascanrules.getforpost.name = GET \u0434\u043b\u044f POST 
@@ -86,7 +86,7 @@ ascanrules.hidden.files.name = \u041f\u043e\u0438\u0441\u043a \u0441\u043a\u0440 ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = \u041f\u043e\u0434\u0443\u043c\u0430\u0439\u0442\u0435, \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u043b\u0438 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0432 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0441\u0442\u0432\u0435, \u0435\u0441\u043b\u0438 \u043d\u0435\u0442, \u043e\u0442\u043a\u043b\u044e\u0447\u0438\u0442\u0435 \u0435\u0433\u043e. \n\u0415\u0441\u043b\u0438 \u044d\u0442\u043e \u0442\u0430\u043a, \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0434\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u043d\u0435\u043c\u0443 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f, \u0438\u043b\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u044c\u0442\u0435 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0438\u043c \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u043c \u0438\u043b\u0438 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u043c IP-\u0430\u0434\u0440\u0435\u0441\u0430\u043c \u0438 \u0442. \u0434. 
-ascanrules.htaccess.desc = \u0424\u0430\u0439\u043b\u044b .htaccess \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0434\u043b\u044f \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Apache, \u0447\u0442\u043e\u0431\u044b \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u044c / \u043e\u0442\u043a\u043b\u044e\u0447\u0438\u0442\u044c \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u0438 \u0438 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0435\u0434\u043b\u043e\u0436\u0438\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u0435 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Apache. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. 
ascanrules.htaccess.name = \u0423\u0442\u0435\u0447\u043a\u0430 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 .htaccess ascanrules.htaccess.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u043a\u043e\u0434\u0430 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u043e\u0442\u0432\u0435\u0442\u0430 \u0444\u0430\u0439\u043b htaccess \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0435\u043d \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0438\u043b\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = \u0421\u0442\u0430\u043d\u0434\u0430\u0440\u0442 ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = \u041e\u0431\u043d\u043e\u0432\u0438\u0442\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0438\u043b\u0438 \u0438\u0437\u043c\u0435\u043d\u0438\u0442\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0438 (scripts), \n\u0447\u0442\u043e\u0431\u044b \u043e\u043d\u0438 \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u043b\u0438 \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u043f\u0435\u0440\u0435\u0434 \u043f\u043e\u043f\u044b\u0442\u043a\u043e\u0439 \u0434\u0435\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044f. -ascanrules.parametertamper.desc = \u041c\u0430\u043d\u0438\u043f\u0443\u043b\u044f\u0446\u0438\u0438 \u0441 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u043c\u0438 \u043f\u0440\u0438\u0432\u0435\u043b\u0438 \u043a \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u044e \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u043e\u0448\u0438\u0431\u043a\u0438 \u0438\u043b\u0438 \u0442\u0440\u0430\u0441\u0441\u0438\u0440\u043e\u0432\u043a\u0438 \u0441\u0442\u0435\u043a\u0430 Java. 
\u042d\u0442\u043e \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u043b\u043e \u043d\u0430 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u0435 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0439 \n\u0438 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0435 \u043e\u0431\u043b\u0430\u0441\u0442\u0438 \u0434\u043b\u044f \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u0433\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = \u0418\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u0435 \u041f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 -ascanrules.parametertamper.soln = \u041e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u0435 \u043f\u0440\u0438\u0447\u0438\u043d\u0443 \u043e\u0448\u0438\u0431\u043a\u0438 \u0438 \u0443\u0441\u0442\u0440\u0430\u043d\u0438\u0442\u0435 \u0435\u0435. \u041d\u0435 \u0434\u043e\u0432\u0435\u0440\u044f\u0439\u0442\u0435 \u0432\u0432\u043e\u0434\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u0438 \u0441\u0442\u0440\u043e\u0433\u043e \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0439\u0442\u0435 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. \u041a\u0440\u043e\u043c\u0435 \u0442\u043e\u0433\u043e, \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043b\u043e\u0432\u0438\u0442\u0435 \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435. 
\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u0443\u044e \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443 \u043e\u0448\u0438\u0431\u043a\u0438 500 \u0434\u043b\u044f \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0435\u0439 \u043e\u0448\u0438\u0431\u043a\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = \u041e\u0431\u0445\u043e\u0434 \u041f\u0443\u0442\u0438 
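Review bot: the Russian translations of ascanrules.parametertamper.desc and ascanrules.parametertamper.soln are replaced here by the English source text rather than by an updated translation, so Russian users will see English for these two strings while the neighbouring keys in the same hunk (paddingoracle.soln, parametertamper.name, pathtraversal.name) stay translated. The removed Russian text covers the same content as the new English lines (the only visible difference is that the sentences are now joined on one line), so the previous translation could be kept with that change applied instead of being dropped. The new English text also carries "This indicated lack of exception handling" and "enforce a tight check in the server side"; if those are tidied up, do it in the source bundle so the fix reaches every locale.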
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = \u0412 \u043e\u0442\u0432\u0435\u0442 ascanrules.persistentxssattack.json.name = \u0421\u043b\u0430\u0431\u043e\u0441\u0442\u044c \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433\u0430 (\u0441\u043e\u0445\u0440\u0430\u043d\u044f\u0435\u0442\u0441\u044f \u0432 \u043e\u0442\u0432\u0435\u0442\u0435 JSON) ascanrules.persistentxssattack.name = \u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0439 \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433 (\u043f\u043e\u0441\u0442\u043e\u044f\u043d\u043d\u044b\u0439) ascanrules.persistentxssattack.otherinfo = \u0418\u0441\u0445\u043e\u0434\u043d\u044b\u0439 URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = \u041f\u043e\u0434\u043d\u044f\u0442 \u0441 \u041d\u0418\u0417\u041a\u041e\u0419 \u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u043e\u0441\u0442\u044c\u044e, \u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 Content-Type \u043d\u0435 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. 
ascanrules.persistentxssprime.name = \u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0439 \u0441\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433 (\u043f\u043e\u0441\u0442\u043e\u044f\u043d\u043d\u044b\u0439) - \u041e\u0441\u043d\u043e\u0432\u043d\u043e\u0439 ascanrules.persistentxssspider.name = \u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0439 \u0421\u043a\u0440\u0438\u043f\u0442\u0438\u043d\u0433 (\u041f\u043e\u0441\u0442\u043e\u044f\u043d\u043d\u044b\u0439) - \u041f\u0430\u0443\u043a -ascanrules.remotecodeexecution.cve-2012-1823.desc = \u041d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 PHP, \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u043d\u044b\u0435 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c CGI, \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u044e\u0442 \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430, \u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u043d\u0435\u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0438\u043c\u0432\u043e\u043b \u00ab\=\u00bb, \u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434. 
\u0412 \u044d\u0442\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u0430 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0431\u044b\u043b\u0430 \u0432\u044b\u0437\u0432\u0430\u043d\u0430 \u0434\u043b\u044f \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043d\u0430 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0435, \u0430 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u044b \u0431\u044b\u043b\u0438 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0435\u043d\u044b \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. 
ascanrules.remotecodeexecution.cve-2012-1823.name = \u0423\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430 - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = \u0412\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u0435 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0434\u043e \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0439 \u0441\u0442\u0430\u0431\u0438\u043b\u044c\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438 PHP \u0438\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 Apache \u0438 \u043c\u043e\u0434\u0443\u043b\u044c mod_rewrite \u0434\u043b\u044f \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432 RewriteCond \u0438 RewriteRule. ascanrules.remotefileinclude.name = \u0423\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0412\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 \u0424\u0430\u0439\u043b\u043e\u0432 -ascanrules.serversideinclude.desc = \u041e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b \u043c\u043e\u0433\u0443\u0442 \u0432\u044b\u0437\u044b\u0432\u0430\u0442\u044c \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u043c\u0430\u043d\u0434 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. 
\n\u042d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u0441 \u0431\u0430\u0437\u043e\u0439 \u0434\u0430\u043d\u043d\u044b\u0445 \u0438\u043b\u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = \u0421\u0435\u0440\u0432\u0435\u0440\u043d\u0430\u044f \u0421\u0442\u043e\u0440\u043e\u043d\u0430 \u0412\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. 
ascanrules.sourcecodedisclosurecve-2012-1823.desc = \u041d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 PHP, \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u043d\u044b\u0435 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c CGI, \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u044e\u0442 \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430, \u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u043d\u0435\u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0438\u043c\u0432\u043e\u043b \u00ab\=\u00bb, \u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0440\u0430\u0441\u043a\u0440\u044b\u0432\u0430\u0442\u044c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 PHP \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434. \u0412 \u044d\u0442\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0444\u0430\u0439\u043b\u0430 PHP \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u043b\u043e\u0441\u044c \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440. 
\u042d\u0442\u043e\u0442 \u0432\u044b\u0432\u043e\u0434 \u043e\u0431\u044b\u0447\u043d\u043e \u0431\u0443\u0434\u0435\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c PHP, \u0445\u043e\u0442\u044f \u043e\u043d \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0436\u0435\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c \u043f\u0440\u043e\u0441\u0442\u043e\u0439 HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = \u0412\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u0435 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0434\u043e \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0439 \u0441\u0442\u0430\u0431\u0438\u043b\u044c\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438 PHP \u0438\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 Apache \u0438 \u043c\u043e\u0434\u0443\u043b\u044c mod_rewrite \u0434\u043b\u044f \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432 RewriteCond \u0438 RewriteRule. -ascanrules.sourcecodedisclosurewebinf.desc = \u0418\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 Java \u0431\u044b\u043b \u0440\u0430\u0441\u043a\u0440\u044b\u0442 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \u0432 \u0444\u0430\u0439\u043b\u0430\u0445 \u043a\u043b\u0430\u0441\u0441\u043e\u0432 Java \u0432 \u043f\u0430\u043f\u043a\u0435 WEB-INF. 
\u0424\u0430\u0439\u043b\u044b \u043a\u043b\u0430\u0441\u0441\u043e\u0432 \u043c\u043e\u0436\u043d\u043e \u0440\u0430\u0437\u043e\u0431\u0440\u0430\u0442\u044c \u0434\u043b\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043e\u0447\u0435\u043d\u044c \u0431\u043b\u0438\u0437\u043a\u043e \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u043c\u0443 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u043c\u0443 \u043a\u043e\u0434\u0443. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = \u041a\u043b\u0430\u0441\u0441 Java \u0432 \u043f\u0430\u043f\u043a\u0435 / WEB-INF \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b \u043d\u0430\u043b\u0438\u0447\u0438\u0435 \u0444\u0430\u0439\u043b\u0430 \u0441\u0432\u043e\u0439\u0441\u0442\u0432. 
\u0424\u0430\u0439\u043b \u0441\u0432\u043e\u0439\u0441\u0442\u0432 \u043d\u0435 \u043f\u0440\u0435\u0434\u043d\u0430\u0437\u043d\u0430\u0447\u0435\u043d \u0434\u043b\u044f \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438 \u043e\u0431\u044b\u0447\u043d\u043e \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438, \u0443\u0447\u0435\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0438\u043b\u0438 \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u0438\u0435 \u043a\u043b\u044e\u0447\u0438. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = \u0421\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u0444\u0430\u0439\u043b \u0441\u0432\u043e\u0439\u0441\u0442\u0432 \u0431\u044b\u043b\u0430 \u043d\u0430\u0439\u0434\u0435\u043d\u0430 \u0432 \u0434\u0438\u0437\u0430\u0441\u0441\u0435\u043c\u0431\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u043c \u043a\u043e\u0434\u0435 Java \n\u0434\u043b\u044f \u043a\u043b\u0430\u0441\u0441\u0430 Java [{0}]. 
ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0424\u0430\u0439\u043b\u0430 \u0421\u0432\u043e\u0439\u0441\u0442\u0432 - \u043f\u0430\u043f\u043a\u0430 / WEB-INF -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u043b\u0436\u0435\u043d \u0431\u044b\u0442\u044c \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d \u0442\u0430\u043a, \u0447\u0442\u043e\u0431\u044b \u043d\u0435 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u0442\u044c \u043f\u0430\u043f\u043a\u0443 / WEB-INF \u0438\u043b\u0438 \u0435\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0434\u043b\u044f \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432. \u0422\u0430\u043a\u0436\u0435 \u043c\u043e\u0436\u043d\u043e \u0443\u0434\u0430\u043b\u0438\u0442\u044c \u043f\u0430\u043f\u043a\u0443 / WEB-INF. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u043b\u0436\u0435\u043d \u0431\u044b\u0442\u044c \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d \u0442\u0430\u043a, \u0447\u0442\u043e\u0431\u044b \u043d\u0435 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u0442\u044c \u043f\u0430\u043f\u043a\u0443 / WEB-INF \u0438\u043b\u0438 \u0435\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0434\u043b\u044f \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u0432, \u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u043e\u043d \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e, \u0442\u0430\u043a\u0443\u044e \u043a\u0430\u043a \u0441\u043a\u043e\u043c\u043f\u0438\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 Java \u0438 \u0444\u0430\u0439\u043b\u044b \u0441\u0432\u043e\u0439\u0441\u0442\u0432, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0433\u0443\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c \u0443\u0447\u0435\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435. 
\u041a\u043b\u0430\u0441\u0441\u044b Java, \u0440\u0430\u0437\u0432\u0435\u0440\u043d\u0443\u0442\u044b\u0435 \u0432\u043c\u0435\u0441\u0442\u0435 \u0441 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435\u043c, \u0434\u043e\u043b\u0436\u043d\u044b \u0431\u044b\u0442\u044c \u0437\u0430\u043f\u0443\u0442\u0430\u043d\u044b \u0432 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u0443\u0440\u043e\u0432\u043d\u044f \u0437\u0430\u0449\u0438\u0442\u044b \u0432 \u043f\u043e\u0434\u0445\u043e\u0434\u0435 \u00ab\u0433\u043b\u0443\u0431\u043e\u043a\u043e\u0439 \u0437\u0430\u0449\u0438\u0442\u044b\u00bb. ascanrules.spring4shell.desc = \u041f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e \u0434\u043b\u044f CVE-2022-22965 (\u0442\u0430\u043a\u0436\u0435 \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u043e\u0439 \u043a\u0430\u043a Spring4Shell) \u2014 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430 (RCE) \u0447\u0435\u0440\u0435\u0437 \u043f\u0440\u0438\u0432\u044f\u0437\u043a\u0443 \u0434\u0430\u043d\u043d\u044b\u0445. 
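Review bot: the new ascanrules.serversideinclude.soln line appends the full stop directly after the Apache directive, ending in "AddType text/x-server-parsed-html .html.", so the punctuation reads as part of the ".html" extension a reader is expected to copy into the configuration; end the sentence before "For Apache, disable the following\:" instead, or leave the directive list unpunctuated. The same string still carries the typo "Sever Side Include" from the old line, and the new propertiesfile.desc reads "Properties file are not intended". Six Russian strings in this hunk (persistentxssattack.otherinfo.nothtml, remotecodeexecution.cve-2012-1823.desc, serversideinclude.desc, sourcecodedisclosurewebinf.desc, sourcecodedisclosurewebinf.propertiesfile.desc, sourcecodedisclosurewebinf.propertiesfile.soln) are replaced by English while their .name and .refs siblings stay in Russian, so these alerts will be displayed in two languages at once.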
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = \u041e\u0442\u043a\u043b\u044e\u0447\u0438\u044 #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = \u043f\u043e\u043b\u0435\: [{0}], \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = \u0414\u0430\u043d\u043d\u044b\u0435 \u0431\u044b\u043b\u0438 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0435\u043d\u044b \u0434\u043b\u044f \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430.\n\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u044b\u043b\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043f\u0443\u0442\u0435\u043c \u0443\u0441\u043f\u0435\u0448\u043d\u043e\u0433\u043e \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0438\u0441\u0445\u043e\u0434\u043d\u043e \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u043f\u0443\u0442\u0435\u043c \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = \u0414\u0430\u043d\u043d\u044b\u0435 \u041d\u0415 \u0431\u044b\u043b\u0438 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0435\u043d\u044b \u0434\u043b\u044f \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430.\n\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u044b\u043b\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043f\u0443\u0442\u0435\u043c 
\u0443\u0441\u043f\u0435\u0448\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0431\u043e\u043b\u044c\u0448\u0435\u0433\u043e \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u0430 \u0434\u0430\u043d\u043d\u044b\u0445, \u0447\u0435\u043c \u0431\u044b\u043b\u043e \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0435\u043d\u043e \u0438\u0437\u043d\u0430\u0447\u0430\u043b\u044c\u043d\u043e, \u043f\u0443\u0442\u0435\u043c \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] \u043f\u043e\u043b\u0435\: [{1}] \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = \u0418\u0441\u0445\u043e\u0434\u043d\u043e\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\: [{0}]. \u0418\u0437\u043c\u0435\u043d\u0435\u043d\u043d\u043e\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\: [{1}]. 
\u041a\u043e\u043d\u0442\u0440\u043e\u043b\u044c\u043d\u043e\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = \u041d\u0435\u0438\u0437\u043c\u0435\u043d\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0432\u0435\u0440\u043d\u0443\u043b\u043e \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{0}], \u0440\u0430\u0437\u043c\u0435\u0440 \u0442\u0435\u043b\u0430 [{1}], \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0432\u0435\u0440\u043d\u0443\u043b\u043e \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{2}], \u0440\u0430\u0437\u043c\u0435\u0440 \u0442\u0435\u043b\u0430 [{3}]. \u0422\u0440\u0435\u0442\u044c\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 (\u0441\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\u043c, \u043d\u0435 \u0432\u044b\u0437\u044b\u0432\u0430\u044e\u0449\u0438\u043c SQL \u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044e) \u0432\u0435\u0440\u043d\u0443\u043b\u043e \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{4}], \u0440\u0430\u0437\u043c\u0435\u0440 \u0442\u0435\u043b\u0430 [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = \u041d\u0435\u0438\u0437\u043c\u0435\u043d\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0432\u0435\u0440\u043d\u0443\u043b\u043e \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{0}], \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 \u0432\u0435\u0440\u043d\u0443\u043b\u043e \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{1}] 
-ascanrules.sqlinjection.alert.expressionbased.extrainfo = \u0418\u0441\u0445\u043e\u0434\u043d\u044b\u0435 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u044b \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u0431\u044b\u043b\u0438 \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u0432\u043e\u0441\u043f\u0440\u043e\u0438\u0437\u0432\u0435\u0434\u0435\u043d\u044b \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u044f [{0}] \u0432 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430.\n\u0418\u0437\u043c\u0435\u043d\u044f\u0435\u043c\u043e\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 \u0431\u044b\u043b\u043e {1} \u0443\u0434\u0430\u043b\u0435\u043d\u043e \u0438\u0437 \u0432\u044b\u0432\u043e\u0434\u0430 HTML \u0434\u043b\u044f \u0446\u0435\u043b\u0435\u0439 \u0441\u0440\u0430\u0432\u043d\u0435\u043d\u0438\u044f. 
-ascanrules.sqlinjection.alert.orderbybased.extrainfo = \u0420\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u044b \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0439 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u0431\u044b\u043b\u0438 \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u0432\u043e\u0441\u043f\u0440\u043e\u0438\u0437\u0432\u0435\u0434\u0435\u043d\u044b \n\u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u044f ORDER BY [{0}] \u0432 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430.\n\u0418\u0437\u043c\u0435\u043d\u044f\u0435\u043c\u043e\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 \u0431\u044b\u043b\u043e {1} \u0443\u0434\u0430\u043b\u0435\u043d\u043e \u0438\u0437 \u0432\u044b\u0432\u043e\u0434\u0430 HTML \u0434\u043b\u044f \u0446\u0435\u043b\u0435\u0439 \u0441\u0440\u0430\u0432\u043d\u0435\u043d\u0438\u044f. 
-ascanrules.sqlinjection.alert.timebased.extrainfo = \u0412\u0440\u0435\u043c\u044f \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 [{0}], \u0434\u043b\u044f \u043a\u043e\u0442\u043e\u0440\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u043b\u0441\u044f [{1}] \u043c\u0438\u043b\u043b\u0438\u0441\u0435\u043a\u0443\u043d\u0434, \u0432 \u0442\u043e\u043c \u0432\u0440\u0435\u043c\u044f \u043a\u0430\u043a \u0434\u043b\u044f \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043d\u0435\u0438\u0437\u043c\u0435\u043d\u0435\u043d\u043d\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0441\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\u043c [{2}] \u0437\u0430\u043f\u0440\u043e\u0441 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u043b\u0441\u044f [{3}] \u043c\u0438\u043b\u043b\u0438\u0441\u0435\u043a\u0443\u043d\u0434 +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. 
+ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = \u0412\u0440\u0435\u043c\u044f \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u043c\u043e\u0436\u043d\u043e \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 [{0}], \n\u0438\u0437-\u0437\u0430 \u043a\u043e\u0442\u043e\u0440\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441 \u0437\u0430\u043d\u0438\u043c\u0430\u043b [{1}] \u043c\u0438\u043b\u043b\u0438\u0441\u0435\u043a\u0443\u043d\u0434\u044b, \n\u0442\u043e\u0433\u0434\u0430 \u043a\u0430\u043a \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043d\u0435\u043c\u043e\u0434\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0437\u0430\u043f\u0440\u043e\u0441 \u0441\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\u043c [{2}] \u0437\u0430\u043d\u044f\u043b [{3}] \u043c\u0438\u043b\u043b\u0438\u0441\u0435\u043a\u0443\u043d\u0434\u044b. 
ascanrules.sqlinjection.alert.unionbased.attack = [{0}] \u043f\u043e\u043b\u0435\: [{1}] \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = \u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 SQL - \u043e\u0431\u0445\u043e\u0434 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 ascanrules.sqlinjection.desc = SQL injection may be possible. 
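Review bot: punctuation is applied inconsistently across the rewritten sqlinjection strings in this hunk: booleanbased.extrainfo, expressionbased.extrainfo, orderbybased.extrainfo and unionbased.extrainfo get a full stop only on the final sentence and still run the first sentence straight into "\n" without any, while errorbased.extrainfo, booleanbased.extrainfo.dataexists and .datanotexists close the first sentence with a full stop before "\n"; pick one convention for the whole group. The "{2}stripped" and "{1}stripped" placeholders have no separating space, which only renders correctly if the substituted value is either empty or already ends in a space ("NOT "), so it is worth confirming that against what the scan rule passes in. Locale handling is also mixed: timebased.extrainfo is re-translated into Russian, whereas the other five changed keys revert from Russian to English.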
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = \u0412\u0440\u0435\u0 ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL-\u0438\u043d\u044a\u0435\u043a\u0446\u0438\u044f - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = \u041a\u043e\u0433\u0434\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0439 \u0432\u0432\u043e\u0434 \u0432\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0432 \u0448\u0430\u0431\u043b\u043e\u043d, \n\u0430 \u043d\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0432 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442\u0430 \u043f\u0440\u0438 \u0440\u0435\u043d\u0434\u0435\u0440\u0438\u043d\u0433\u0435, \n\u043e\u043d \u043e\u0446\u0435\u043d\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u043e\u043c \u0448\u0430\u0431\u043b\u043e\u043d\u043e\u0432. 
\n\u0412 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0438 \u043e\u0442 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0448\u0430\u0431\u043b\u043e\u043d\u043e\u0432 \u044d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u043c\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044e \u043a\u043e\u0434\u0430. ascanrules.ssti.name = \u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u0448\u0430\u0431\u043b\u043e\u043d\u0430 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = \u0412\u043c\u0435\u0441\u0442\u043e \u0442\u043e\u0 ascanrules.traceaxd.desc = \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u043e, \u0447\u0442\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e \u043f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0430 \u0442\u0440\u0430\u0441\u0441\u0438\u0440\u043e\u0432\u043a\u0438 ASP.NET (trace.axd) \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e. \n\u042d\u0442\u043e\u0442 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442 \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0443\u0442\u0435\u0447\u043a\u0435 \u0437\u043d\u0430\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u0430 \u0446\u0435\u043d\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438. ascanrules.traceaxd.name = Trace.axd \u0423\u0442\u0435\u0447\u043a\u0430 \u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 -ascanrules.traceaxd.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u043a\u043e\u0434\u0430 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u043e\u0442\u0432\u0435\u0442\u0430 Trace Viewer \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0435\u043d \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0438\u043b\u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. 
ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = \u041f\u043e\u0434\u0443\u043c\u0430\u0439\u0442\u0435, \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u043b\u0438 Trace Viewer \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0432 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u0435, \u0435\u0441\u043b\u0438 \u043d\u0435\u0442, \u043e\u0442\u043a\u043b\u044e\u0447\u0438\u0442\u0435 \u0435\u0433\u043e. \n\u0415\u0441\u043b\u0438 \u044d\u0442\u043e \u0442\u0430\u043a, \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0434\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u043d\u0435\u043c\u0443 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u043e\u0434\u043b\u0438\u043d\u043d\u043e\u0441\u0442\u0438 \u0438 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_si_LK.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_si_LK.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_si_LK.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_si_LK.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
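Review bot: the `-`/`+` pairs for ascanrules.bufferoverflow.desc and ascanrules.bufferoverflow.soln in this hunk read byte-for-byte identically, so the only change can be trailing whitespace that is invisible here; confirm with `git diff -w` (or `--ws-error-highlight=all`) that nothing else moved, and say in the commit message that whitespace-only normalisation of the locale bundles is intended, otherwise the next reviewer has to diff the diff. The real edit in the hunk, the terminal period added to ascanrules.bufferoverflow.other, is fine, but it and every other period in this change should be made in the source Messages.properties and let the translation export regenerate these locale files rather than being hand-applied per locale.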
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
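Review bot: ascanrules.crlfinjection.desc is touched in this hunk (its `-`/`+` lines are identical apart from invisible whitespace) but the wording is left as-is, and it is the one line here that actually needs an edit: "Cookie can be set via CRLF injection" reads better as "A cookie can be set via CRLF injection", and "using cross-site script" should be "using cross-site scripting" (the attack name, not a script). Since the line is already in the patch, fix the text now so it does not need a second round trip through the translation pipeline. The removal of the stray leading space after `\n` in ascanrules.codeinjection.soln is correct, as it stops the third line of the rendered solution from starting with a space.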
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
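Review bot: ascanrules.directorybrowsing.soln and ascanrules.envfiles.desc are both rewritten in this hunk with no visible change (whitespace only), yet each still carries a grammar error that the change should have taken along: "make sure the listed files does not induce risks" should be "make sure the listed files do not introduce risk", and "One or more .env files seems to have been located" should be "seem to have been located". Touching a line in a source bundle invalidates its translations in every locale, so batching the wording fix into the same touch avoids a second invalidation later.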
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
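Review bot: ascanrules.formatstring.desc is touched (whitespace only) but keeps a description that is technically wrong, and the rule is a security finding, so the text matters: a format string bug is not input "evaluated as a command by the application", it is input passed as the format argument to a printf-family function so that `%s`, `%x`, `%n` and similar specifiers are interpreted, which is what the three error messages below it probe. Suggest "A Format String error occurs when submitted input is used as the format argument of a formatted output function, so that format specifiers in the input are interpreted." Also, the periods appended in error1 and error2 now sit directly after the probe token ("closed the connection on a /%s."), which reads as if the period were part of the payload; either move the probe into brackets as the other rules do ("on a [/%s]") or leave these two messages without a terminal period. The capitalisation of "Microsoft" in error3 is a correct fix.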
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
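Review bot: ascanrules.parametertamper.desc is in this hunk with an invisible (whitespace) change only, and still says "This indicated lack of exception handling"; the tense is wrong and the article is missing, so while the line is being touched change it to "This indicates a lack of exception handling and potential areas for further exploitation." The accompanying .soln line is likewise touched without a wording change; "enforce a tight check in the server side" should read "on the server side".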
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
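Review bot: the terminal period added to ascanrules.serversideinclude.soln lands on the last line of the embedded Apache configuration, so the rendered solution now ends with `AddType text/x-server-parsed-html .html.`, which is not a valid directive if a user copies the block; put the period on the prose sentence before "For Apache, disable the following:" and leave the three directive lines unpunctuated. The same line also keeps the typo "Sever Side Include" (for "Server Side Include") despite being rewritten. Separately, ascanrules.sourcecodedisclosurewebinf.desc and .propertiesfile.desc/.extrainfo are touched but still say the class files are "dis-assembled" to produce source; disassembly yields bytecode, it is decompilation that yields source "which very closely matches the original", so "decompiled" is the accurate term for a finding about source disclosure. "Properties file are not intended" should also be "Properties files are not intended".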
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
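Review bot: the periods added in this hunk make the sqlinjection extrainfo messages inconsistent with themselves rather than consistent: ascanrules.sqlinjection.alert.booleanbased.extrainfo now ends "...for the purposes of the comparison." but its first sentence still ends "conditions [{0}] and [{1}]\nThe parameter" with no period before the `\n`, and the same applies to the expressionbased, orderbybased and unionbased variants ("...by the HTML results\nThe vulnerability..."). Either punctuate both sentences or neither. The trailing context also shows ascanrules.sqlinjection.authbypass.desc ("...authentication mechanism to be bypassed") left without a terminal period, which looks like an oversight given that this change exists to add them. Note that MessageFormat is in use on these lines (`{0}`, `''UNION''`), so any further wording edits must keep the doubled single quotes; the `{2}stripped` / `{1}stripped` construct, where the argument is presumably "" or "NOT ", is untouched and fine.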
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sk_SK.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sk_SK.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sk_SK.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sk_SK.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
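Review bot: the -/+ pairs for ascanrules.bufferoverflow.desc and ascanrules.bufferoverflow.soln in this hunk are visually identical, so whatever changed is trailing whitespace or a non-printing character; please confirm that is the intended change (and that nothing else invisible slipped in), because the diff gives a reviewer nothing to verify. Note also that Messages_sk_SK.properties and Messages_sl_SI.properties carry the same blob ids (45b56f52542..a17d9ce6b80) and the same English text as the ar_SA file, i.e. these locales are untranslated copies of the default strings; if the source bundle is where these strings are maintained, the punctuation fixes belong there first so the locale files do not drift from it.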
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
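Review bot: in the @@ -62,13 hunk above, the periods added to ascanrules.formatstring.error1 and error2 land directly after the probe tokens (`/%s.` and `/%s and /%x.`), which reads as if the period were part of the token and is easy to copy wrongly; consider leaving those strings unpunctuated after the token, or bracketing the tokens the way the other alert strings do (e.g. `[/%s]`). The formatstring desc/soln pairs in that hunk are again identical on both sides, so the same whitespace-only check applies there.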
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
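Review bot: the period appended to ascanrules.serversideinclude.soln turns the last Apache directive into `AddType text/x-server-parsed-html .html.`; that line belongs to the copy-ready directive list introduced by `For Apache, disable the following:`, so the trailing period makes the directive wrong. Drop that period, or end the introductory sentence instead. While this string is being touched, `Refer to manual to disable Sever Side Include` still carries the `Sever` typo on both sides of the hunk, and `Properties file are not intended` in ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc remains ungrammatical (`Properties files are`).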
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
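Review bot: in the @@ -164,19 hunk, the multi-line extrainfo strings only gain a period on their final sentence while the first sentence before `\n` still has none (`...boolean conditions [{0}] and [{1}]\nThe parameter value...`, and likewise the expressionbased, orderbybased and unionbased strings); if the goal is consistent punctuation, add the period before the `\n` as well. The same applies to the identical ar_SA copy of this hunk earlier in the patch. In the context lines, ascanrules.sqlinjection.authbypass.desc also still lacks its period while ascanrules.sqlinjection.desc directly below it has one.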
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sl_SI.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sl_SI.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sl_SI.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sl_SI.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
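Review bot: The `-`/`+` pairs for `ascanrules.bufferoverflow.desc` and `ascanrules.bufferoverflow.soln` in this hunk are textually identical in the rendered view, so those two changes can only be trailing-whitespace removals; please confirm that is intended rather than an accidental re-save. More broadly, every value in Messages_sl_SI.properties is English and the file shares its blob hashes (index 45b56f52542..a17d9ce6b80) with Messages_sq_AL.properties, so both look like untranslated copies of the default bundle. If these locale bundles are populated from a translation platform, hand edits here will be overwritten on the next sync and the punctuation fixes belong in the default Messages.properties only.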
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
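Review bot: `ascanrules.directorybrowsing.soln` is already touched by this hunk but keeps the agreement error "make sure the listed files does not induce risks"; since the line is being rewritten anyway, change it to "make sure the listed files do not introduce risks". The `-`/`+` pairs for `directorybrowsing.desc`, `envfiles.desc` and `elmah.otherinfo` again read identically here, i.e. whitespace-only edits.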
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
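Review bot: `ascanrules.parametertamper.desc` is rewritten in this hunk with no visible change, yet it still reads "This indicated lack of exception handling"; the tense and missing article should be fixed while the line is being edited: "This indicates a lack of exception handling and potential areas for further exploitation." The `.soln` value in the same hunk would also read better as "a tight check on the server side" and "for internal server errors".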
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
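Review bot: The added period at the end of `ascanrules.serversideinclude.soln` lands inside the Apache configuration snippet the message lists line by line, so the last directive now renders as `AddType text/x-server-parsed-html .html.`, which a reader will take to be part of the directive (a `.html.` extension). Drop that trailing period, or end the sentence before the `For Apache, disable the following\:` list so the config lines stay verbatim. The same value also still contains the typo "Sever Side Include", which this hunk could correct at no extra cost.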
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
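Review bot: In `ascanrules.sqlinjection.alert.booleanbased.extrainfo`, `expressionbased.extrainfo`, `orderbybased.extrainfo` and `unionbased.extrainfo` a period is appended only to the final sentence, while the first sentence of each value (the one before `\n`, ending in `[{1}]`, `as the parameter value` or `matched by the HTML results`) is still left unterminated, so the multi-line messages end up half punctuated. Either terminate both sentences or leave both as they were. Note that `{2}stripped` / `{1}stripped` are intentionally unspaced because the placeholder carries an optional "NOT " prefix, so that part should stay as is.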
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sq_AL.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sq_AL.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sq_AL.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sq_AL.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
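Review bot: two lines modified in this hunk keep a subject-verb agreement error that should be fixed while they are open: `ascanrules.directorybrowsing.soln` says "make sure the listed files does not induce risks" (should be "do not"), and `ascanrules.envfiles.desc` says "One or more .env files seems to have been located" (should be "seem"). The `ascanrules.elmah.otherinfo` and `ascanrules.directorybrowsing.desc` pairs are again textually identical, so the same whitespace-only question from the previous hunk applies here.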
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
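Review bot: appending the period directly after the trigger tokens in `ascanrules.formatstring.error1` and `error2` produces "closed the connection on a /%s." and "on a /%s and /%x.", where a reader can take the full stop as part of the string that caused the error. Consider bracketing the tokens the way other messages in this file do for values, e.g. "closed the connection on a [/%s].", so the terminator is unambiguous. The `ascanrules.formatstring.desc`, `formatstring.soln` and `ascanrules.htaccess.desc` pairs are identical before and after, so they fall under the whitespace-only question raised above.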
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
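Review bot: `ascanrules.parametertamper.desc` still reads "This indicated lack of exception handling" after the change; since the line is being rewritten, "This indicates a lack of exception handling" is the correct tense and article. In `ascanrules.parametertamper.soln`, "Besides, catch the exception properly." is awkward in an alert solution; "Also, catch exceptions properly." would read more naturally.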
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
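Review bot: the period added to `ascanrules.serversideinclude.soln` lands on the last Apache directive, so the rendered solution ends with "AddType text/x-server-parsed-html .html." and a reader copying the directive list may carry the full stop into the extension. Either leave the directive lines unterminated or move the terminator to the introducing sentence ("For Apache, disable the following:"). The same line keeps the typo "Refer to manual to disable Sever Side Include" ("Server"). In `ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc`, "Properties file are not intended" should be "Properties files are not intended", and "dis-assembled" in the `webinf.desc` line is normally written "disassembled".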
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
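Review bot: the SQL injection `extrainfo` messages are only half-terminated after this hunk: in `booleanbased.extrainfo`, `expressionbased.extrainfo`, `orderbybased.extrainfo` and `unionbased.extrainfo` the period is added to the sentence after the `\n` while the first sentence ("...boolean conditions [{0}] and [{1}]", "...matched by the HTML results") still has no terminator. Each multi-line message should terminate both sentences. Also note the untouched context line `ascanrules.sqlinjection.authbypass.desc` ("...authentication mechanism to be bypassed") lacks a trailing period, so if the goal of this change is consistent terminal punctuation it should be included.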
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sr_CS.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sr_CS.properties index 7303a47aa65..575851528c3 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sr_CS.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sr_CS.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
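Review bot: in the `@@ -62,13 +62,13 @@` hunk the new terminating periods in `ascanrules.formatstring.error1` and `.error2` land directly after the probe tokens (`on a /%s.`, `on a /%s and /%x.`), so the literal probe now reads as `/%s.` and `/%x.` in the alert; quote or bracket the tokens before the period, e.g. `The script closed the connection on "/%s".` Separately, `formatstring.desc` is rewritten (whitespace only) but still says the input "is evaluated as a command by the application"; a format string bug is the input being interpreted as a printf-style format string, so if the English is being touched, "is interpreted as a format string by the application" would be accurate, and the fix belongs in the base bundle first so this locale copy does not drift from it.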
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
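Review bot: `ascanrules.parametertamper.desc` and `.soln` are rewritten with no visible change (whitespace only); while they are touched, "This indicated lack of exception handling" should be "This indicates a lack of exception handling" and "enforce a tight check in the server side" should be "on the server side". As with the other hunks, the commit message should state that these are whitespace-only rewrites.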
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
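Review bot: the period appended to `ascanrules.serversideinclude.soln` corrupts the configuration it quotes: the string ends with a `\n`-separated list of Apache directives the reader is told to remove, and the new text makes the last one `AddType text/x-server-parsed-html .html.`, i.e. an extension of `.html.` if anyone copies it. Terminate the sentence before the directive list ("For Apache, disable the following\:") and leave the directives unpunctuated. The same line still carries the typo "Refer to manual to disable Sever Side Include" ("Server"), which should be fixed in the same rewrite, and `sourcecodedisclosurewebinf.propertiesfile.desc` keeps "Properties file are not intended" ("Properties files are not intended"). Everything else in this hunk is whitespace or a trailing period.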
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] polje\: [{1}], vrednost [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] polje\: [{1}], vrednost [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
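Review bot: the context lines `ascanrules.sqlinjection.alert.errorbased.attack = [{0}] polje\: [{1}], vrednost [{2}]` and `ascanrules.sqlinjection.alert.unionbased.attack = [{0}] polje\: [{1}], vrednost [{2}]` in the `@@ -164,19 +164,19 @@` hunk are Serbian ("polje" is field, "vrednost" is value) while every other string in this file is English, and this file is not the Messages_sr_SP.properties one that starts further down, so users of this locale will see a Serbian alert title mixed into English text; that looks like a locale mix-up and is worth correcting while the neighbouring keys are being edited. Two consistency points on the periods being added: the period is only added to the final sentence of each `extrainfo`, so the sentence before each `\n` ("...using the boolean conditions [{0}] and [{1}]", "...matched by the HTML results") is still unterminated, and the trailing context line `ascanrules.sqlinjection.authbypass.desc = ... to be bypassed` is left without one.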
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sr_SP.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sr_SP.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sr_SP.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_sr_SP.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
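Review bot: this file's hunks duplicate those of the file above line for line (`ascanrules.bufferoverflow.desc`, `.other` and `.soln` here carry the same English text and the same whitespace and period changes), so every copy-edit to the English source has to be repeated once per locale file and the copies will drift the first time one is missed. Untranslated keys could instead be omitted from the locale files: Java `ResourceBundle` lookup falls back to the base bundle for any key absent from `Messages_<locale>.properties`, so the English would be maintained in one place and the locale files would hold only translated strings. Until then, the remarks made on the earlier file's hunks apply unchanged to the duplicate hunks below.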
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
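Review bot: `ascanrules.codeinjection.desc` gains only a period and remains hard to parse ("A code injection may be possible including custom code that will be evaluated by the scripting engine."); suggest "Code injection may be possible: custom code supplied as input would be evaluated by the scripting engine." The `\n Avoid` to `\nAvoid` change in `codeinjection.soln` is correct, since the leading space would otherwise appear at the start of that line in the rendered alert. `crlfinjection.desc` is a whitespace-only rewrite; while it is touched, "using cross-site script" should read "using cross-site scripting".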
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
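Review bot: the parametertamper.desc line is already being touched in this hunk, so the tense slip in its second sentence should go with it: "This indicated lack of exception handling" reads better as "This indicates a lack of exception handling". Likewise "enforce a tight check in the server side" in parametertamper.soln should be "on the server side". Neither desc nor soln shows a visible text change here, so presumably only trailing whitespace differs; worth confirming the change is whitespace-only before merging.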
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
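Review bot: the added full stop in serversideinclude.soln lands on an Apache directive rather than a sentence. The message now ends with "AddType text/x-server-parsed-html .html." so anyone copying the three directives out of the alert gets a trailing "." on the extension. Either leave this message without a terminal period or close the sentence before the directive list ("For Apache, disable the following.\n"). While the line is open, "Refer to manual to disable Sever Side Include." still carries the "Sever" typo, and in propertiesfile.desc "Properties file are not intended to be publicly accessible" should read "Properties files are not intended to be publicly accessible".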
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_tr_TR.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_tr_TR.properties index 9f5756ad5f3..6fb074d89eb 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_tr_TR.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_tr_TR.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Bellek ta\u015fma hatalar\u0131, arka planda \u00e7al\u0131\u015fan web i\u015flemlerinin bellekteki yerleri \u00fczerine bilerek ya da bilmeyerek yaz\u0131lmas\u0131yla olu\u015fan hatalard\u0131r. IP (Komut \u0130\u015faret\u00e7isi), BP(Temel Pointer) ve di\u011fer yazma\u00e7lar istisnai hatalar, segmentasyon hatalar\u0131 ve di\u011fer i\u015flemlerde problemler olu\u015fmas\u0131na neden olur. Genellikle bu hatalar uygulaman\u0131n beklenmedik bir \u015fekilde sona ermesine sebep olur. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Bellek Ta\u015fmas\u0131 -ascanrules.bufferoverflow.other = Olas\u0131 Bellek Ta\u015fmas\u0131. Betik ba\u011flant\u0131y\u0131 sonland\u0131rd\u0131 ve 500 \u0130\u00e7 Sunucu Hatas\u0131 verdi +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Arka planda \u00e7al\u0131\u015fan program\u0131 uygun d\u00f6n\u00fc\u015f de\u011feri i\u00e7in uzunluk kontrol\u00fc yaparak tekrar yaz. Bu i\u015flem arka planda \u00e7al\u0131\u015fan program\u0131n tekrar derlenmesini gerektirir. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
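Review bot: this hunk replaces the existing Turkish translations of bufferoverflow.desc, bufferoverflow.other and bufferoverflow.soln with the English source text while bufferoverflow.name stays Turkish. For desc and soln the English text in the ar_SA file above shows no visible change, so a whitespace-only edit to the source string appears to have discarded a complete translation. If this file is a generated export from the translation workflow that is expected; if it was edited by hand, the Turkish strings should be kept and only the trailing period added to .other. The same pattern appears in the elmah, formatstring, remotecodeexecution and sourcecodedisclosurewebinf hunks further down in this file.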
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Dizin Tarama ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. 
ascanrules.elmah.name = ELMAH Bilgi S\u0131z\u0131nt\u0131s\u0131 -ascanrules.elmah.otherinfo = Yan\u0131t durumu koduna dayanarak, ELMAH bir kimlik do\u011frulama veya yetkilendirme mekanizmas\u0131 taraf\u0131ndan korunabilir. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = ELMAH'\u0131n \u00fcretimde ger\u00e7ekten gerekli olup olmad\u0131\u011f\u0131n\u0131 d\u00fc\u015f\u00fcn\u00fcn, gerekli de\u011filse devre d\u0131\u015f\u0131 b\u0131rak\u0131n. E\u011fer \u00f6yleyse, ona eri\u015fimin, kimlik do\u011frulama ve yetkilendirme gerektirdi\u011finden emin olun. Ayr\u0131ca bkz\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
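Review bot: two grammar slips sit on lines this hunk already touches. In directorybrowsing.soln "make sure the listed files does not induce risks" should be "do not induce risks", and in envfiles.desc "One or more .env files seems to have been located on the server" should be "seem to have been located". The directorybrowsing.desc and envfiles.desc lines show no visible text change otherwise, so confirm those edits are whitespace-only.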
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = Girilen verinin uygulama taraf\u0131ndan bir komut olarak de\u011ferlendirilmesi sonucu Bi\u00e7im String hatas\u0131 olu\u015fur. -ascanrules.formatstring.error1 = Potansiyel bi\u00e7im string hatas\u0131. Komut dosyas\u0131 bir /%s' de ba\u011flant\u0131 kapatt\u0131 -ascanrules.formatstring.error2 = Potansiyel bi\u00e7im string hatas\u0131. Komut dosyas\u0131 bir /%s' de ve /%x ba\u011flant\u0131 kapatt\u0131 -ascanrules.formatstring.error3 = Muhtemel yaz\u0131 format\u0131 hatas\u0131. Komut dosyas\u0131 mikrosoft yaz\u0131 format\u0131 hatas\u0131 ile sonland\u0131 +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Bi\u00e7im String Hatas\u0131 ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Arka planda \u00e7al\u0131\u015fan program\u0131 uygun k\u00f6t\u00fc string karakterlerini silerek tekrar yaz\u0131n. Bu arka planda \u00e7al\u0131\u015fan program\u0131n tekrar derlenmesini gerektirir. 
+ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Genel Dolgu Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Kod \u00e7\u00f6zmeye ba\u015flamadan \u00f6nce kodlanm\u0131\u015f verileri d\u00fczg\u00fcn bir \u015fekilde do\u011frulayabilmeleri i\u00e7in etkilenmi\u015f sunucu yaz\u0131l\u0131m\u0131n\u0131 g\u00fcncelle veya komut dizilerini de\u011fi\u015ftir. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Yol Takibi 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = CGI kullanarak \u00e7al\u0131\u015fmak \u00fczere yap\u0131land\u0131r\u0131lm\u0131\u015f Baz\u0131 PHP s\u00fcr\u00fcmleri, do\u011fru rasgele kod y\u00fcr\u00fct\u00fclmesine olanak bir \u00e7\u0131kmam\u0131\u015f "\=" karakterini eksikli\u011fi sorgu dizeleri dokunmay\u0131n. Bu durumda, bir i\u015fletim sistemi komut web sunucusunda y\u00fcr\u00fct\u00fclecek neden ve sonu\u00e7lar web taray\u0131c\u0131s\u0131 iade edildi. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Uzaktan Kod Y\u00fcr\u00fctme - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = PHP'nin en son kararl\u0131 s\u00fcr\u00fcme y\u00fckseltin veya "RewriteCond" ve "RewriteRule" direktiflerini kullanarak k\u00f6t\u00fc niyetli istekleri s\u00fczmek i\u00e7in Apache web sunucusu ve mod_rewrite mod\u00fcl\u00fcn\u00fc kullanabilirsiniz. 
ascanrules.remotefileinclude.name = Uzaktan dosya dahili -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = CGI kullanarak \u00e7al\u0131\u015fmak \u00fczere yap\u0131land\u0131r\u0131lm\u0131\u015f Baz\u0131 PHP s\u00fcr\u00fcmleri, do\u011fru PHP kaynak kodu a\u00e7\u0131klama ve keyfi kod y\u00fcr\u00fct\u00fclmesine olanak bir \u00e7\u0131kmam\u0131\u015f "\=" karakteri yoksun sorgu dizeleri dokunmay\u0131n. Bu durumda, PHP dosyas\u0131n\u0131n i\u00e7eri\u011fi web taray\u0131c\u0131s\u0131 do\u011frudan ikram edildi. O da d\u00fcz HTML i\u00e7erebilir ancak bu \u00e7\u0131k\u0131\u015f, genellikle, PHP i\u00e7erecektir. 
ascanrules.sourcecodedisclosurecve-2012-1823.name = Kaynak Kodu Bilgilendirme - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = PHP'nin en son kararl\u0131 s\u00fcr\u00fcme y\u00fckseltin veya "RewriteCond" ve "RewriteRule" direktiflerini kullanarak k\u00f6t\u00fc niyetli istekleri s\u00fczmek i\u00e7in Apache web sunucusu ve mod_rewrite mod\u00fcl\u00fcn\u00fc kullanabilirsiniz. -ascanrules.sourcecodedisclosurewebinf.desc = Java kaynak kodu WEB-INF klas\u00f6r\u00fcndeki Java s\u0131n\u0131f dosyalar\u0131 web sunucusu taraf\u0131ndan if\u015fa edildi. s\u0131n\u0131f dosyalar\u0131 olabilir \u00e7ok yak\u0131ndan orijinal kaynak kodu ile e\u015fle\u015fen kaynak kodu \u00fcretmek i\u00e7in dis-topland\u0131. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = / WEB-INF klas\u00f6r\u00fcndeki bir Java s\u0131n\u0131f\u0131 \u00f6zellikleri dosyan\u0131n varl\u0131\u011f\u0131n\u0131 a\u00e7\u0131klad\u0131. \u00d6zellikler dosyas\u0131 kamuya a\u00e7\u0131k olmas\u0131 ve genellikle yap\u0131land\u0131rma bilgilerini, uygulama kimlik bilgilerini veya \u015fifreleme anahtarlar\u0131 i\u00e7ermesi i\u00e7in de\u011fildir. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = \u00f6zellikler dosyaya ba\u015fvuru Java s\u0131n\u0131f\u0131 i\u00e7in dis monte Java kaynak kodu bulunmu\u015ftur [ {0} ]. 
ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = \u00d6zellikler A\u00e7\u0131klanmas\u0131 Dosya - / WEB-INF klas\u00f6r\u00fc -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = web sunucusu / WEB-INF klas\u00f6r\u00fcn\u00fc veya web taray\u0131c\u0131lar\u0131 i\u00e7eri\u011fini de\u011fil hizmet i\u00e7in yap\u0131land\u0131r\u0131lmal\u0131d\u0131r. Ayr\u0131ca / WEB-INF klas\u00f6r\u00fc kald\u0131rmak m\u00fcmk\u00fcn olabilir. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. ascanrules.sourcecodedisclosurewebinf.soln = web sunucusu bu t\u00fcr kimlik i\u00e7erebilir derlenmi\u015f Java kaynak kodu ve \u00f6zellikleri dosyalar\u0131 gibi hassas bilgiler i\u00e7erdi\u011finden, / WEB-INF klas\u00f6r\u00fcn\u00fc veya web taray\u0131c\u0131lar\u0131 i\u00e7eri\u011fini de\u011fil hizmet i\u00e7in yap\u0131land\u0131r\u0131lmal\u0131d\u0131r. Uygulama ile da\u011f\u0131t\u0131lan Java s\u0131n\u0131flar\u0131 bir "savunma derinlemesine" yakla\u015f\u0131m\u0131 i\u00e7inde ek bir savunma katman\u0131 olarak, Karart\u0131lm\u0131\u015f edilmelidir. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
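Review bot: the trailing period added to `ascanrules.serversideinclude.soln` lands inside the quoted Apache configuration, so the value now ends `AddType text/x-server-parsed-html .html.`; anyone copying those three directives out of the alert gets a bogus `.html.` extension. Either leave this key without the period or move the directive block ahead of the closing sentence. Other points in the new lines: `Properties file are not intended` should read `Properties files are not intended`; `dis-assembled` is the wrong term for recovering source from `.class` files (decompiled); and the pre-existing `Sever Side Include` typo is carried into the `+` line. The replaced Turkish values for the `cve-2012-1823` and `sourcecodedisclosurewebinf` keys were garbled machine output, so the English fallback is an improvement, but these keys should be queued for re-translation rather than left in English.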
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = Alan\: [ {0} ], de\u011fer [ {1} ] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [ {0} ] alan\: [ {1} ], de\u011fer [ {2} ] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = De\u011fi\u015ftirilmemi\u015f mesaj [HTTP stat\u00fcs\u00fc verdi {0} ], uzunlu\u011fu v\u00fccut [ {1} ], modifiye mesaj HTTP stat\u00fcs\u00fc verdi [ {2} ], uzunluk v\u00fccut [ {3} ]. \u00dc\u00e7\u00fcnc\u00fc (non-SQL enjeksiyonu uyaran de\u011feri) HTTP stat\u00fcs\u00fc verdi [ {4} ], uzunlu\u011fu v\u00fccut [ {5} ] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = De\u011fi\u015ftirilmemi\u015f mesaj [HTTP stat\u00fcs\u00fc verdi {0} ], modifiye mesaj verdi HTTP durum [ {1} ] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = Sorgu s\u00fcresi parametre de\u011ferini kullanarak kontrol edilebilir [ {0} ], istek [almaya neden olan {1} de\u011feri ile orijinal de\u011fi\u015ftirilmemi\u015f sorgusu [zaman] milisaniye, {2} ] [s\u00fcrd\u00fc {3} ] milisaniye +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. 
A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. 
ascanrules.sqlinjection.alert.unionbased.attack = [ {0} ] alan\: [ {1} ], de\u011fer [ {2} ] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. 
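Review bot: the period sweep in this hunk is inconsistent: `errorbased.extrainfo` now ends its first sentence with `results.\n`, while `unionbased.extrainfo` keeps `results\n`, and `booleanbased.extrainfo`, `expressionbased.extrainfo` and `orderbybased.extrainfo` keep `[{1}]\n` with no period before the line break; the unchanged context line `ascanrules.sqlinjection.authbypass.desc` also still lacks its terminal period. Pick one convention (period before every `\n` and at the end) and apply it across the whole `sqlinjection` set. The new English `errorbased.differentiation.extrainfo` and `timebased.extrainfo` correctly preserve every placeholder (`{0}`..`{5}` and `{0}`..`{3}`) from the removed Turkish values, and the `''UNION''` doubled quotes are correct for MessageFormat.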
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
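Review bot: the `ascanrules.ssti.alert.otherinfo` change only drops a stray space before `\n`, which is fine. The context line `ascanrules.ssti.desc` is ungrammatical as it stands ("When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine"); fix it in the English source so the locale files pick up the corrected sentence on the next sync.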
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_uk_UA.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_uk_UA.properties index da75d93c2e2..cfc32173957 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_uk_UA.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_uk_UA.properties 
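Review bot: `ascanrules.traceaxd.otherinfo` is removed and re-added with identical visible text, so this is another whitespace-only change; worth confirming with a whitespace-ignoring diff. While touching the string, the source sentence wants a comma ("Based on response status code, Trace Viewer may be protected ...") so the condition and the claim are not read as one noun phrase.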
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = \u041f\u043e\u043c\u0438\u043b\u043a\u0438 \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f \u0431\u0443\u0444\u0435\u0440\u0430 \u0445\u0430\u0440\u0430\u043a\u0442\u0435\u0440\u0438\u0437\u0443\u044e\u0442\u044c\u0441\u044f \u043f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441\u043e\u043c \u043f\u0440\u043e\u0441\u0442\u043e\u0440\u0456\u0432 \u043f\u0430\u043c\u2019\u044f\u0442\u0456 \u0444\u043e\u043d\u043e\u0432\u043e\u0433\u043e \u0432\u0435\u0431-\u043f\u0440\u043e\u0446\u0435\u0441\u0443, \u044f\u043a\u0438\u0439 \u043d\u0456\u043a\u043e\u043b\u0438 \u043d\u0435 \u0441\u043b\u0456\u0434 \u0431\u0443\u043b\u043e \u0437\u043c\u0456\u043d\u044e\u0432\u0430\u0442\u0438 \u043d\u0430\u0432\u043c\u0438\u0441\u043d\u043e \u0447\u0438 \u043d\u0435\u043d\u0430\u0432\u043c\u0438\u0441\u043d\u043e. \u041f\u0435\u0440\u0435\u0437\u0430\u043f\u0438\u0441 \u0437\u043d\u0430\u0447\u0435\u043d\u044c IP (\u0432\u043a\u0430\u0437\u0456\u0432\u043d\u0438\u043a \u0456\u043d\u0441\u0442\u0440\u0443\u043a\u0446\u0456\u0439), BP (\u0431\u0430\u0437\u043e\u0432\u0438\u0439 \u0432\u043a\u0430\u0437\u0456\u0432\u043d\u0438\u043a) \u0442\u0430 \u0456\u043d\u0448\u0438\u0445 \u0440\u0435\u0433\u0456\u0441\u0442\u0440\u0456\u0432 \u0432\u0438\u043a\u043b\u0438\u043a\u0430\u0454 \u0432\u0438\u043d\u044f\u0442\u043a\u0438, \u043f\u043e\u043c\u0438\u043b\u043a\u0438 \u0441\u0435\u0433\u043c\u0435\u043d\u0442\u0430\u0446\u0456\u0457 \u0442\u0430 \u0456\u043d\u0448\u0456 \u043f\u043e\u043c\u0438\u043b\u043a\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0443. 
\u0417\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u0446\u0456 \u043f\u043e\u043c\u0438\u043b\u043a\u0438 \u043f\u0440\u0438\u0437\u0432\u043e\u0434\u044f\u0442\u044c \u0434\u043e \u043d\u0435\u043e\u0447\u0456\u043a\u0443\u0432\u0430\u043d\u043e\u0433\u043e \u0437\u0430\u0432\u0435\u0440\u0448\u0435\u043d\u043d\u044f \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0438. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = \u041f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f \u0431\u0443\u0444\u0435\u0440\u0443 -ascanrules.bufferoverflow.other = \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f \u0431\u0443\u0444\u0435\u0440\u0430. \u0421\u0446\u0435\u043d\u0430\u0440\u0456\u0439 \u0437\u0430\u043a\u0440\u0438\u0432 \u0437\u2019\u0454\u0434\u043d\u0430\u043d\u043d\u044f \u0442\u0430 \u0432\u0438\u0434\u0430\u0432 \u0432\u043d\u0443\u0442\u0440\u0456\u0448\u043d\u044e \u043f\u043e\u043c\u0438\u043b\u043a\u0443 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 500 +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. 
ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = \u041f\u0435\u0440\u0435\u043f\u0438\u0448\u0456\u0442\u044c \u0444\u043e\u043d\u043e\u0432\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0443, \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0447\u0438 \u043d\u0430\u043b\u0435\u0436\u043d\u0443 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0443 \u0434\u043e\u0432\u0436\u0438\u043d\u0438 \u043f\u043e\u0432\u0435\u0440\u043d\u0435\u043d\u043d\u044f. \u0414\u043b\u044f \u0446\u044c\u043e\u0433\u043e \u0437\u043d\u0430\u0434\u043e\u0431\u0438\u0442\u044c\u0441\u044f \u043f\u0435\u0440\u0435\u043a\u043e\u043c\u043f\u0456\u043b\u044e\u0432\u0430\u0442\u0438 \u0444\u043e\u043d\u043e\u0432\u0438\u0439 \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u043d\u0438\u0439 \u0444\u0430\u0439\u043b. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = \u0410\u0442\u0430\u043a\u0430 \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u0438\u0445 \u0445\u043c\u0430\u0440\u0438 \u043d\u0430\u043c\u0430\u0433\u0430\u0454\u0442\u044c\u0441\u044f \u0437\u043b\u043e\u0432\u0436\u0438\u0432\u0430\u0442\u0438 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0438\u043c \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c NGINX, \u0449\u043e\u0431 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u0438\u0445 \u0435\u043a\u0437\u0435\u043c\u043f\u043b\u044f\u0440\u0456\u0432, \u044f\u043a\u0456 \u043f\u0456\u0434\u0442\u0440\u0438\u043c\u0443\u044e\u0442\u044c\u0441\u044f \u043f\u043e\u0441\u0442\u0430\u0447\u0430\u043b\u044c\u043d\u0438\u043a\u0430\u043c\u0438 \u0445\u043c\u0430\u0440\u043d\u0438\u0445 \u043f\u043e\u0441\u043b\u0443\u0433, \u0442\u0430\u043a\u0438\u043c\u0438 \u044f\u043a AWS, GCP \u0456 Azure.\n\u0423\u0441\u0456 \u0446\u0456 \u043f\u043e\u0441\u0442\u0430\u0447\u0430\u043b\u044c\u043d\u0438\u043a\u0438 \u043d\u0430\u0434\u0430\u044e\u0442\u044c \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u0456 \u0447\u0435\u0440\u0435\u0437 \u0432\u043d\u0443\u0442\u0440\u0456\u0448\u043d\u044e \u043d\u0435\u043c\u0430\u0440\u0448\u0440\u0443\u0442\u0438\u0437\u043e\u0432\u0430\u043d\u0443 IP-\u0430\u0434\u0440\u0435\u0441\u0443 '169.254.169.254' \u2014 \u0446\u0435 \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0438\u043c\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c\u0438 NGINX \u0456 \u043c\u043e\u0436\u0435 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0437\u0430 
\u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0446\u0456\u0454\u0457 IP-\u0430\u0434\u0440\u0435\u0441\u0438 \u0432 \u043f\u043e\u043b\u0456 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u0445\u043e\u0441\u0442\u0443. ascanrules.cloudmetadata.name = \u041c\u0435\u0442\u0430\u0434\u0430\u043d\u0456 \u0445\u043c\u0430\u0440\u0438 \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u043e \u0440\u043e\u0437\u043a\u0440\u0438\u0442\u0456 
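Review bot: all three `ascanrules.bufferoverflow` keys in this hunk lose a complete and accurate Ukrainian translation and receive the English source text instead; the only visible content difference between the old Ukrainian `.other` and the new English `.other` is the trailing period. If this is a Crowdin export that invalidates translations whenever the source changes, these keys should be queued for re-translation, otherwise uk_UA users see a regression from Ukrainian to English for a punctuation change. Separately, the removed `.desc` value renders here across two physical lines (the sentence about the process errors ends one line and the sentence about unexpected termination starts the next); if that was a real line break without a `\` continuation in the old file, the old value was truncated at the break and the replacement also fixes that.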
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432 ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = \u041d\u0435 \u0434\u043e\u0432\u0456\u0440\u044f\u0439\u0442\u0435 \u0436\u043e\u0434\u043d\u0438\u043c \u0434\u0430\u043d\u0438\u043c \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f\u0445 NGINX. \u0423 \u0446\u044c\u043e\u043c\u0443 \u0432\u0438\u043f\u0430\u0434\u043a\u0443 \u0446\u0435, \u0439\u043c\u043e\u0432\u0456\u0440\u043d\u043e, \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u0437\u043c\u0456\u043d\u043d\u043e\u0457 $host, \u044f\u043a\u0430 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u044e\u0454\u0442\u044c\u0441\u044f \u0437 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u00abHost\u00bb \u0456 \u043c\u043e\u0436\u0435 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438\u0441\u044f \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u043e\u043c. -ascanrules.codeinjection.desc = \u041c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u043c\u043e\u0436\u043b\u0438\u0432\u0438\u043c \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443, \u0432\u043a\u043b\u044e\u0447\u0430\u044e\u0447\u0438 \u0441\u043f\u0435\u0446\u0456\u0430\u043b\u044c\u043d\u0438\u0439 \u043a\u043e\u0434, \u044f\u043a\u0438\u0439 \u0431\u0443\u0434\u0435 \u043e\u0446\u0456\u043d\u0435\u043d\u043e \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c\u043e\u043c \u0441\u0442\u0432\u043e\u0440\u0435\u043d\u043d\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0457\u0432 +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. 
ascanrules.codeinjection.name = \u0412\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 ascanrules.codeinjection.name.asp = \u0412\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 - \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443 ASP ascanrules.codeinjection.name.php = \u0412\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 - \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443 PHP ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = \u041d\u0435 \u0434\u043e\u0432\u0456\u0440\u044f\u0439\u0442\u0435 \u0432\u0432\u0435\u0434\u0435\u043d\u0438\u043c \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u043a\u043b\u0456\u0454\u043d\u0442\u0430, \u043d\u0430\u0432\u0456\u0442\u044c \u044f\u043a\u0449\u043e \u0456\u0441\u043d\u0443\u0454 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u043a\u043b\u0456\u0454\u043d\u0442\u0430.\n\u0417\u0430\u0433\u0430\u043b\u043e\u043c, \u0432\u0432\u0435\u0434\u0456\u0442\u044c \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0438\u0442\u0438 \u0432\u0441\u0456 \u0434\u0430\u043d\u0456 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0442\u0430 \u0443\u043d\u0438\u043a\u043d\u0443\u0442\u0438 \u0432\u0441\u0456\u0445 \u0434\u0430\u043d\u0438\u0445, 
\u043e\u0442\u0440\u0438\u043c\u0430\u043d\u0438\u0445 \u0432\u0456\u0434 \u043a\u043b\u0456\u0454\u043d\u0442\u0430.\n \u0423\u043d\u0438\u043a\u0430\u0439\u0442\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u0444\u0443\u043d\u043a\u0446\u0456\u0439 eval() \u0443 \u043f\u043e\u0454\u0434\u043d\u0430\u043d\u043d\u0456 \u0437 \u0432\u0432\u0435\u0434\u0435\u043d\u0438\u043c\u0438 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c \u0434\u0430\u043d\u0438\u043c\u0438. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = \u0422\u0435\u0445\u043d\u0456\u043a\u0430 \u0430\u0442\u0430\u043a\u0438, \u044f\u043a\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u0434\u043b\u044f \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0456\u043e\u043d\u043e\u0432\u0430\u043d\u043e\u0433\u043e \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u043a\u043e\u043c\u0430\u043d\u0434 \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0439\u043d\u043e\u0457 \u0441\u0438\u0441\u0442\u0435\u043c\u0438. 
\u0426\u044f \u0430\u0442\u0430\u043a\u0430 \u043c\u043e\u0436\u043b\u0438\u0432\u0430, \u043a\u043e\u043b\u0438 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0430 \u043f\u0440\u0438\u0439\u043c\u0430\u0454 \u043d\u0435\u043d\u0430\u0434\u0456\u0439\u043d\u0438\u0439 \u0432\u0445\u0456\u0434 \u0434\u043b\u044f \u043f\u043e\u0431\u0443\u0434\u043e\u0432\u0438 \u043a\u043e\u043c\u0430\u043d\u0434 \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0439\u043d\u043e\u0457 \u0441\u0438\u0441\u0442\u0435\u043c\u0438 \u0432 \u043d\u0435\u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0438\u0439 \u0441\u043f\u043e\u0441\u0456\u0431, \u0432\u043a\u043b\u044e\u0447\u0430\u044e\u0447\u0438 \u043d\u0435\u043d\u0430\u043b\u0435\u0436\u043d\u0443 \u043e\u0431\u0440\u043e\u0431\u043a\u0443 \u0434\u0430\u043d\u0438\u0445 \u0456/\u0430\u0431\u043e \u043d\u0435\u043d\u0430\u043b\u0435\u0436\u043d\u0438\u0439 \u0432\u0438\u043a\u043b\u0438\u043a \u0437\u043e\u0432\u043d\u0456\u0448\u043d\u0456\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c. 
ascanrules.commandinjection.name = \u0412\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u0435 \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043a\u043e\u043c\u0430\u043d\u0434 OS -ascanrules.commandinjection.otherinfo.feedback-based = \u041f\u0440\u0430\u0432\u0438\u043b\u0443 \u0441\u043a\u0430\u043d\u0443\u0432\u0430\u043d\u043d\u044f \u0432\u0434\u0430\u043b\u043e\u0441\u044f \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0432\u043c\u0456\u0441\u0442 \u0444\u0430\u0439\u043b\u0443 \u0430\u0431\u043e \u043a\u043e\u043c\u0430\u043d\u0434\u0438, \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u0432\u0448\u0438 [{0}] \u0434\u043e \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0439\u043d\u043e\u0457 \u0441\u0438\u0441\u0442\u0435\u043c\u0438, \u043d\u0430 \u044f\u043a\u0456\u0439 \u0437\u0430\u043f\u0443\u0449\u0435\u043d\u0430 \u0446\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0430 -ascanrules.commandinjection.otherinfo.time-based = \u041f\u0440\u0430\u0432\u0438\u043b\u0443 \u0441\u043a\u0430\u043d\u0443\u0432\u0430\u043d\u043d\u044f \u0432\u0434\u0430\u043b\u043e\u0441\u044f \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0432\u043c\u0456\u0441\u0442 \u0444\u0430\u0439\u043b\u0443 \u0430\u0431\u043e \u043a\u043e\u043c\u0430\u043d\u0434\u0438, \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u0432\u0448\u0438 [{0}] \u0434\u043e \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0439\u043d\u043e\u0457 \u0441\u0438\u0441\u0442\u0435\u043c\u0438, \u043d\u0430 \u044f\u043a\u0456\u0439 \u0437\u0430\u043f\u0443\u0449\u0435\u043d\u0430 \u0446\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0430 +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. 
+ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie \u043c\u043e\u0436\u043d\u0430 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f CRLF. \u0422\u0430\u043a\u043e\u0436 \u043c\u043e\u0436\u043d\u0430 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u0456 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 HTTP. \u041a\u0440\u0456\u043c \u0442\u043e\u0433\u043e, \u0443\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0434\u043e \u043e\u0442\u0440\u0443\u0454\u043d\u043d\u044f \u043a\u0435\u0448\u0443 \u0442\u0430\u043a\u043e\u0436 \u043c\u043e\u0436\u0435 \u0456\u0441\u043d\u0443\u0432\u0430\u0442\u0438, \u0440\u0435\u0442\u0435\u043b\u044c\u043d\u043e \u0441\u0442\u0432\u043e\u0440\u044e\u044e\u0447\u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u043c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. 
ascanrules.crlfinjection.name = CRLF \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044f ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = \u0423\u0432\u0430\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0442\u0435 \u0432\u0432\u0435\u0434\u0435\u043d\u0438\u0439 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440. \u041d\u0435 \u0434\u043e\u043f\u0443\u0441\u043a\u0430\u0439\u0442\u0435 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044f CRLF \u0448\u043b\u044f\u0445\u043e\u043c \u0444\u0456\u043b\u044c\u0442\u0440\u0430\u0446\u0456\u0457 CRLF. 
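Review bot: the replacement of `ascanrules.commandinjection.otherinfo.time-based` fixes a real translation bug: the removed Ukrainian value was a verbatim copy of the `feedback-based` string (both `-` lines are identical and claim the rule retrieved the content of a file or command), whereas the new English correctly states that the rule controlled the response timing; a time-based finding that claims output retrieval would mislead triage. The other replacements in this hunk (`codeinjection.desc`, `codeinjection.soln`, `crlfinjection.desc`) drop serviceable Ukrainian for English and should be queued for re-translation. Source nits visible in the new lines: `Cookie can be set via CRLF injection` should read `Cookies can be set ...`, and `cache poisoning vulnerability may also exist` wants an article.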
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = XSS-\u0430\u0442\u0430\u043a\u0430 \u0 ascanrules.crosssitescripting.json.name = \u0421\u043b\u0430\u0431\u043a\u0456\u0441\u0442\u044c \u043c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e (\u0432\u0456\u0434\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u043e \u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 JSON) ascanrules.crosssitescripting.name = \u041c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0438\u0439 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0439 (\u0412\u0456\u0434\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u043e) ascanrules.crosssitescripting.otherinfo.accesskey = \u0410\u0442\u0440\u0438\u0431\u0443\u0442 accesskey \u0432\u0438\u0437\u043d\u0430\u0447\u0430\u0454 \u043a\u043e\u043c\u0431\u0456\u043d\u0430\u0446\u0456\u044e \u043a\u043b\u0430\u0432\u0456\u0448 \u0434\u043b\u044f \u0430\u043a\u0442\u0438\u0432\u0430\u0446\u0456\u0457 \u0430\u0431\u043e \u0444\u043e\u043a\u0443\u0441\u0443\u0432\u0430\u043d\u043d\u044f \u0435\u043b\u0435\u043c\u0435\u043d\u0442\u0430. \u0426\u0435\u0439 \u0430\u0442\u0440\u0438\u0431\u0443\u0442 \u043c\u043e\u0436\u0435 \u0456\u043d\u0456\u0446\u0456\u044e\u0432\u0430\u0442\u0438 \u043a\u043e\u0440\u0438\u0441\u043d\u0435 \u043d\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0434\u043b\u044f \u043d\u0435\u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u0438\u0445 \u0430\u0431\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0446\u044c\u043a\u0438\u0445 \u0442\u0435\u0433\u0456\u0432. 
-ascanrules.crosssitescripting.otherinfo.nothtml = \u0412\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u0437 \u041d\u0418\u0417\u042c\u041a\u041e\u042e \u0434\u043e\u0441\u0442\u043e\u0432\u0456\u0440\u043d\u0456\u0441\u0442\u044e, \u043e\u0441\u043a\u0456\u043b\u044c\u043a\u0438 Content-Type \u043d\u0435 \u0454 HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = \u0412\u0438\u043f\u0443\u0441\u043a \u0441\u0442\u0430\u043d\u0443 \u0430\u043a\u0442\u0438\u0432\u043d\u0438\u0445 \u043f\u0440\u0430\u0432\u0438\u043b \u0441\u043a\u0430\u043d\u0443\u0432\u0430\u043d\u043d\u044f -ascanrules.directorybrowsing.desc = \u0404 \u043c\u043e\u0436\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u043f\u0435\u0440\u0435\u0433\u043b\u044f\u043d\u0443\u0442\u0438 \u043f\u0435\u0440\u0435\u043b\u0456\u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443. \u041f\u0435\u0440\u0435\u043b\u0456\u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443 \u043c\u043e\u0436\u0435 \u0432\u0438\u044f\u0432\u0438\u0442\u0438 \u043f\u0440\u0438\u0445\u043e\u0432\u0430\u043d\u0456 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0457, \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u0444\u0430\u0439\u043b\u0438, \u0432\u0438\u0445\u0456\u0434\u043d\u0456 \u0444\u0430\u0439\u043b\u0438 \u0440\u0435\u0437\u0435\u0440\u0432\u043d\u0438\u0445 \u043a\u043e\u043f\u0456\u0439 \u0442\u043e\u0449\u043e, \u0434\u043e \u044f\u043a\u0438\u0445 \u043c\u043e\u0436\u043d\u0430 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043b\u044f \u0447\u0438\u0442\u0430\u043d\u043d\u044f \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u043e\u0457 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. 
which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = \u041f\u0435\u0440\u0435\u0433\u043b\u044f\u0434 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0456\u0432 ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = \u0412\u0438\u043c\u043a\u043d\u0443\u0442\u0438 \u043f\u0435\u0440\u0435\u0433\u043b\u044f\u0434 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443. \u042f\u043a\u0449\u043e \u0446\u0435 \u0434\u0456\u0439\u0441\u043d\u043e \u043f\u043e\u0442\u0440\u0456\u0431\u043d\u043e, \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u043f\u0435\u0440\u0435\u043b\u0456\u0447\u0435\u043d\u0456 \u0444\u0430\u0439\u043b\u0438 \u043d\u0435 \u0441\u0442\u0432\u043e\u0440\u044e\u044e\u0442\u044c \u0440\u0438\u0437\u0438\u043a\u0456\u0432. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = \u041c\u043e\u0434\u0443\u043b\u0456 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u044e\u0432\u0430\u043d\u043d\u044f \u043f\u043e\u043c\u0438\u043b\u043e\u043a \u0456 \u043e\u0431\u0440\u043e\u0431\u043d\u0438\u043a\u0438 (ELMAH [elmah.axd]) HTTP \u0432\u0438\u044f\u0432\u0438\u043b\u0438\u0441\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0438\u043c\u0438. \u0426\u0435\u0439 \u043c\u043e\u0434\u0443\u043b\u044c \u043c\u043e\u0436\u0435 \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u0432\u0438\u0442\u043e\u043a\u0443 \u0437\u043d\u0430\u0447\u043d\u043e\u0457 \u043a\u0456\u043b\u044c\u043a\u043e\u0441\u0442\u0456 \u0446\u0456\u043d\u043d\u043e\u0457 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457. 
ascanrules.elmah.name = \u0412\u0438\u0442\u0456\u043a \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 ELMAH -ascanrules.elmah.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u043a\u043e\u0434\u0443 \u0441\u0442\u0430\u043d\u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 ELMAH \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c\u043e\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0430\u0431\u043e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457. +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = \u0427\u0438 ELMAH \u043f\u043e\u0442\u0440\u0456\u0431\u0435\u043d \u0443 \u0432\u0438\u0440\u043e\u0431\u043d\u0438\u0446\u0442\u0432\u0456, \u044f\u043a\u0449\u043e \u043d\u0456, \u0432\u0438\u043c\u043a\u043d\u0456\u0442\u044c \u0439\u043e\u0433\u043e. \u042f\u043a\u0449\u043e \u0446\u0435 \u0442\u0430\u043a, \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u043d\u044c\u043e\u0433\u043e \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0454 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0442\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457. 
\u0414\u0438\u0432\u0456\u0442\u044c\u0441\u044f \u0442\u0430\u043a\u043e\u0436\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = \u0421\u0445\u043e\u0436\u0435, \u043e\u0434\u0438\u043d \u0430\u0431\u043e \u043a\u0456\u043b\u044c\u043a\u0430 \u0444\u0430\u0439\u043b\u0456\u0432 .env \u0440\u043e\u0437\u0442\u0430\u0448\u043e\u0432\u0430\u043d\u043e \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0456. \u0426\u0456 \u0444\u0430\u0439\u043b\u0438 \u0447\u0430\u0441\u0442\u043e \u0440\u043e\u0437\u043a\u0440\u0438\u0432\u0430\u044e\u0442\u044c \u0456\u043d\u0444\u0440\u0430\u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0443 \u0430\u0431\u043e \u0430\u0434\u043c\u0456\u043d\u0456\u0441\u0442\u0440\u0430\u0442\u0438\u0432\u043d\u0456 \u043e\u0431\u043b\u0456\u043a\u043e\u0432\u0456 \u0434\u0430\u043d\u0456, \u043a\u043b\u044e\u0447\u0456 API \u0430\u0431\u043e APP \u0430\u0431\u043e \u0456\u043d\u0448\u0443 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. 
ascanrules.envfiles.name = \u0412\u0438\u0442\u0456\u043a \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 .env ascanrules.envfiles.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u043a\u043e\u0434\u0443 \u0441\u0442\u0430\u0442\u0443\u0441\u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u0444\u0430\u0439\u043b .env \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c\u043e\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0430\u0431\u043e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
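Review bot: the `+` lines in this hunk (crosssitescripting.otherinfo.nothtml, directorybrowsing.desc and .soln, elmah.otherinfo, envfiles.desc) replace Ukrainian translations with the English source text, so the Ukrainian UI will show English for these alerts until they are re-translated; confirm this is an intended sync after a source-string change and not an accidental overwrite of a locale file. The English being pulled in also carries grammar errors that belong in the source strings, not in this file where a local fix would be lost on the next sync: `make sure the listed files does not induce risks` should read `make sure the listed files do not introduce risks`, and `One or more .env files seems to have been located` should read `seem to have been located`.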
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = \u041f\u0440\u0438\u0447\u0438\u04 ascanrules.externalredirect.reason.refresh.header = \u0412\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043f\u0435\u0440\u0435\u0441\u043f\u0440\u044f\u043c\u0443\u0432\u0430\u043d\u043d\u044f \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0443 \u043e\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f, \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u0437\u043e\u0432\u043d\u0456\u0448\u043d\u044e URL-\u0430\u0434\u0440\u0435\u0441\u0443. ascanrules.externalredirect.reason.refresh.meta = \u0412\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043f\u0435\u0440\u0435\u0441\u043f\u0440\u044f\u043c\u0443\u0432\u0430\u043d\u043d\u044f \u0443 \u0441\u0432\u043e\u0454\u043c\u0443 \u043c\u0435\u0442\u0430\u0442\u0435\u0491\u0443 http-equiv \u0434\u043b\u044f \u00ab\u041e\u043d\u043e\u0432\u0438\u0442\u0438\u00bb, \u044f\u043a\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u0437\u043e\u0432\u043d\u0456\u0448\u043d\u044e URL-\u0430\u0434\u0440\u0435\u0441\u0443.\n -ascanrules.formatstring.desc = \u0412\u0438\u043d\u0438\u043a\u0430\u0454 \u043f\u043e\u043c\u0438\u043b\u043a\u0430 \u0444\u043e\u0440\u043c\u0430\u0442\u0443\u0432\u0430\u043d\u043d\u044f \u0440\u044f\u0434\u043a\u0430, \u043a\u043e\u043b\u0438 \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u043d\u0456 \u0434\u0430\u043d\u0456 \u0432\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u0440\u044f\u0434\u043a\u0430 \u043e\u0446\u0456\u043d\u044e\u044e\u0442\u044c\u0441\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043e\u044e \u044f\u043a \u043a\u043e\u043c\u0430\u043d\u0434\u0430. 
-ascanrules.formatstring.error1 = \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0430 \u043f\u043e\u043c\u0438\u043b\u043a\u0430 \u0440\u044f\u0434\u043a\u0430 \u0444\u043e\u0440\u043c\u0430\u0442\u0443. \u0421\u0446\u0435\u043d\u0430\u0440\u0456\u0439 \u0437\u0430\u043a\u0440\u0438\u0432 \u0437\u2019\u0454\u0434\u043d\u0430\u043d\u043d\u044f \u043d\u0430 /%s -ascanrules.formatstring.error2 = \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0430 \u043f\u043e\u043c\u0438\u043b\u043a\u0430 \u0440\u044f\u0434\u043a\u0430 \u0444\u043e\u0440\u043c\u0430\u0442\u0443. \u0421\u0446\u0435\u043d\u0430\u0440\u0456\u0439 \u0437\u0430\u043a\u0440\u0438\u0432 \u0437\u2019\u0454\u0434\u043d\u0430\u043d\u043d\u044f \u043d\u0430 /%s \u0442\u0430 /%x -ascanrules.formatstring.error3 = \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0430 \u043f\u043e\u043c\u0438\u043b\u043a\u0430 \u0440\u044f\u0434\u043a\u0430 \u0444\u043e\u0440\u043c\u0430\u0442\u0443. \u0421\u0446\u0435\u043d\u0430\u0440\u0456\u0439 \u0437\u0430\u043a\u0440\u0438\u0432 \u0437\u2019\u0454\u0434\u043d\u0430\u043d\u043d\u044f \u0447\u0435\u0440\u0435\u0437 \u043f\u043e\u043c\u0438\u043b\u043a\u0443 \u0440\u044f\u0434\u043a\u0430 \u0444\u043e\u0440\u043c\u0430\u0442\u0443 Microsoft +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. 
ascanrules.formatstring.name = \u041f\u043e\u043c\u0438\u043b\u043a\u0430 \u0444\u043e\u0440\u043c\u0430\u0442\u0443\u0432\u0430\u043d\u043d\u044f \u0440\u044f\u0434\u043a\u0430 ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Fromat_string_attack -ascanrules.formatstring.soln = \u041f\u0435\u0440\u0435\u043f\u0438\u0448\u0456\u0442\u044c \u0444\u043e\u043d\u043e\u0432\u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0443, \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u0432\u0438\u0434\u0430\u043b\u0438\u0432\u0448\u0438 \u0440\u044f\u0434\u043a\u0438 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0438\u0445 \u0441\u0438\u043c\u0432\u043e\u043b\u0456\u0432. \u0414\u043b\u044f \u0446\u044c\u043e\u0433\u043e \u043f\u043e\u0442\u0440\u0456\u0431\u043d\u043e \u043f\u0435\u0440\u0435\u043a\u043e\u043c\u043f\u0456\u043b\u044e\u0432\u0430\u0442\u0438 \u0444\u043e\u043d\u043e\u0432\u0438\u0439 \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u043d\u0438\u0439 \u0444\u0430\u0439\u043b. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = \u0417\u0430\u043f\u0438\u0442, \u044f\u043a\u0438\u0439 \u0441\u043f\u043e\u0447\u0430\u0442\u043a\u0443 \u0441\u043f\u043e\u0441\u0442\u0435\u0440\u0456\u0433\u0430\u0432\u0441\u044f \u044f\u043a POST, \u0442\u0430\u043a\u043e\u0436 \u0431\u0443\u0432 \u043f\u0440\u0438\u0439\u043d\u044f\u0442\u0438\u0439 \u044f\u043a GET. 
\u0426\u044f \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0441\u0430\u043c\u0430 \u043f\u043e \u0441\u043e\u0431\u0456 \u043d\u0435 \u0454 \u0441\u043b\u0430\u0431\u043a\u0456\u0441\u0442\u044e \u0431\u0435\u0437\u043f\u0435\u043a\u0438, \u043e\u0434\u043d\u0430\u043a \u0432\u043e\u043d\u0430 \u043c\u043e\u0436\u0435 \u0441\u043f\u0440\u0438\u044f\u0442\u0438 \u0441\u043f\u0440\u043e\u0449\u0435\u043d\u043d\u044e \u0456\u043d\u0448\u0438\u0445 \u0430\u0442\u0430\u043a. \u041d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u044f\u043a\u0449\u043e \u043e\u0440\u0438\u0433\u0456\u043d\u0430\u043b\u044c\u043d\u0438\u0439 POST \u043f\u0456\u0434\u043b\u044f\u0433\u0430\u0454 \u043c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u043c\u0443 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e (XSS), \u0442\u043e \u0446\u0435 \u043c\u043e\u0436\u0435 \u0432\u043a\u0430\u0437\u0443\u0432\u0430\u0442\u0438 \u043d\u0430 \u0442\u0435, \u0449\u043e \u0441\u043f\u0440\u043e\u0449\u0435\u043d\u0438\u0439 (\u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 GET) XSS \u0442\u0430\u043a\u043e\u0436 \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u043c\u043e\u0436\u043b\u0438\u0432\u0438\u043c. ascanrules.getforpost.name = GET \u0434\u043b\u044f POST 
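Review bot: `ascanrules.formatstring.desc` in this hunk describes a format string error as input "evaluated as a command", which is inaccurate: the defect is user-controlled data being passed as the format argument of a printf-family function, and the `/%s` and `/%x` probes named in error1 and error2 only make sense under that definition. The `.soln` text (`proper deletion of bad character strings`) is likewise off target; the fix is never to use untrusted input as the format string, i.e. `printf("%s", input)` rather than `printf(input)`, not to strip characters. Both are source-string wording issues to fix upstream rather than in this locale file. Separately, the unchanged `ascanrules.formatstring.refs` context line points at `.../attacks/Fromat_string_attack` (Fromat); verify that URL resolves, since the expected OWASP slug is `Format_string_attack`.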
@@ -86,7 +86,7 @@ ascanrules.hidden.files.name = \u041f\u043e\u0448\u0443\u043a \u043f\u0440\u0438 ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.htm ascanrules.hidden.files.soln = \u0417\u0432\u0430\u0436\u0442\u0435, \u0447\u0438 \u0434\u0456\u0439\u0441\u043d\u043e \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442 \u043f\u043e\u0442\u0440\u0456\u0431\u0435\u043d \u0443 \u0432\u0438\u0440\u043e\u0431\u043d\u0438\u0446\u0442\u0432\u0456, \u0456 \u044f\u043a\u0449\u043e \u043d\u0456, \u0432\u0438\u043c\u043a\u043d\u0456\u0442\u044c \u0439\u043e\u0433\u043e. \u042f\u043a\u0449\u043e \u0442\u0430\u043a, \u0442\u043e \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u043d\u044c\u043e\u0433\u043e \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0454 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u043d\u043e\u0457 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0442\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457, \u0430\u0431\u043e \u043e\u0431\u043c\u0435\u0436\u0442\u0435 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0432\u043d\u0443\u0442\u0440\u0456\u0448\u043d\u0456\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u0447\u0438 \u043f\u0435\u0432\u043d\u0438\u0445 \u0434\u0436\u0435\u0440\u0435\u043b IP-\u0430\u0434\u0440\u0435\u0441 \u0442\u043e\u0449\u043e. 
-ascanrules.htaccess.desc = \u0424\u0430\u0439\u043b\u0438 htaccess \u043c\u043e\u0436\u043d\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 \u0434\u043b\u044f \u0437\u043c\u0456\u043d\u0438 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u0457 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u043e\u0433\u043e \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0435\u043d\u043d\u044f \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0430 Apache, \u0449\u043e\u0431 \u0443\u0432\u0456\u043c\u043a\u043d\u0443\u0442\u0438 \u0430\u0431\u043e \u0432\u0438\u043c\u043a\u043d\u0443\u0442\u0438 \u0434\u043e\u0434\u0430\u0442\u043a\u043e\u0432\u0456 \u0444\u0443\u043d\u043a\u0446\u0456\u0457 \u0442\u0430 \u0444\u0443\u043d\u043a\u0446\u0456\u0457, \u044f\u043a\u0456 \u043f\u0440\u043e\u043f\u043e\u043d\u0443\u0454 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u0435 \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0435\u043d\u043d\u044f \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 Apache. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. 
ascanrules.htaccess.name = \u0412\u0438\u0442\u0456\u043a \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 \u0444\u0430\u0439\u043b\u0443 .htaccess ascanrules.htaccess.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u043a\u043e\u0434\u0443 \u0441\u0442\u0430\u0442\u0443\u0441\u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u0444\u0430\u0439\u043b htaccess \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c\u043e\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0430\u0431\u043e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
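Review bot: the new English `ascanrules.htaccess.desc` explains what htaccess files are for but never states the finding itself, which the `.name` key (Витік інформації файлу .htaccess, ".htaccess file information leak") and `.otherinfo` make clear is that the file is readable over HTTP; the description should say why that matters (it can expose rewrite rules, paths to password and auth files, and which directories are restricted). The phrase `enable/disable additional functionality and features` is also redundant. Both are source-string fixes; this hunk only swaps the Ukrainian translation for that English text.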
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = \u0417\u0430\u0433\u0430\u043b\u044c\u043d\u0438 ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = \u041e\u043d\u043e\u0432\u0456\u0442\u044c \u0443\u0440\u0430\u0436\u0435\u043d\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u0435 \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0435\u043d\u043d\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0430\u0431\u043e \u0437\u043c\u0456\u043d\u0456\u0442\u044c \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0457, \u0449\u043e\u0431 \u0432\u043e\u043d\u0438 \u043d\u0430\u043b\u0435\u0436\u043d\u0438\u043c \u0447\u0438\u043d\u043e\u043c \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u044f\u043b\u0438 \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0456 \u0434\u0430\u043d\u0456 \u043f\u0435\u0440\u0435\u0434 \u0441\u043f\u0440\u043e\u0431\u043e\u044e \u0440\u043e\u0437\u0448\u0438\u0444\u0440\u043e\u0432\u043a\u0438. -ascanrules.parametertamper.desc = \u041c\u0430\u043d\u0456\u043f\u0443\u043b\u044f\u0446\u0456\u0457 \u0437 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u043c\u0438 \u043f\u0440\u0438\u0437\u0432\u0435\u043b\u0438 \u0434\u043e \u0432\u0456\u0434\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u043d\u044f \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u043f\u043e\u043c\u0438\u043b\u043a\u0438 \u0430\u0431\u043e \u0442\u0440\u0430\u0441\u0443\u0432\u0430\u043d\u043d\u044f \u0441\u0442\u0435\u043a\u0430 Java. 
\u0426\u0435 \u0432\u043a\u0430\u0437\u0443\u0454 \u043d\u0430 \u0432\u0456\u0434\u0441\u0443\u0442\u043d\u0456\u0441\u0442\u044c \u043e\u0431\u0440\u043e\u0431\u043a\u0438 \u0432\u0438\u043d\u044f\u0442\u043a\u0456\u0432 \u0456 \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0456 \u043e\u0431\u043b\u0430\u0441\u0442\u0456 \u0434\u043b\u044f \u043f\u043e\u0434\u0430\u043b\u044c\u0448\u043e\u0433\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = \u041f\u0456\u0434\u0440\u043e\u0431\u043a\u0430 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0443 -ascanrules.parametertamper.soln = \u0412\u0438\u0437\u043d\u0430\u0447\u0442\u0435 \u043f\u0440\u0438\u0447\u0438\u043d\u0443 \u043f\u043e\u043c\u0438\u043b\u043a\u0438 \u0442\u0430 \u0443\u0441\u0443\u043d\u044c\u0442\u0435 \u0457\u0457. \u041d\u0435 \u0434\u043e\u0432\u0456\u0440\u044f\u0439\u0442\u0435 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044e \u0437 \u0431\u043e\u043a\u0443 \u043a\u043b\u0456\u0454\u043d\u0442\u0430 \u0442\u0430 \u0432\u0438\u043a\u043e\u043d\u0443\u0439\u0442\u0435 \u0441\u0443\u0432\u043e\u0440\u0443 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. \u041a\u0440\u0456\u043c \u0442\u043e\u0433\u043e, \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043f\u0435\u0440\u0435\u0445\u043e\u043f\u043b\u044e\u0439\u0442\u0435 \u0432\u0438\u043d\u044f\u0442\u043e\u043a. 
\u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0437\u0430\u0433\u0430\u043b\u044c\u043d\u0443 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443 \u043f\u043e\u043c\u0438\u043b\u043a\u0438 500 \u0434\u043b\u044f \u0432\u043d\u0443\u0442\u0440\u0456\u0448\u043d\u044c\u043e\u0457 \u043f\u043e\u043c\u0438\u043b\u043a\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = \u041e\u0431\u0445\u0456\u0434 \u0448\u043b\u044f\u0445\u0443 
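Review bot: `ascanrules.parametertamper.desc` has a tense slip, `This indicated lack of exception handling` should be `This indicates a lack of exception handling`, and `.soln` says `enforce a tight check in the server side`, which should be `on the server side`. Both should be corrected in the source strings; this hunk only replaces the Ukrainian translations of the two keys with that English text. The solution could also make the point of the generic 500 page explicit: the stack trace is the information leak, so the error page must not echo exception details or class names.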
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = \u0423 \u0432\u0456\u0434\u043f\u043e ascanrules.persistentxssattack.json.name = \u0421\u043b\u0430\u0431\u043a\u0456\u0441\u0442\u044c \u043c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e (\u043f\u043e\u0441\u0442\u0456\u0439\u043d\u0438\u0439 \u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 JSON) ascanrules.persistentxssattack.name = \u041c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0438\u0439 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0439 (\u041f\u043e\u0441\u0442\u0456\u0439\u043d\u0438\u0439) ascanrules.persistentxssattack.otherinfo = \u0414\u0436\u0435\u0440\u0435\u043b\u043e URL-\u0430\u0434\u0440\u0435\u0441\u0438\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = \u0412\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u0437 \u0439\u043c\u043e\u0432\u0456\u0440\u043d\u0456\u0441\u0442\u044e LOW, \u043e\u0441\u043a\u0456\u043b\u044c\u043a\u0438 Content-Type \u043d\u0435 \u0454 HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. 
ascanrules.persistentxssprime.name = \u041c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0438\u0439 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0439 (\u041f\u043e\u0441\u0442\u0456\u0439\u043d\u0438\u0439) - Prime ascanrules.persistentxssspider.name = \u041c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0438\u0439 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0439 (\u041f\u043e\u0441\u0442\u0456\u0439\u043d\u0438\u0439) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = \u0414\u0435\u044f\u043a\u0456 \u0432\u0435\u0440\u0441\u0456\u0457 PHP, \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0456 \u043d\u0430 \u0440\u043e\u0431\u043e\u0442\u0443 \u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f\u043c CGI, \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u044e\u0442\u044c \u0440\u044f\u0434\u043a\u0438 \u0437\u0430\u043f\u0438\u0442\u0443, \u0443 \u044f\u043a\u0438\u0445 \u0432\u0456\u0434\u0441\u0443\u0442\u043d\u0456\u0439 \u043d\u0435\u0435\u043a\u0440\u0430\u043d\u043e\u0432\u0430\u043d\u0438\u0439 \u0441\u0438\u043c\u0432\u043e\u043b "\=", \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u0442\u0438 \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u0438\u0439 \u043a\u043e\u0434. 
\u0423 \u0446\u044c\u043e\u043c\u0443 \u0432\u0438\u043f\u0430\u0434\u043a\u0443 \u043d\u0430 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u0431\u0443\u043b\u043e \u0432\u0438\u043a\u043b\u0438\u043a\u0430\u043d\u043e \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u043a\u043e\u043c\u0430\u043d\u0434\u0438 \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0439\u043d\u043e\u0457 \u0441\u0438\u0441\u0442\u0435\u043c\u0438, \u0430 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0438 \u043f\u043e\u0432\u0435\u0440\u043d\u0443\u0442\u043e \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0443. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = \u0412\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u0435 \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u043a\u043e\u0434\u0443 - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = \u041e\u043d\u043e\u0432\u0456\u0442\u044c PHP \u0434\u043e \u043e\u0441\u0442\u0430\u043d\u043d\u044c\u043e\u0457 \u0441\u0442\u0430\u0431\u0456\u043b\u044c\u043d\u043e\u0457 \u0432\u0435\u0440\u0441\u0456\u0457 \u0430\u0431\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 Apache \u0456 \u043c\u043e\u0434\u0443\u043b\u044c mod_rewrite \u0434\u043b\u044f \u0444\u0456\u043b\u044c\u0442\u0440\u0430\u0446\u0456\u0457 \u0448\u043a\u0456\u0434\u043b\u0438\u0432\u0438\u0445 \u0437\u0430\u043f\u0438\u0442\u0456\u0432 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432 "RewriteCond" \u0456 
"RewriteRule". ascanrules.remotefileinclude.name = \u0412\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u0435 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044f \u0444\u0430\u0439\u043b\u0456\u0432 -ascanrules.serversideinclude.desc = \u041f\u0435\u0432\u043d\u0456 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 \u043c\u043e\u0436\u0443\u0442\u044c \u0432\u0438\u043a\u043b\u0438\u043a\u0430\u0442\u0438 \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u043a\u043e\u043c\u0430\u043d\u0434 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044f \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. \u0426\u0435 \u043c\u043e\u0436\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u0438 \u043f\u0456\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044f \u0434\u043e \u0431\u0430\u0437\u0438 \u0434\u0430\u043d\u0438\u0445 \u0430\u0431\u043e \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443. +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = \u0421\u0435\u0440\u0432\u0435\u0440\u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0430 \u0432\u043a\u043b\u044e\u0447\u0430\u0454 ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = \u041d\u0435 \u0434\u043e\u0432\u0456\u0440\u044f\u0439\u0442\u0435 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044e \u0437 \u0431\u043e\u043a\u0443 \u043a\u043b\u0456\u0454\u043d\u0442\u0430 \u0442\u0430 \u0432\u0438\u043a\u043e\u043d\u0443\u0439\u0442\u0435 \u0441\u0443\u0432\u043e\u0440\u0443 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. 
\u0412\u0438\u043c\u043a\u043d\u0443\u0442\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u0456 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0438.\n\u0417\u0432\u0435\u0440\u043d\u0456\u0442\u044c\u0441\u044f \u0434\u043e \u043f\u043e\u0441\u0456\u0431\u043d\u0438\u043a\u0430, \u0449\u043e\u0431 \u0432\u0438\u043c\u043a\u043d\u0443\u0442\u0438 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044f \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430.\n\u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u043d\u0430\u0439\u043c\u0435\u043d\u0448\u0456 \u043f\u0440\u0438\u0432\u0456\u043b\u0435\u0457 \u0434\u043b\u044f \u0437\u0430\u043f\u0443\u0441\u043a\u0443 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0430\u0431\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c.\n\u0414\u043b\u044f Apache \u0432\u0438\u043c\u043a\u043d\u0456\u0442\u044c \u043d\u0430\u0441\u0442\u0443\u043f\u043d\u0435\:\n\u041f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 \u0412\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044f FollowSymLinks \u0412\u043a\u043b\u044e\u0447\u0430\u0454\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. 
ascanrules.sourcecodedisclosurecve-2012-1823.desc = \u0414\u0435\u044f\u043a\u0456 \u0432\u0435\u0440\u0441\u0456\u0457 PHP, \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0456 \u043d\u0430 \u0440\u043e\u0431\u043e\u0442\u0443 \u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f\u043c CGI, \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u044e\u0442\u044c \u0440\u044f\u0434\u043a\u0438 \u0437\u0430\u043f\u0438\u0442\u0443, \u0443 \u044f\u043a\u0438\u0445 \u0432\u0456\u0434\u0441\u0443\u0442\u043d\u0456\u0439 \u043d\u0435\u0432\u0456\u0434\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u0439 \u0441\u0438\u043c\u0432\u043e\u043b "\=", \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0440\u043e\u0437\u043a\u0440\u0438\u0432\u0430\u0442\u0438 \u0432\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043a\u043e\u0434 PHP \u0456 \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u0442\u0438 \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u0438\u0439 \u043a\u043e\u0434. \u0423 \u0446\u044c\u043e\u043c\u0443 \u0432\u0438\u043f\u0430\u0434\u043a\u0443 \u0432\u043c\u0456\u0441\u0442 PHP \u0444\u0430\u0439\u043b\u0443 \u0431\u0443\u043b\u043e \u043f\u043e\u0434\u0430\u043d\u043e \u0431\u0435\u0437\u043f\u043e\u0441\u0435\u0440\u0435\u0434\u043d\u044c\u043e \u0443 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440. \u0426\u0435\u0439 \u0432\u0438\u0445\u0456\u0434 \u0437\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u043c\u0456\u0441\u0442\u0438\u0442\u0438\u043c\u0435 PHP, \u0445\u043e\u0447\u0430 \u0432\u0456\u043d \u0442\u0430\u043a\u043e\u0436 \u043c\u043e\u0436\u0435 \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u0437\u0432\u0438\u0447\u0430\u0439\u043d\u0438\u0439 HTML. 
ascanrules.sourcecodedisclosurecve-2012-1823.name = \u0420\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443 - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = \u041e\u043d\u043e\u0432\u0456\u0442\u044c \u0434\u043e \u043e\u0441\u0442\u0430\u043d\u043d\u044c\u043e\u0457 \u0441\u0442\u0430\u0431\u0456\u043b\u044c\u043d\u043e\u0457 \u0432\u0435\u0440\u0441\u0456\u0457 PHP \u0430\u0431\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 Apache \u0456 \u043c\u043e\u0434\u0443\u043b\u044c mod_rewrite, \u0449\u043e\u0431 \u0432\u0456\u0434\u0444\u0456\u043b\u044c\u0442\u0440\u0443\u0432\u0430\u0442\u0438 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0456 \u0437\u0430\u043f\u0438\u0442\u0438 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432 \u00abRewriteCond\u00bb \u0456 \u00abRewriteRule\u00bb. -ascanrules.sourcecodedisclosurewebinf.desc = \u0412\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043a\u043e\u0434 Java \u0431\u0443\u0432 \u0440\u043e\u0437\u043a\u0440\u0438\u0442\u0438\u0439 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \u0443 \u0444\u0430\u0439\u043b\u0430\u0445 \u043a\u043b\u0430\u0441\u0456\u0432 Java \u0443 \u0442\u0435\u0446\u0456 WEB-INF. 
\u0424\u0430\u0439\u043b\u0438 \u043a\u043b\u0430\u0441\u0456\u0432 \u043c\u043e\u0436\u043d\u0430 \u0440\u043e\u0437\u0456\u0431\u0440\u0430\u0442\u0438 \u0434\u043b\u044f \u0441\u0442\u0432\u043e\u0440\u0435\u043d\u043d\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443, \u044f\u043a\u0438\u0439 \u0434\u0443\u0436\u0435 \u0442\u043e\u0447\u043d\u043e \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0430\u0454 \u043e\u0440\u0438\u0433\u0456\u043d\u0430\u043b\u044c\u043d\u043e\u043c\u0443 \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u043c\u0443 \u043a\u043e\u0434\u0443. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = \u0420\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443 - \u0442\u0435\u043a\u0430 /WEB-INF -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = \u041a\u043b\u0430\u0441 Java \u0443 \u0442\u0435\u0446\u0456 /WEB-INF \u0432\u0438\u044f\u0432\u0438\u0432 \u043d\u0430\u044f\u0432\u043d\u0456\u0441\u0442\u044c \u0444\u0430\u0439\u043b\u0443 \u0432\u043b\u0430\u0441\u0442\u0438\u0432\u043e\u0441\u0442\u0435\u0439. 
\u0424\u0430\u0439\u043b \u0432\u043b\u0430\u0441\u0442\u0438\u0432\u043e\u0441\u0442\u0435\u0439 \u043d\u0435 \u043f\u0440\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u0437\u0430\u0433\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0443 \u0442\u0430 \u0437\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u043f\u0440\u043e \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044e, \u043e\u0431\u043b\u0456\u043a\u043e\u0432\u0456 \u0434\u0430\u043d\u0456 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0438 \u0430\u0431\u043e \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0456\u0447\u043d\u0456 \u043a\u043b\u044e\u0447\u0456. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = \u041f\u043e\u0441\u0438\u043b\u0430\u043d\u043d\u044f \u043d\u0430 \u0444\u0430\u0439\u043b \u0432\u043b\u0430\u0441\u0442\u0438\u0432\u043e\u0441\u0442\u0435\u0439 \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u0432 \u0440\u043e\u0437\u0456\u0431\u0440\u0430\u043d\u043e\u043c\u0443 \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u043c\u0443 \u043a\u043e\u0434\u0456 Java \u0434\u043b\u044f \u043a\u043b\u0430\u0441\u0443 Java [{0}]. 
ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = \u0420\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044f \u0444\u0430\u0439\u043b\u0443 \u0432\u043b\u0430\u0441\u0442\u0438\u0432\u043e\u0441\u0442\u0435\u0439 - \u0442\u0435\u043a\u0430 /WEB-INF -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = \u0412\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u043c\u0430\u0454 \u0431\u0443\u0442\u0438 \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0438\u0439 \u0442\u0430\u043a, \u0449\u043e\u0431 \u0442\u0435\u043a\u0430 /WEB-INF \u0430\u0431\u043e \u0457\u0457 \u0432\u043c\u0456\u0441\u0442 \u043d\u0435 \u043e\u0431\u0441\u043b\u0443\u0433\u043e\u0432\u0443\u0432\u0430\u043b\u0438\u0441\u044f \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430\u043c\u0438. \u0422\u0430\u043a\u043e\u0436 \u043c\u043e\u0436\u043d\u0430 \u0432\u0438\u0434\u0430\u043b\u0438\u0442\u0438 \u0442\u0435\u043a\u0443 /WEB-INF. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = \u0412\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u043c\u0430\u0454 \u0431\u0443\u0442\u0438 \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0438\u0439 \u0442\u0430\u043a\u0438\u043c \u0447\u0438\u043d\u043e\u043c, \u0449\u043e\u0431 \u043d\u0435 \u043e\u0431\u0441\u043b\u0443\u0433\u043e\u0432\u0443\u0432\u0430\u0442\u0438 \u0442\u0435\u043a\u0443 /WEB-INF \u0430\u0431\u043e \u0457\u0457 \u0432\u043c\u0456\u0441\u0442 \u0443 \u0432\u0435\u0431\u043f\u0435\u0440\u0435\u0433\u043b\u044f\u0434\u0430\u0447\u0430\u0445, \u043e\u0441\u043a\u0456\u043b\u044c\u043a\u0438 \u0432\u043e\u043d\u0430 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e, \u0442\u0430\u043a\u0443 \u044f\u043a \u0441\u043a\u043e\u043c\u043f\u0456\u043b\u044c\u043e\u0432\u0430\u043d\u0438\u0439 \u0432\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043a\u043e\u0434 Java \u0456 \u0444\u0430\u0439\u043b\u0438 \u0432\u043b\u0430\u0441\u0442\u0438\u0432\u043e\u0441\u0442\u0435\u0439, \u044f\u043a\u0456 \u043c\u043e\u0436\u0443\u0442\u044c \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u043e\u0431\u043b\u0456\u043a\u043e\u0432\u0456 \u0434\u0430\u043d\u0456. 
\u041a\u043b\u0430\u0441\u0438 Java, \u0449\u043e \u0440\u043e\u0437\u0433\u043e\u0440\u0442\u0430\u044e\u0442\u044c\u0441\u044f \u0440\u0430\u0437\u043e\u043c \u0456\u0437 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043e\u044e, \u043c\u0430\u044e\u0442\u044c \u0431\u0443\u0442\u0438 \u043e\u0431\u0444\u0443\u0441\u043a\u043e\u0432\u0430\u043d\u0456 \u044f\u043a \u0434\u043e\u0434\u0430\u0442\u043a\u043e\u0432\u0438\u0439 \u0440\u0456\u0432\u0435\u043d\u044c \u0437\u0430\u0445\u0438\u0441\u0442\u0443 \u0432 \u043f\u0456\u0434\u0445\u043e\u0434\u0456 \u00ab\u043f\u043e\u0433\u043b\u0438\u0431\u043b\u0435\u043d\u043e\u0433\u043e \u0437\u0430\u0445\u0438\u0441\u0442\u0443\u00bb. ascanrules.spring4shell.desc = \u0414\u043e\u0434\u0430\u0442\u043e\u043a \u0432\u0438\u044f\u0432\u043b\u044f\u0454\u0442\u044c\u0441\u044f \u0443\u0440\u0430\u0437\u043b\u0438\u0432\u0438\u043c \u0434\u043b\u044f CVE-2022-22965 (\u0442\u0430\u043a\u043e\u0436 \u0432\u0456\u0434\u043e\u043c\u043e\u0457 \u044f\u043a Spring4Shell) - \u0432\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u0435 \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u043a\u043e\u0434\u0443 (RCE) \u0447\u0435\u0440\u0435\u0437 \u0437\u0432'\u044f\u0437\u0443\u0432\u0430\u043d\u043d\u044f \u0434\u0430\u043d\u0438\u0445. 
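Review bot: the new English value of ascanrules.serversideinclude.soln carries a typo and a stray trailing period inside the Apache directive block. "Refer to manual to disable Sever Side Include." should read "Server Side Include", and the final directive "AddType text/x-server-parsed-html .html." ends with a period that the removed Ukrainian value did not have (it ended in ".html"), so an administrator pasting the three directives into httpd.conf would get a wrong extension. In the same hunk, ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc says "Properties file are not intended to be publicly accessible", which should be "Properties files are ...". Because these lines replace translations with the English source strings, fix the wording in the source Messages.properties rather than here, or the next translation sync will reintroduce it.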
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = \u0412\u0438\u043c\u043a\u043d\u0456\u0442\u044 #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = \u043f\u043e\u043b\u0435\: [{0}], \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = \u0420\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0438 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u0431\u0443\u043b\u0438 \u0443\u0441\u043f\u0456\u0448\u043d\u043e \u043e\u0431\u0440\u043e\u0431\u043b\u0435\u043d\u0456 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u043b\u043e\u0433\u0456\u0447\u043d\u0438\u0445 \u0443\u043c\u043e\u0432 [{0}] \u0456 [{1}]\n\u0417\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430, \u0449\u043e \u0437\u043c\u0456\u043d\u044e\u0454\u0442\u044c\u0441\u044f, \u0431\u0443\u043b\u043e {2}\u0432\u0438\u043b\u0443\u0447\u0435\u043d\u043e \u0437 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0443 HTML \u0434\u043b\u044f \u0446\u0456\u043b\u0435\u0439 \u043f\u043e\u0440\u0456\u0432\u043d\u044f\u043d\u043d\u044f -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = \u041f\u043e\u0432\u0435\u0440\u043d\u0435\u043d\u043e \u0434\u0430\u043d\u0456 \u0434\u043b\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430.\n\u0423\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0431\u0443\u043b\u0430 \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u0430 \u0448\u043b\u044f\u0445\u043e\u043c \u0443\u0441\u043f\u0456\u0448\u043d\u043e\u0433\u043e \u043e\u0431\u043c\u0435\u0436\u0435\u043d\u043d\u044f \u043f\u0435\u0440\u0432\u0456\u0441\u043d\u043e \u043f\u043e\u0432\u0435\u0440\u043d\u0443\u0442\u0438\u0445 \u0434\u0430\u043d\u0438\u0445 \u0448\u043b\u044f\u0445\u043e\u043c 
\u043c\u0430\u043d\u0456\u043f\u0443\u043b\u044e\u0432\u0430\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u043c -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = \u0414\u0430\u043d\u0456 \u041d\u0415 \u043f\u043e\u0432\u0435\u0440\u043d\u0443\u0442\u043e \u0434\u043b\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430.\n\u0412\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0431\u0443\u043b\u0430 \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u0430 \u0448\u043b\u044f\u0445\u043e\u043c \u0443\u0441\u043f\u0456\u0448\u043d\u043e\u0433\u043e \u043e\u0442\u0440\u0438\u043c\u0430\u043d\u043d\u044f \u0431\u0456\u043b\u044c\u0448\u043e\u0457 \u043a\u0456\u043b\u044c\u043a\u043e\u0441\u0442\u0456 \u0434\u0430\u043d\u0438\u0445, \u043d\u0456\u0436 \u0441\u043f\u043e\u0447\u0430\u0442\u043a\u0443 \u043f\u043e\u0432\u0435\u0440\u043d\u0443\u0442\u043e, \u0448\u043b\u044f\u0445\u043e\u043c \u043c\u0430\u043d\u0456\u043f\u0443\u043b\u044e\u0432\u0430\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u043c +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. 
ascanrules.sqlinjection.alert.errorbased.attack = [{0}] \u043f\u043e\u043b\u0435\: [{1}], \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = \u041e\u0440\u0438\u0433\u0456\u043d\u0430\u043b\u044c\u043d\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\: [{0}]. \u0417\u043c\u0456\u043d\u0435\u043d\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\: [{1}]. \u041a\u043e\u043d\u0442\u0440\u043e\u043b\u044c\u043d\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = \u041d\u0435\u0437\u043c\u0456\u043d\u0435\u043d\u043e\u043c\u0443 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044e \u043f\u0440\u0438\u0441\u0432\u043e\u0454\u043d\u043e \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{0}], \u0434\u043e\u0432\u0436\u0438\u043d\u0443 \u0442\u0456\u043b\u0430 [{1}], \u0437\u043c\u0456\u043d\u0435\u043d\u043e\u043c\u0443 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044e \u043f\u0440\u0438\u0441\u0432\u043e\u0454\u043d\u043e \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{2}], \u0434\u043e\u0432\u0436\u0438\u043d\u0443 \u0442\u0456\u043b\u0430 [{3}]. \u0422\u0440\u0435\u0442\u0454 (\u043d\u0435-SQL \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f, \u0449\u043e \u0432\u0438\u043a\u043b\u0438\u043a\u0430\u0454 \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f) \u043c\u0430\u0454 \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{4}], \u0434\u043e\u0432\u0436\u0438\u043d\u0443 \u0442\u0456\u043b\u0430 [{5}]. 
-ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}], \u0456\u043c\u043e\u0432\u0456\u0440\u043d\u043e, \u0437\u0430\u0434\u0430\u043d\u043e \u0440\u0435\u0433\u0443\u043b\u044f\u0440\u043d\u0438\u0439 \u0432\u0438\u0440\u0430\u0437 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u043f\u0440\u043e \u043f\u043e\u043c\u0438\u043b\u043a\u0443 [{1}], \u044f\u043a\u0438\u0439 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0430\u0454 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0430\u043c HTML.\n\u0412\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0431\u0443\u043b\u0430 \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u0430 \u0448\u043b\u044f\u0445\u043e\u043c \u043c\u0430\u043d\u0456\u043f\u0443\u043b\u044e\u0432\u0430\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u043c, \u0449\u043e\u0431 \u0432\u0438\u043a\u043b\u0438\u043a\u0430\u0442\u0438 \u043f\u043e\u0432\u0435\u0440\u043d\u0435\u043d\u043d\u044f \u0442\u0430 \u0440\u043e\u0437\u043f\u0456\u0437\u043d\u0430\u0432\u0430\u043d\u043d\u044f \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u043f\u0440\u043e \u043f\u043e\u043c\u0438\u043b\u043a\u0443 \u0431\u0430\u0437\u0438 \u0434\u0430\u043d\u0438\u0445 -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = \u041d\u0435\u0437\u043c\u0456\u043d\u0435\u043d\u0435 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u043c\u0430\u0454 \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{0}], \u0437\u043c\u0456\u043d\u0435\u043d\u0435 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u043c\u0430\u0454 \u0441\u0442\u0430\u0442\u0443\u0441 HTTP [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = \u041f\u043e\u0447\u0430\u0442\u043a\u043e\u0432\u0456 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0438 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u0431\u0443\u043b\u043e 
\u0443\u0441\u043f\u0456\u0448\u043d\u043e \u0432\u0456\u0434\u0442\u0432\u043e\u0440\u0435\u043d\u043e \u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f\u043c \u0432\u0438\u0440\u0430\u0437\u0443 [{0}] \u044f\u043a \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\n\u0417\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430, \u0449\u043e \u0437\u043c\u0456\u043d\u044e\u0454\u0442\u044c\u0441\u044f, \u0431\u0443\u043b\u043e {1}\u0432\u0438\u043b\u0443\u0447\u0435\u043d\u043e \u0437 \u0432\u0438\u0432\u043e\u0434\u0443 HTML \u0434\u043b\u044f \u0446\u0456\u043b\u0435\u0439 \u043f\u043e\u0440\u0456\u0432\u043d\u044f\u043d\u043d\u044f -ascanrules.sqlinjection.alert.orderbybased.extrainfo = \u041f\u043e\u0447\u0430\u0442\u043a\u043e\u0432\u0456 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0438 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u0431\u0443\u043b\u043e \u0443\u0441\u043f\u0456\u0448\u043d\u043e \u0432\u0456\u0434\u0442\u0432\u043e\u0440\u0435\u043d\u043e \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0432\u0438\u0440\u0430\u0437\u0443 "\u0421\u041e\u0420\u0422\u0423\u0412\u0410\u0422\u0418 \u0417\u0410" [{0}] \u044f\u043a \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\n\u0417\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430, \u0449\u043e \u0437\u043c\u0456\u043d\u044e\u0454\u0442\u044c\u0441\u044f, \u0431\u0443\u043b\u043e {1}\u0432\u0438\u043b\u0443\u0447\u0435\u043d\u043e \u0437 \u0432\u0438\u0432\u043e\u0434\u0443 HTML \u0434\u043b\u044f \u0446\u0456\u043b\u0435\u0439 \u043f\u043e\u0440\u0456\u0432\u043d\u044f\u043d\u043d\u044f -ascanrules.sqlinjection.alert.timebased.extrainfo = \u0427\u0430\u0441 \u0437\u0430\u043f\u0438\u0442\u0443 \u043c\u043e\u0436\u043d\u0430 
\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 [{0}], \u0447\u0435\u0440\u0435\u0437 \u0449\u043e \u0437\u0430\u043f\u0438\u0442 \u0437\u0430\u0439\u043c\u0430\u0432 [{1}] \u043c\u0456\u043b\u0456\u0441\u0435\u043a\u0443\u043d\u0434, \u0442\u043e\u0434\u0456 \u044f\u043a \u0432\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043d\u0435\u0437\u043c\u0456\u043d\u0435\u043d\u0438\u0439 \u0437\u0430\u043f\u0438\u0442 \u0437\u0456 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u043c [{2}] \u0437\u0430\u0439\u043c\u0430\u0432 [{3}] \u043c\u0456\u043b\u0456\u0441\u0435\u043a\u0443\u043d\u0434 +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. 
+ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = \u0427\u0430\u0441 \u0437\u0430\u043f\u0438\u0442\u0443 \u043c\u043e\u0436\u043d\u0430 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 [{0}], \u0447\u0435\u0440\u0435\u0437 \u0449\u043e \u0437\u0430\u043f\u0438\u0442 \u0437\u0430\u0439\u043c\u0430\u0432 [{1}] \u043c\u0456\u043b\u0456\u0441\u0435\u043a\u0443\u043d\u0434, \u0442\u043e\u0434\u0456 \u044f\u043a \u0432\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043d\u0435\u0437\u043c\u0456\u043d\u0435\u043d\u0438\u0439 \u0437\u0430\u043f\u0438\u0442 \u0437\u0456 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u043c [{2}] \u0437\u0430\u0439\u043c\u0430\u0432 [{3}] \u043c\u0456\u043b\u0456\u0441\u0435\u043a\u0443\u043d\u0434. 
ascanrules.sqlinjection.alert.unionbased.attack = [{0}] \u043f\u043e\u043b\u0435\: [{1}], \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] \u0439\u043c\u043e\u0432\u0456\u0440\u043d\u043e, \u0432\u0440\u0430\u0445\u043e\u0432\u0443\u044e\u0447\u0438 \u0440\u0435\u0433\u0443\u043b\u044f\u0440\u043d\u0438\u0439 \u0432\u0438\u0440\u0430\u0437 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u043f\u0440\u043e \u043f\u043e\u043c\u0438\u043b\u043a\u0443 UNION [{1}], \u044f\u043a\u0438\u0439 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0430\u0454 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0430\u043c HTML\n\u0412\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0431\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u0448\u043b\u044f\u0445\u043e\u043c \u043c\u0430\u043d\u0456\u043f\u0443\u043b\u044e\u0432\u0430\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u043c \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u043f\u0440\u043e\u043f\u043e\u0437\u0438\u0446\u0456\u0457 SQL ''UNION'', \u0449\u043e\u0431 \u0441\u043f\u0440\u0438\u0447\u0438\u043d\u0438\u0442\u0438 \u043f\u043e\u0432\u0435\u0440\u043d\u0435\u043d\u043d\u044f \u0442\u0430 \u0440\u043e\u0437\u043f\u0456\u0437\u043d\u0430\u0432\u0430\u043d\u043d\u044f \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u043f\u0440\u043e \u043f\u043e\u043c\u0438\u043b\u043a\u0443 \u0431\u0430\u0437\u0438 \u0434\u0430\u043d\u0438\u0445 +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u043c\u043e\u0436\u043b\u0438\u0432\u0435 \u043d\u0430 \u0441\u0442\u043e\u0440\u0456\u043d\u0446\u0456 \u0432\u0445\u043e\u0434\u0443, \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0447\u0438 \u043e\u0431\u0456\u0439\u0442\u0438 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0438 ascanrules.sqlinjection.authbypass.name = \u0412\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f SQL - \u043e\u0431\u0445\u0456\u0434 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 ascanrules.sqlinjection.desc = \u0412\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f SQL \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u043c\u043e\u0436\u043b\u0438\u0432\u0435. 
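Review bot: ascanrules.sqlinjection.alert.timebased.extrainfo is treated differently from every other string in this hunk and that looks unintentional. Its sibling extrainfo keys (booleanbased, errorbased, expressionbased, orderbybased, unionbased) are reset from Ukrainian to the English source text, but the timebased value keeps the Ukrainian translation and only gains a trailing period. If the sync reset the others because their source text changed, confirm that the timebased source string changed by nothing more than the period; otherwise the kept translation is stale. On the positive side the placeholder sets survive intact ({0}..{5} in differentiation.extrainfo, {0}..{3} in timebased.extrainfo), and the doubled apostrophes in "SQL ''UNION'' clause" are preserved, which a value that also contains {n} placeholders needs so the quote is not taken as MessageFormat quoting.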
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = \u0427\u0430\u0441 \u ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0447\u0438 \u0430\u0442\u0430\u043a\u0443 SQL Injection \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 UNION \u0456 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0434\u0438\u043d\u0430\u043c\u0456\u0447\u043d\u043e\u0433\u043e \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044f SQLite, \u0431\u0443\u043b\u043e \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043e, \u0449\u043e \u0432\u0435\u0440\u0441\u0456\u044f SQLite [{0}].\n\u0417\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0442\u043e\u0447\u043e\u043a \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043c\u043e\u0436\u043d\u0430 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u043f\u043e\u0432\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u043f\u0440\u043e \u0432\u0435\u0440\u0441\u0456\u044e SQLite, \u0430\u043b\u0435 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0447\u0438\u0441\u043b\u043e\u0432\u0438\u0445 \u0442\u043e\u0447\u043e\u043a \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u043c\u043e\u0436\u043d\u0430 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u043b\u0438\u0448\u0435 \u0447\u0430\u0441\u0442\u043a\u043e\u0432\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u043f\u0440\u043e \u0432\u0435\u0440\u0441\u0456\u044e SQLite.\n\u0411\u0456\u043b\u044c\u0448\u0435 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 \u043f\u0440\u043e \u0432\u0435\u0440\u0441\u0456\u044e SQLite [{0}] \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e \u0437\u0430 \u0430\u0434\u0440\u0435\u0441\u043e\u044e https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL 
\u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f - SQLite -ascanrules.ssti.alert.otherinfo = \u041f\u0456\u0434\u0442\u0432\u0435\u0440\u0434\u0436\u0435\u043d\u043d\u044f \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u043d\u0430 [{0}]\n\u0437\u043c\u0456\u0441\u0442\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = \u041a\u043e\u043b\u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\u0441\u0442\u0430\u0432\u043b\u044f\u0454\u0442\u044c\u0441\u044f \u0432 \u0448\u0430\u0431\u043b\u043e\u043d \u0437\u0430\u043c\u0456\u0441\u0442\u044c \u0442\u043e\u0433\u043e, \u0449\u043e\u0431 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438\u0441\u044f \u044f\u043a \u0430\u0440\u0433\u0443\u043c\u0435\u043d\u0442 \u043f\u0456\u0434 \u0447\u0430\u0441 \u0432\u0456\u0437\u0443\u0430\u043b\u0456\u0437\u0430\u0446\u0456\u0457, \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u0454\u0442\u044c\u0441\u044f \u043e\u0431\u0440\u043e\u0431\u043d\u0438\u043a\u043e\u043c \u0448\u0430\u0431\u043b\u043e\u043d\u0456\u0432. \u0417\u0430\u043b\u0435\u0436\u043d\u043e \u0432\u0456\u0434 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c\u0443 \u0448\u0430\u0431\u043b\u043e\u043d\u0456\u0432 \u0446\u0435 \u043c\u043e\u0436\u0435 \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u0432\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u043e\u0433\u043e \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u043a\u043e\u0434\u0443. ascanrules.ssti.name = \u0412\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u0448\u0430\u0431\u043b\u043e\u043d\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = \u0417\u0430\u043c\u0456\u0441\u0442\u044c \u0442\u0 ascanrules.traceaxd.desc = Trace Viewer ASP.NET (trace.axd) \u0432\u0438\u044f\u0432\u0438\u0432\u0441\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0438\u043c. \u0426\u0435\u0439 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442 \u043c\u043e\u0436\u0435 \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u0432\u0438\u0442\u043e\u043a\u0443 \u0437\u043d\u0430\u0447\u043d\u043e\u0457 \u043a\u0456\u043b\u044c\u043a\u043e\u0441\u0442\u0456 \u0446\u0456\u043d\u043d\u043e\u0457 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457. ascanrules.traceaxd.name = \u0412\u0438\u0442\u0456\u043a \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 Trace.axd -ascanrules.traceaxd.otherinfo = \u041d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u043a\u043e\u0434\u0443 \u0441\u0442\u0430\u0442\u0443\u0441\u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 Trace Viewer \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c\u043e\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0430\u0431\u043e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. 
ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = \u041f\u043e\u0434\u0443\u043c\u0430\u0439\u0442\u0435, \u0447\u0438 \u0434\u0456\u0439\u0441\u043d\u043e Trace Viewer \u043f\u043e\u0442\u0440\u0456\u0431\u0435\u043d \u0443 \u0432\u0438\u0440\u043e\u0431\u043d\u0438\u0446\u0442\u0432\u0456, \u044f\u043a\u0449\u043e \u0432\u0456\u043d \u043d\u0435 \u043f\u043e\u0442\u0440\u0456\u0431\u0435\u043d, \u0442\u043e\u0434\u0456 \u0432\u0438\u043c\u043a\u043d\u0456\u0442\u044c \u0439\u043e\u0433\u043e. \u042f\u043a\u0449\u043e \u0446\u0435 \u0442\u0430\u043a, \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u043d\u044c\u043e\u0433\u043e \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0454 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0442\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ur_PK.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ur_PK.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ur_PK.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_ur_PK.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
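Review bot: in this hunk the removed and added lines for ascanrules.bufferoverflow.desc and ascanrules.bufferoverflow.soln read identically, so the only difference there can be trailing whitespace; the single visible wording change is the period appended to ascanrules.bufferoverflow.other. Please confirm with a whitespace-aware view (git diff -w, or the hide-whitespace toggle of the review UI) that nothing else differs in those long strings, and say in the commit message that the locale bundles are being resynced for whitespace and punctuation, because an unexplained rewrite of multi-sentence strings in a localized file is otherwise hard to review.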
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
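Review bot: ascanrules.directorybrowsing.soln is rewritten in this hunk yet keeps the grammatical error "make sure the listed files does not induce risks"; since the string is being touched anyway, make it "make sure the listed files do not induce risks". As this file carries English fallback text rather than an Urdu translation, the fix belongs in the source-language bundle so the translation sync carries it into every locale instead of patching ur_PK on its own.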
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
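Review bot: the periods added to ascanrules.formatstring.error1 and error2 land directly after the format specifiers ("closed the connection on a /%s." and "/%s and /%x."), which a reader can take as part of the literal being reported; quoting the specifiers, for example "closed the connection on a "/%s".", keeps the sentence-final punctuation unambiguous. The capitalization fix in error3 ("Microsoft") is fine as is.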
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
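Review bot: the period appended to ascanrules.serversideinclude.soln ends up attached to the last Apache directive, "AddType text/x-server-parsed-html .html.", where it will be read, and likely copied, as part of the configuration line; either drop that trailing period or reorder the string so that a sentence, not a config line, closes it. The same value still carries the typo "Sever Side Include" in "Refer to manual to disable Sever Side Include", which should become "Server Side Include" while the line is being edited.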
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
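Review bot: the trailing periods added in this hunk leave the two-sentence strings internally inconsistent: ascanrules.sqlinjection.alert.booleanbased.extrainfo, expressionbased.extrainfo and orderbybased.extrainfo still have no period before the "\n" that separates their first sentence from the second, and unionbased.extrainfo ends its first sentence with "matched by the HTML results\n" whereas errorbased.extrainfo has "matched by the HTML results.\n". Adding the missing period before each "\n" makes the punctuation uniform across the group rather than only at the end of each value.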
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_vi_VN.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_vi_VN.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_vi_VN.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_vi_VN.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_yo_NG.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_yo_NG.properties index 45b56f52542..a17d9ce6b80 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_yo_NG.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_yo_NG.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = Buffer Overflow -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = Remote OS Command Injection -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH Information Leak -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env Information Leak ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL Injection - Authentication Bypass ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL Injection - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_zh_CN.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_zh_CN.properties index 55770fe4086..da3e705b11a 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_zh_CN.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_zh_CN.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = \u7f13\u51b2\u533a\u6ea2\u51fa\u9519\u8bef\u7684\u7279\u70b9\u662f\u8986\u76d6\u4e86\u540e\u53f0 web \u8fdb\u7a0b\u7684\u5185\u5b58\u7a7a\u95f4\uff0c\u8fd9\u4e9b\u5185\u5b58\u7a7a\u95f4\u5e94\u8be5\u4ece\u6765\u6ca1\u6709\u88ab\u6709\u610f\u6216\u65e0\u610f\u5730\u4fee\u6539\u8fc7\u3002 IP(Instruction Pointer)\u3001BP(Base Pointer)\u7b49\u5bc4\u5b58\u5668\u7684\u6539\u5199\u503c\u4f1a\u5bfc\u81f4\u5f02\u5e38\u3001\u6bb5\u9519\u8bef\u548c\u5176\u4ed6\u8fdb\u7a0b\u9519\u8bef\u7684\u53d1\u751f\u3002 \u901a\u5e38\u8fd9\u4e9b\u9519\u8bef\u4f1a\u4ee5\u610f\u60f3\u4e0d\u5230\u7684\u65b9\u5f0f\u7ed3\u675f\u5e94\u7528\u7a0b\u5e8f\u7684\u6267\u884c\u3002 +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = \u7f13\u51b2\u533a\u6ea2\u51fa -ascanrules.bufferoverflow.other = \u6f5c\u5728\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\u3002 \u8be5\u811a\u672c\u5173\u95ed\u4e86\u8fde\u63a5\uff0c\u8fd4\u56de 500 \u5185\u90e8\u670d\u52a1\u5668\u9519\u8bef +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. 
ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = \u4ee5\u9002\u5f53\u7684\u8fd4\u56de\u957f\u5ea6\u68c0\u67e5\u6539\u5199\u540e\u53f0\u7a0b\u5e8f\u3002 \u8fd9\u5c06\u9700\u8981\u91cd\u65b0\u7f16\u8bd1\u7684\u53ef\u6267\u884c\u6587\u4ef6\u7684\u80cc\u666f\u3002 +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. ascanrules.cloudmetadata.desc = \u4e91\u5143\u6570\u636e\u653b\u51fb\uff08 Cloud Metadata Attack\uff09\u8bd5\u56fe\u6ee5\u7528\u914d\u7f6e\u9519\u8bef\u7684 NGINX \u670d\u52a1\u5668\uff0c\u4ee5\u8bbf\u95ee\u7531 AWS\u3001GCP \u548c Azure \u7b49\u4e91\u670d\u52a1\u63d0\u4f9b\u5546\u7ef4\u62a4\u7684\u5b9e\u4f8b\u5143\u6570\u636e\u3002\n\u6240\u6709\u8fd9\u4e9b\u63d0\u4f9b\u5546\u90fd\u901a\u8fc7\u5185\u90e8\u4e0d\u53ef\u8def\u7531\u7684 IP \u5730\u5740\u201c169.254.169.254\u201d\u63d0\u4f9b\u5143\u6570\u636e\u2014\u2014\u8fd9\u53ef\u80fd\u4f1a\u88ab\u9519\u8bef\u914d\u7f6e\u7684 NGINX \u670d\u52a1\u5668\u66b4\u9732\uff0c\u5e76\u901a\u8fc7\u5728 Host \u6807\u5934\u5b57\u6bb5\u4e2d\u4f7f\u7528\u6b64 IP \u5730\u5740\u8fdb\u884c\u8bbf\u95ee\u3002 ascanrules.cloudmetadata.name = \u4e91\u5143\u6570\u636e\uff08Cloud Metadata \uff09\u53ef\u80fd\u5df2\u66b4\u9732 
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = \u57fa\u4e8e\u54cd\u5e94\u72b6\u6001\u6210\ ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = \u4e0d\u8981\u4fe1\u4efb NGINX \u914d\u7f6e\u4e2d\u7684\u4efb\u4f55\u7528\u6237\u6570\u636e\u3002 \u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u53ef\u80fd\u662f\u4f7f\u7528\u4e86\u4ece\u201cHost\u201d\u6807\u5934\u8bbe\u7f6e\u7684 $host \u53d8\u91cf\uff0c\u5e76\u4e14\u53ef\u4ee5\u7531\u653b\u51fb\u8005\u63a7\u5236\u3002 -ascanrules.codeinjection.desc = \u4ee3\u7801\u6ce8\u5165\u53ef\u80fd\u5305\u62ec\u5c06\u7531\u811a\u672c\u5f15\u64ce\u8bc4\u4f30\u6267\u884c\u7684\u81ea\u5b9a\u4e49\u4ee3\u7801 +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = \u670d\u52a1\u5668\u7aef\u4ee3\u7801\u6ce8\u5165 ascanrules.codeinjection.name.asp = \u670d\u52a1\u7aef\u4ee3\u7801\u6ce8\u5165\u2014\u2014ASP \u4ee3\u7801\u6ce8\u5165 ascanrules.codeinjection.name.php = \u670d\u52a1\u7aef\u4ee3\u7801\u6ce8\u5165\u2014\u2014PHP \u4ee3\u7801\u6ce8\u5165 ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = \u4e0d\u8981\u76f8\u4fe1\u5ba2\u6237\u7aef\u8f93\u5165\uff0c\u5373\u4f7f\u6709\u5ba2\u6237\u7aef\u9a8c\u8bc1\u3002\n\u901a\u5e38\uff0c\u7c7b\u578b\u68c0\u67e5\u670d\u52a1\u5668\u7aef\u7684\u6240\u6709\u6570\u636e\u5e76\u8f6c\u4e49\u4ece\u5ba2\u6237\u7aef\u63a5\u6536\u7684\u6240\u6709\u6570\u636e\u3002\n \u907f\u514d\u5c06 eval() \u51fd\u6570\u4e0e\u7528\u6237\u8f93\u5165\u6570\u636e\u7ed3\u5408\u4f7f\u7528\u3002 +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data 
received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = \u653b\u51fb\u624b\u6cd5\u7528\u4e8e\u672a\u7ecf\u6388\u6743\u6267\u884c\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u3002\u8fd9\u79cd\u653b\u51fb\u662f\u53ef\u80fd\u8981\u662f\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u63a5\u53d7\u4e0d\u53d7\u4fe1\u4efb\u7684\u8f93\u5165\u4ee5\u4e0d\u5b89\u5168\u7684\u65b9\u5f0f\u751f\u6210\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\uff0c\u6d89\u53ca\u4e0d\u5f53\u6570\u636e\u8fc7\u6ee4\u53ca \uff08\u6216\uff09 \u4e0d\u5f53\u8c03\u7528\u7684\u5916\u90e8\u7a0b\u5e8f\u3002 ascanrules.commandinjection.name = \u8fdc\u7a0b OS \u547d\u4ee4\u6ce8\u5165 -ascanrules.commandinjection.otherinfo.feedback-based = \u626b\u63cf\u89c4\u5219\u80fd\u591f\u901a\u8fc7\u5411\u8fd0\u884c\u6b64\u5e94\u7528\u7a0b\u5e8f\u7684\u64cd\u4f5c\u7cfb\u7edf\u53d1\u9001 [{0}] \u6765\u68c0\u7d22\u6587\u4ef6\u6216\u547d\u4ee4\u7684\u5185\u5bb9 -ascanrules.commandinjection.otherinfo.time-based = \u626b\u63cf\u89c4\u5219\u80fd\u591f\u901a\u8fc7\u5411\u8fd0\u884c\u6b64\u5e94\u7528\u7a0b\u5e8f\u7684\u64cd\u4f5c\u7cfb\u7edf\u53d1\u9001 [{0}] \u6765\u63a7\u5236\u5e94\u7528\u7a0b\u5e8f\u54cd\u5e94\u7684\u65f6\u95f4 +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. 
ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = \u53ef\u4ee5\u901a\u8fc7 CRLF \u6ce8\u5165\u8bbe\u7f6e cookie\u3002\u4e5f\u53ef\u4ee5\u8bbe\u7f6e\u4efb\u610f\u7684HTTP\u54cd\u5e94\u62a5\u5934 \u3002\u6b64\u5916\uff0c\u4f7f\u7528\u8de8\u7ad9\u70b9\u811a\u672c\u7cbe\u5fc3\u5236\u4f5c\u6ce8\u5165\u54cd\u5e94\uff0c\u53ef\u80fd\u8fd8\u5b58\u5728\u7f13\u5b58\u4e2d\u6bd2\u6f0f\u6d1e\u3002 +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF \u6ce8\u5165 ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = \u4ed4\u7ec6\u68c0\u67e5\u63d0\u4ea4\u7684\u53c2\u6570\u3002 \u8fc7\u6ee4 CRLF\u4ee5\u7981\u6b62 CRLF \u6ce8\u5165\u3002 
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = \u5728 JSON \u54cd\u5e94\u4e2d\u53cd\u ascanrules.crosssitescripting.json.name = \u8de8\u7ad9\u811a\u672c\u5f31\u70b9\uff08\u53cd\u6620\u5728 JSON \u54cd\u5e94\u4e2d\uff09 ascanrules.crosssitescripting.name = \u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff08\u53cd\u5c04\u578b\uff09 ascanrules.crosssitescripting.otherinfo.accesskey = accesskey \u5c5e\u6027\u6307\u5b9a\u7528\u4e8e\u6fc0\u6d3b/\u805a\u7126\u5143\u7d20\u7684\u5feb\u6377\u952e\u3002 \u6b64\u5c5e\u6027\u53ef\u4ee5\u89e6\u53d1\u975e\u5e38\u89c4\u6216\u81ea\u5b9a\u4e49\u6807\u7b7e\u7684\u8d1f\u8f7d\u3002 -ascanrules.crosssitescripting.otherinfo.nothtml = \u7531\u4e8e Content-Type \u4e0d\u662f HTML\uff0c\u56e0\u6b64\u7f6e\u4fe1\u5ea6\u8f83\u4f4e +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = \u53d1\u5e03\u72b6\u6001\u4e3b\u52a8\u626b\u63cf\u89c4\u5219 -ascanrules.directorybrowsing.desc = \u53ef\u4ee5\u67e5\u770b\u76ee\u5f55\u5217\u8868\u3002 \u76ee\u5f55\u5217\u8868\u53ef\u80fd\u4f1a\u663e\u793a\u9690\u85cf\u7684\u811a\u672c\u3001\u5305\u542b\u6587\u4ef6\u3001\u5907\u4efd\u6e90\u6587\u4ef6\u7b49\uff0c\u53ef\u4ee5\u8bbf\u95ee\u8fd9\u4e9b\u6587\u4ef6\u4ee5\u8bfb\u53d6\u654f\u611f\u4fe1\u606f\u3002 +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = \u76ee\u5f55\u6d4f\u89c8 ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = \u7981\u7528\u76ee\u5f55\u6d4f\u89c8\u3002 \u5982\u679c\u9700\u8981\uff0c\u8bf7\u786e\u4fdd\u5217\u51fa\u7684\u6587\u4ef6\u4e0d\u4f1a\u5f15\u53d1\u98ce\u9669\u3002 +ascanrules.directorybrowsing.soln = Disable directory browsing. 
If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = \u53d1\u73b0\u9519\u8bef\u8bb0\u5f55\u6a21\u5757\u548c\u5904\u7406\u7a0b\u5e8f\uff08ELMAH[elmah.axd]\uff09HTTP\u6a21\u5757\u53ef\u7528\u3002\u8fd9\u4e2a\u6a21\u5757\u53ef\u80fd\u4f1a\u6cc4\u6f0f\u5927\u91cf\u6709\u4ef7\u503c\u7684\u4fe1\u606f ascanrules.elmah.name = ELMAH\u4fe1\u606f\u6cc4\u6f0f -ascanrules.elmah.otherinfo = \u57fa\u4e8e\u54cd\u5e94\u72b6\u6001\u4ee3\u7801ELMAH\u53ef\u80fd\u53d7\u5230\u8eab\u4efd\u9a8c\u8bc1\u6216\u8005\u6388\u6743\u673a\u5236\u7684\u4fdd\u62a4 +ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https//www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttp\://www.nuget.org/packages/elmah\nhttp\://Elma\u2019s.github.io/ ascanrules.elmah.soln = \u8003\u8651\u5728\u751f\u4ea7\u4e2d\u662f\u5426\u9700\u8981ELMAH\uff0c\u5982\u679c\u6ca1\u6709\u5219\u7981\u6b62\u4f7f\u7528\u3002\u5982\u679c\u662f\u8fd9\u6837\uff0c\u5219\u786e\u4fdd\u5bf9\u5b83\u7684\u8bbf\u95ee\u9700\u8981\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\u3002\u53c2\u89c1\:https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = \u4e00\u4e2a\u6216\u591a\u4e2a .env \u6587\u4ef6\u4f3c\u4e4e\u4f4d\u4e8e\u670d\u52a1\u5668\u4e0a\u3002 \u8fd9\u4e9b\u6587\u4ef6\u901a\u5e38\u4f1a\u66b4\u9732\u57fa\u7840\u67b6\u6784\u6216\u7ba1\u7406\u5e10\u6237\u51ed\u636e\u3001API \u6216 APP \u5bc6\u94a5\u6216\u5176\u4ed6\u654f\u611f\u914d\u7f6e\u4fe1\u606f\u3002 +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. 
ascanrules.envfiles.name = .env \u4fe1\u606f\u6cc4\u6f0f ascanrules.envfiles.otherinfo = \u57fa\u4e8e\u54cd\u5e94\u72b6\u6001\u4ee3\u7801\uff0c.env \u6587\u4ef6\u53ef\u80fd\u53d7\u5230\u8eab\u4efd\u9a8c\u8bc1\u6216\u6388\u6743\u673a\u5236\u7684\u4fdd\u62a4\u3002 ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = \u6ca1\u6709\u627e\u5230\u539f\u56 ascanrules.externalredirect.reason.refresh.header = \u54cd\u5e94\u5728\u5176 Refresh \u6807\u5934\u4e2d\u5305\u542b\u91cd\u5b9a\u5411\uff0c\u5141\u8bb8\u8bbe\u7f6e\u5916\u90e8 Url\u3002 ascanrules.externalredirect.reason.refresh.meta = \u54cd\u5e94\u5728\u5176\u5143 http-equiv \u6807\u8bb0\u4e2d\u5305\u542b\u7528\u4e8e\u201cRefresh\u201d\u7684\u91cd\u5b9a\u5411\uff0c\u5141\u8bb8\u8bbe\u7f6e\u5916\u90e8 Url\u3002 -ascanrules.formatstring.desc = \u683c\u5f0f\u5b57\u7b26\u4e32\u9519\u8bef\u53d1\u751f\u5f53\u6240\u63d0\u4ea4\u7684\u6570\u636e\u7684\u8f93\u5165\u5b57\u7b26\u4e32\u88ab\u8bc4\u4e3a\u547d\u4ee4\u7531\u5e94\u7528\u7a0b\u5e8f\u3002 -ascanrules.formatstring.error1 = \u6f5c\u5728\u7684\u683c\u5f0f\u5b57\u7b26\u4e32\u51fa\u9519\u3002\u811a\u672c\u5173\u95ed\u4e86 /%s \u7684\u8fde\u63a5 -ascanrules.formatstring.error2 = \u6f5c\u5728\u7684\u683c\u5f0f\u5b57\u7b26\u4e32\u65f6\u51fa\u9519\u3002 \u8be5\u811a\u672c\u5173\u95ed /%s \u548c /%x \u7684\u8fde\u63a5 -ascanrules.formatstring.error3 = \u6f5c\u5728\u7684\u683c\u5f0f\u5b57\u7b26\u4e32\u51fa\u9519\u3002 \u8be5\u811a\u672c\u5173\u95ed\u5728\u5fae\u8f6f\u4e0a\u683c\u5f0f\u5b57\u7b26\u4e32\u9519\u8bef\u7684\u8fde\u63a5 +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. 
ascanrules.formatstring.name = \u683c\u5f0f\u5b57\u7b26\u4e32\u9519\u8bef ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = \u4f7f\u7528\u6b63\u786e\u5220\u9664\u574f\u5b57\u7b26\u4e32\u6539\u5199\u540e\u53f0\u7a0b\u5e8f\u3002 \u8fd9\u5c06\u9700\u8981\u91cd\u65b0\u7f16\u8bd1\u7684\u53ef\u6267\u884c\u6587\u4ef6\u7684\u80cc\u666f\u3002 +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. ascanrules.getforpost.desc = \u6700\u521d\u88ab\u89c2\u5bdf\u4e3a POST \u7684\u8bf7\u6c42\u4e5f\u63a5\u53d7 GET\u8bf7\u6c42\u3002 \u8fd9\u4e2a\u95ee\u9898\u672c\u8eab\u5e76\u4e0d\u4ee3\u8868\u5b89\u5168\u5f31\u70b9\uff0c\u4f46\u662f\uff0c\u5b83\u53ef\u80fd\u6709\u52a9\u4e8e\u7b80\u5316\u5176\u4ed6\u653b\u51fb\u3002 \u4f8b\u5982\uff0c\u5982\u679c\u539f\u59cb POST \u53d7\u8de8\u7ad9\u70b9\u811a\u672c (XSS) \u5f71\u54cd\uff0c\u5219\u6b64\u53d1\u73b0\u53ef\u80fd\u8868\u660e\u7b80\u5316\u7684\uff08\u57fa\u4e8e GET \u7684\uff09XSS \u4e5f\u53ef\u80fd\u5b58\u5728\u3002 ascanrules.getforpost.name = Content Security Policy (CSP) Header Not Set 
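Review bot: the five formatstring keys in this hunk (desc, error1, error2, error3, soln) lose their Chinese translations and take the English source text verbatim, so this is a localisation regression rather than an update. The Messages_zh_TW.properties hunk for the same keys later in this patch shows that the source strings only gained a trailing period and a capitalised "Microsoft", which is what invalidated the translations in the export; restore the previous Chinese values or re-approve them in the translation tool before merging. Also visible in the unchanged context: 'ascanrules.getforpost.name = Content Security Policy (CSP) Header Not Set' is the wrong string for this key (the zh_TW file carries 'GET for POST') and should be corrected in a follow-up.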
@@ -86,7 +86,7 @@ ascanrules.hidden.files.name = \u9690\u85cf\u6587\u4ef6\u67e5\u627e\u5668 ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = \u8003\u8651\u8be5\u7ec4\u4ef6\u5728\u751f\u4ea7\u4e2d\u662f\u5426\u786e\u5b9e\u9700\u8981\uff0c\u5982\u679c\u4e0d\u662f\u5219\u7981\u7528\u5b83\u3002 \u5982\u679c\u662f\uff0c\u5219\u786e\u4fdd\u5bf9\u5176\u7684\u8bbf\u95ee\u9700\u8981\u9002\u5f53\u7684\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\uff0c\u6216\u8005\u9650\u5236\u5bf9\u5185\u90e8\u7cfb\u7edf\u6216\u7279\u5b9a\u6e90 IP \u7b49\u7684\u66b4\u9732\u3002 -ascanrules.htaccess.desc = htaccess \u6587\u4ef6\u53ef\u7528\u4e8e\u66f4\u6539 Apache Web \u670d\u52a1\u5668\u8f6f\u4ef6\u7684\u914d\u7f6e\uff0c\u5b83\u7528\u6765 \u542f\u7528/\u7981\u7528 Apache Web \u670d\u52a1\u5668\u8f6f\u4ef6\u5fc5\u987b\u63d0\u4f9b\u7684\u9644\u52a0\u529f\u80fd\u548c\u7279\u6027\u3002 +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess \u4fe1\u606f\u6cc4\u9732 ascanrules.htaccess.otherinfo = \u57fa\u4e8e\u54cd\u5e94\u72b6\u6001\u4ee3\u7801\uff0chtaccess \u6587\u4ef6\u53ef\u80fd\u53d7\u5230\u8eab\u4efd\u9a8c\u8bc1\u6216\u6388\u6743\u673a\u5236\u7684\u4fdd\u62a4\u3002 ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
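Review bot: 'ascanrules.htaccess.desc' drops its Chinese translation and reverts to the English source text, although the zh_TW hunk for the same key at the end of this patch shows a textually identical -/+ pair, i.e. the source string changed only in whitespace or encoding. A whitespace-only source edit should not cost a translation; keep the previous Chinese value here instead of shipping the English fallback.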
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = \u66f4\u65b0\u53d7\u5f71\u54cd\u7684\u670d\u52a1\u5668\u8f6f\u4ef6\uff0c\u6216\u4fee\u6539\u811a\u672c\uff0c\u4ee5\u4fbf\u5b83\u4eec\u5728\u5c1d\u8bd5\u89e3\u5bc6\u4e4b\u524d\u6b63\u786e\u9a8c\u8bc1\u52a0\u5bc6\u6570\u636e\u3002 -ascanrules.parametertamper.desc = \u53c2\u6570\u64cd\u4f5c\u5bfc\u81f4\u663e\u793a\u9519\u8bef\u9875\u9762\u6216\u663e\u793a Java \u5806\u6808\u8ddf\u8e2a\u4fe1\u606f\u3002 \u8fd9\u8868\u660e\u7f3a\u4e4f\u5f02\u5e38\u5904\u7406\u548c\u8fdb\u4e00\u6b65\u5229\u7528\u7684\u6f5c\u5728\u533a\u57df\u3002 +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = \u53c2\u6570\u7be1\u6539 -ascanrules.parametertamper.soln = \u786e\u5b9a\u9519\u8bef\u7684\u539f\u56e0\u5e76\u4fee\u590d\u5b83\u3002 \u4e0d\u8981\u76f8\u4fe1\u5ba2\u6237\u7aef\u8f93\u5165\u5e76\u5728\u670d\u52a1\u5668\u7aef\u5f3a\u5236\u6267\u884c\u4e25\u683c\u68c0\u67e5\u3002 \u6b64\u5916\uff0c\u6b63\u786e\u6355\u83b7\u5f02\u5e38\u3002 \u5bf9\u5185\u90e8\u670d\u52a1\u5668\u9519\u8bef\u4f7f\u7528\u901a\u7528 500 \u9519\u8bef\u9875\u9762\u3002 +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = \u8def\u5f84\u904d\u5386 
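Review bot: both 'parametertamper.desc' and 'parametertamper.soln' replace existing Chinese translations with English source text, the same fallback problem as the formatstring keys. The English source wording that now ships also reads 'This indicated lack of exception handling'; fix it to 'This indicates a lack of exception handling' in the source properties file so the correction reaches every locale rather than only this fallback copy.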
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = \u5728 JSON \u54cd\u5e94\u4e2d\u53d1\ ascanrules.persistentxssattack.json.name = \u8de8\u7ad9\u811a\u672c\u5f31\u70b9\uff08\u5728 JSON \u54cd\u5e94\u4e2d\u6301\u4e45\u5316\uff09 ascanrules.persistentxssattack.name = \u6301\u7eed\u6027\u8de8\u7ad9\u811a\u672c\u653b\u51fb ascanrules.persistentxssattack.otherinfo = \u6e90 URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = \u7531\u4e8e\u5185\u5bb9\u7c7b\u578b\uff08 Content-Type\uff09 \u4e0d\u662f HTML\uff0c\u56e0\u6b64\u7f6e\u4fe1\u5ea6\u8f83\u4f4e +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = \u8de8\u7ad9\u70b9\u811a\u672c \uff08\u6301\u4e45\u7684\uff09- \u4e3b\u8981 ascanrules.persistentxssspider.name = \u8de8\u7ad9\u70b9\u811a\u672c \uff08\u6301\u4e45\u7684\uff09- Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = \u67d0\u4e9bPHP\u7248\u672c\u5728\u8bbe\u7f6e\u4e3a\u7528CGI\u8fd0\u884c\u65f6\uff0c\u4e0d\u80fd\u6b63\u786e\u5904\u7406\u7f3a\u5c11\u975e\u8f6c\u4e49\u201c\=\u201d\u5b57\u7b26\u7684\u67e5\u8be2\u5b57\u7b26\u4e32\uff0c\u4f7f\u5f97\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6210\u4e3a\u53ef\u80fd\u3002\u5728\u6b64\u60c5\u51b5\u4e0b\uff0c\u4f1a\u5f15\u53d1\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u5728Web\u670d\u52a1\u5668\u4e0a\u6267\u884c\uff0c\u5e76\u5c06\u7ed3\u679c\u8fd4\u56de\u81f3\u7f51\u9875\u6d4f\u89c8\u5668\u3002 +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. 
ascanrules.remotecodeexecution.cve-2012-1823.name = \u6267\u884c\u8fdc\u7a0b\u4ee3\u7801\uff1aCVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = \u5347\u7ea7\u5230PHP\u6700\u65b0\u7684\u7a33\u5b9a\u7248\u672c\uff0c\u6216\u4f7f\u7528Apache Web\u670d\u52a1\u5668\u548cmod_rewrite\u6a21\u5757\uff0c\u7528\u201cRewriteCond\u201d\u548c\u201cRewriteRule\u201d\u6307\u4ee4\u6765\u8fc7\u6ee4\u6389\u6076\u610f\u8bf7\u6c42\u3002 ascanrules.remotefileinclude.name = \u8fdc\u7a0b\u6587\u4ef6\u5305\u542b -ascanrules.serversideinclude.desc = \u67d0\u4e9b\u53c2\u6570\u53ef\u80fd\u4f1a\u5bfc\u81f4\u6267\u884c\u670d\u52a1\u5668\u7aef\u5305\u542b\uff08 Server Side Include \uff09\u547d\u4ee4\u3002 \u8fd9\u53ef\u80fd\u5141\u8bb8\u6267\u884c\u6570\u636e\u5e93\u8fde\u63a5\u6216\u4efb\u610f\u4ee3\u7801\u3002 +ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = \u670d\u52a1\u5668\u7aef\u5305\u542b ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = \u4e0d\u8981\u76f8\u4fe1\u5ba2\u6237\u7aef\u8f93\u5165\u5e76\u5728\u670d\u52a1\u5668\u7aef\u5f3a\u5236\u6267\u884c\u4e25\u683c\u68c0\u67e5\u3002 \u7981\u7528\u670d\u52a1\u5668\u7aef\u5305\u542b\uff08server side includes\uff09\u3002\n\u8bf7\u53c2\u9605\u624b\u518c\u4ee5\u7981\u7528\u670d\u52a1\u5668\u7aef\u5305\u542b\uff08server side includes\uff09\u3002\n\u4f7f\u7528\u6700\u4f4e\u6743\u9650\u8fd0\u884c\u60a8\u7684 Web \u670d\u52a1\u5668\u6216\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u3002\n\u5bf9\u4e8e Apache\uff0c\u7981\u7528\u4ee5\u4e0b\u9009\u9879\uff1a\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. 
Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = \u67d0\u4e9b PHP \u7248\u672c\u5728\u914d\u7f6e\u4e3a\u4f7f\u7528 CGI \u8fd0\u884c\u65f6\uff0c\u65e0\u6cd5\u6b63\u786e\u5904\u7406\u7f3a\u5c11\u672a\u8f6c\u4e49\u201c\=\u201d\u5b57\u7b26\u7684\u67e5\u8be2\u5b57\u7b26\u4e32\uff0c\u4ece\u800c\u5bfc\u81f4 PHP \u6e90\u4ee3\u7801\u6cc4\u9732\u548c\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002 \u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0cPHP \u6587\u4ef6\u7684\u5185\u5bb9\u76f4\u63a5\u63d0\u4f9b\u7ed9 Web \u6d4f\u89c8\u5668\u3002 \u6b64\u8f93\u51fa\u901a\u5e38\u5305\u542b PHP\uff0c\u4f46\u4e5f\u53ef\u80fd\u5305\u542b\u7eaf HTML\u3002 ascanrules.sourcecodedisclosurecve-2012-1823.name = \u6e90\u4ee3\u7801\u6cc4\u9732 - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = \u5347\u7ea7\u5230PHP\u6700\u65b0\u7684\u7a33\u5b9a\u7248\u672c\uff0c\u6216\u4f7f\u7528Apache Web\u670d\u52a1\u5668\u548cmod_rewrite\u6a21\u5757\uff0c\u7528\u201cRewriteCond\u201d\u548c\u201cRewriteRule\u201d\u6307\u4ee4\u6765\u8fc7\u6ee4\u6389\u6076\u610f\u8bf7\u6c42\u3002 -ascanrules.sourcecodedisclosurewebinf.desc = Web \u670d\u52a1\u5668\u5728 WEB-INF \u6587\u4ef6\u5939\u4e2d\u7684 Java \u7c7b\u6587\u4ef6\u4e2d\u516c\u5f00\u4e86 Java \u6e90\u4ee3\u7801\u3002 \u53ef\u4ee5\u53cd\u6c47\u7f16\u7c7b\u6587\u4ef6\u4ee5\u751f\u6210\u4e0e\u539f\u59cb\u6e90\u4ee3\u7801\u975e\u5e38\u5339\u914d\u7684\u6e90\u4ee3\u7801\u3002 +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. 
ascanrules.sourcecodedisclosurewebinf.name = \u6e90\u4ee3\u7801\u62ab\u9732\u2014\u2014/WEB-INF \u6587\u4ef6\u5939 -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = /WEB-INF \u6587\u4ef6\u5939\u4e2d\u7684 Java \u7c7b\u516c\u5f00\u4e86\u5c5e\u6027\u6587\u4ef6\u7684\u5b58\u5728\u3002 \u5c5e\u6027\u6587\u4ef6\u4e0d\u5e94\u8be5\u516c\u5f00\u53ef\u8bbf\u95ee\uff0c\u901a\u5e38\u5305\u542b\u914d\u7f6e\u4fe1\u606f\u3001\u5e94\u7528\u7a0b\u5e8f\u51ed\u636e\u6216\u52a0\u5bc6\u5bc6\u94a5\u3002 +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = \u5728 Java \u7c7b [{0}] \u7684\u53cd\u6c47\u7f16 Java \u6e90\u4ee3\u7801\u4e2d\u627e\u5230\u4e86\u5bf9\u5c5e\u6027\u6587\u4ef6\u7684\u5f15\u7528\u3002 ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = \u5c5e\u6027\u6587\u4ef6\u62ab\u9732\u2014\u2014/WEB-INF \u6587\u4ef6\u5939 -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = Web \u670d\u52a1\u5668\u5e94\u914d\u7f6e\u4e3a\u4e0d\u5411 Web \u6d4f\u89c8\u5668\u63d0\u4f9b /WEB-INF \u6587\u4ef6\u5939\u6216\u5176\u5185\u5bb9\u3002 \u4e5f\u53ef\u4ee5\u5220\u9664 /WEB-INF \u6587\u4ef6\u5939\u3002 +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = Web \u670d\u52a1\u5668\u5e94\u914d\u7f6e\u4e3a\u4e0d\u5411 Web \u6d4f\u89c8\u5668\u63d0\u4f9b /WEB-INF \u6587\u4ef6\u5939\u6216\u5176\u5185\u5bb9\uff0c\u56e0\u4e3a\u5b83\u5305\u542b\u654f\u611f\u4fe1\u606f\uff0c\u4f8b\u5982\u5df2\u7f16\u8bd1\u7684 Java \u6e90\u4ee3\u7801\u548c\u53ef\u80fd\u5305\u542b\u51ed\u636e\u7684\u5c5e\u6027\u6587\u4ef6\u3002 \u5e94\u6df7\u6dc6\u4e0e\u5e94\u7528\u7a0b\u5e8f\u4e00\u8d77\u90e8\u7f72\u7684 Java \u7c7b\uff0c\u4f5c\u4e3a\u201c\u7eb5\u6df1\u9632\u5fa1\u201d\u65b9\u6cd5\u4e2d\u7684\u989d\u5916\u9632\u5fa1\u5c42\u3002 ascanrules.spring4shell.desc = \u8be5\u5e94\u7528\u7a0b\u5e8f\u4f3c\u4e4e\u5bb9\u6613\u53d7\u5230 CVE-2022-22965\uff08\u4e5f\u79f0\u4e3a Spring4Shell\uff09\u7684\u653b\u51fb - \u901a\u8fc7\u6570\u636e\u7ed1\u5b9a\u8fdb\u884c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c (RCE)\u3002 
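Review bot: seven keys in this hunk (persistentxssattack.otherinfo.nothtml, remotecodeexecution.cve-2012-1823.desc, serversideinclude.desc, serversideinclude.soln, sourcecodedisclosurewebinf.desc and both propertiesfile keys) swap translated Chinese for English source text, while the neighbouring 'sourcecodedisclosurewebinf.soln' keeps its translation, which makes the fallback pattern easy to spot; restore the Chinese values. The English 'serversideinclude.soln' value also carries two source defects worth fixing upstream: 'Refer to manual to disable Sever Side Include.' should read 'Server', and the value ends 'AddType text/x-server-parsed-html .html.' with a stray period appended to a configuration directive, which a reader may paste into httpd.conf as-is.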
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = \u7981\u7528Health Actuators \u548c\u5176\u4ed6 #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = \u5b57\u6bb5\: [{0}], \u503c [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = \u4f7f\u7528\u5e03\u5c14\u6761\u4ef6 [{0}] \u548c [{1}] \u6210\u529f\u64cd\u4f5c\u4e86\u9875\u9762\u7ed3\u679c\n\u4e3a\u4e86\u8fdb\u884c\u6bd4\u8f83\uff0c\u88ab\u4fee\u6539\u7684\u53c2\u6570\u503c{2}\u5df2\u4ece HTML \u8f93\u51fa\u4e2d\u5220\u9664 -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = \u8fd4\u56de\u539f\u59cb\u53c2\u6570\u7684\u6570\u636e\u3002\n\u901a\u8fc7\u64cd\u7eb5\u53c2\u6570\u9650\u5236\u539f\u521d\u8fd4\u56de\u7684\u6570\u636e\uff0c\u6210\u529f\u68c0\u6d4b\u5230\u6f0f\u6d1e -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = \u672a\u8fd4\u56de\u539f\u59cb\u53c2\u6570\u7684\u6570\u636e\u3002\n\u901a\u8fc7\u64cd\u7eb5\u53c2\u6570\u6210\u529f\u68c0\u7d22\u6bd4\u6700\u521d\u8fd4\u56de\u7684\u6570\u636e\u66f4\u591a\u7684\u6570\u636e\u6765\u68c0\u6d4b\u6f0f\u6d1e +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. 
ascanrules.sqlinjection.alert.errorbased.attack = [{0}] \u5b57\u6bb5\: [{1}] \u503c [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = \u539f\u503c\: [{0}]\u3002\u4fee\u6539\u540e\u7684\u503c\: [{1}]\u3002\u63a7\u5236\u503c\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = \u672a\u4fee\u6539\u7684\u6d88\u606f \u7ed9\u51fa HTTP \u72b6\u6001 [{0}]\uff0c\u6d88\u606f\u6b63\u6587\u7684\u957f\u5ea6 [{1}] \uff0c\u4fee\u6539\u7ed9 HTTP \u72b6\u6001 [{2}]\uff0c\u6d88\u606f\u6b63\u6587\u7684\u957f\u5ea6 [{3}]\u3002\u7b2c\u4e09\u4e2a \uff08\u975e SQL \u6ce8\u5165\u8bf1\u5bfc\u503c\uff09 \u7ed9\u51fa HTTP \u72b6\u6001 [{4}]\uff0c\u6d88\u606f\u6b63\u6587\u7684\u957f\u5ea6 [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}]\u53ef\u80fd\u7ed9\u51fa\u4e0e HTML \u7ed3\u679c\u5339\u914d\u7684\u9519\u8bef\u6d88\u606f\u6b63\u5219\u8868\u8fbe\u5f0f [{1}]\uff0c\u3002\n\u8be5\u6f0f\u6d1e\u662f\u901a\u8fc7\u64cd\u7eb5\u53c2\u6570\u5bfc\u81f4\u8fd4\u56de\u5e76\u8bc6\u522b\u6570\u636e\u5e93\u9519\u8bef\u6d88\u606f\u6765\u68c0\u6d4b\u7684 -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = \u672a\u4fee\u6539\u7684\u6d88\u606f\u7ed9\u51fa HTTP \u72b6\u6001 [{0}]\uff0c\u4fee\u6539\u7684\u6d88\u606f\u7ed9\u51fa HTTP \u72b6\u6001 [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = \u4f7f\u7528\u8868\u8fbe\u5f0f [{0}] \u4f5c\u4e3a\u53c2\u6570\u503c\u6210\u529f\u590d\u5236\u4e86\u539f\u59cb\u9875\u9762\u7ed3\u679c\n\u4e3a\u8fdb\u884c\u6bd4\u8f83\uff0c\u4ece HTML \u8f93\u51fa\u4e2d\u5220\u9664\u4e86\u88ab\u4fee\u6539\u7684\u53c2\u6570\u503c {1} -ascanrules.sqlinjection.alert.orderbybased.extrainfo = \u4f7f\u7528\u201cORDER BY\u201d\u8868\u8fbe\u5f0f [{0}] \u4f5c\u4e3a\u53c2\u6570\u503c\u6210\u529f\u590d\u5236\u4e86\u539f\u59cb\u9875\u9762\u7ed3\u679c\n\u4e3a\u8fdb\u884c\u6bd4\u8f83\uff0c\u4ece HTML \u8f93\u51fa\u4e2d\u5220\u9664\u4e86\u88ab\u4fee\u6539\u7684\u53c2\u6570\u503c {1} 
-ascanrules.sqlinjection.alert.timebased.extrainfo = \u67e5\u8be2\u65f6\u95f4\u53ef\u4f7f\u7528\u53c2\u6570\u503c [{0}] \u63a7\u5236\uff0c\u8fd9\u5bfc\u81f4\u8bf7\u6c42\u82b1\u8d39 [{1}] \u6beb\u79d2\uff0c\u800c\u503c [{2}] \u7684\u539f\u59cb\u672a\u4fee\u6539\u67e5\u8be2\u82b1\u8d39 [{3}] \u6beb\u79d2 +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. +ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. 
+ascanrules.sqlinjection.alert.timebased.extrainfo = \u67e5\u8be2\u65f6\u95f4\u53ef\u4f7f\u7528\u53c2\u6570\u503c [{0}] \u63a7\u5236\uff0c\u8fd9\u5bfc\u81f4\u8bf7\u6c42\u82b1\u8d39 [{1}] \u6beb\u79d2\uff0c\u800c\u503c [{2}] \u7684\u539f\u59cb\u672a\u4fee\u6539\u67e5\u8be2\u82b1\u8d39 [{3}] \u6beb\u79d2\u3002 ascanrules.sqlinjection.alert.unionbased.attack = [{0}] \u5b57\u6bb5\: [{1}] \u503c [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = \u5173\u7cfb\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf [{0}] \u53ef\u80fd\uff0c\u6240\u7ed9\u5b9a\u7684 UNION \u7279\u5b9a\u7684\u9519\u8bef\u6d88\u606f\u6b63\u5219\u8868\u8fbe\u5f0f [{1}] \u548c HTML \u7684\u7ed3\u679c\u4e00\u81f4 \u3002\n\u6b64\u6f0f\u6d1e\u68c0\u6d4b\u901a\u8fc7\u4f7f\u7528SQL\u201cUNION\u201d\u5b50\u53e5\u64cd\u4f5c\u53c2\u6570\u4f1a\u5bfc\u81f4\u6570\u636e\u5e93\u9519\u8bef\u6d88\u606f\u8fd4\u56de\u5e76\u8ba4\u53ef +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. ascanrules.sqlinjection.authbypass.desc = \u767b\u5f55\u9875\u9762\u4e0a\u53ef\u80fd\u5b58\u5728 SQL \u6ce8\u5165\uff0c\u53ef\u80fd\u5141\u8bb8\u7ed5\u8fc7\u5e94\u7528\u7a0b\u5e8f\u7684\u8eab\u4efd\u9a8c\u8bc1\u673a\u5236 ascanrules.sqlinjection.authbypass.name = SQL \u6ce8\u5165\u2014\u2014\u8eab\u4efd\u9a8c\u8bc1\u7ed5\u8fc7 ascanrules.sqlinjection.desc = SQL \u6ce8\u5165\u662f\u53ef\u80fd\u7684\u3002 
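Review bot: only 'sqlinjection.alert.timebased.extrainfo' is a genuine translation update here (the Chinese text gains a terminating full stop); the other eight extrainfo keys in the hunk revert from Chinese to English. When these are re-translated, note that the source places the placeholder directly against the following word ('{2}stripped', '{1}stripped') with no separating space, which indicates the argument supplies its own trailing text; the translated strings must keep the placeholder adjacent to the word, so a translator comment on those keys would prevent the next round of breakage.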
@@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = \u67e5\u8be2\u65f6\u9 ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = \u4f7f\u7528\u57fa\u4e8e UNION \u7684 SQL \u6ce8\u5165\u653b\u51fb\uff0c\u5e76\u5229\u7528 SQLite \u7684\u52a8\u6001\u7c7b\u578b\u673a\u5236\uff0cSQLite \u7248\u672c\u88ab\u786e\u5b9a\u4e3a [{0}]\u3002\n\u4f7f\u7528\u57fa\u4e8e\u5b57\u7b26\u4e32\u7684\u6ce8\u5165\u70b9\uff0c\u53ef\u4ee5\u63d0\u53d6\u5b8c\u6574\u7684 SQLite \u7248\u672c\u4fe1\u606f\uff0c\u4f46\u662f\u4f7f\u7528\u6570\u5b57\u6ce8\u5165\u70b9\uff0c\u53ea\u80fd\u63d0\u53d6\u90e8\u5206 SQLite \u7248\u672c\u4fe1\u606f\u3002\n\u6709\u5173 SQLite \u7248\u672c [{0}] \u7684\u66f4\u591a\u4fe1\u606f\uff0c\u8bf7\u8bbf\u95ee https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL \u6ce8\u5165 - SQLite -ascanrules.ssti.alert.otherinfo = \u8bc1\u636e\u4f4d\u4e8e [{0}]\n\u5185\u5bb9\uff1a\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = \u5f53\u7528\u6237\u8f93\u5165\u63d2\u5165\u5230\u6a21\u677f\u4e2d\u800c\u4e0d\u662f\u7528\u4f5c\u6e32\u67d3\u4e2d\u7684\u53c2\u6570\u65f6\uff0c\u7531\u6a21\u677f\u5f15\u64ce\u8fdb\u884c\u8bc4\u4f30\u6c42\u503c\u3002 \u6839\u636e\u6a21\u677f\u5f15\u64ce\uff0c\u5b83\u53ef\u80fd\u4f1a\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002 ascanrules.ssti.name = \u670d\u52a1\u5668\u7aef\u6a21\u677f\u6ce8\u5165 ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
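Review bot: 'ssti.alert.otherinfo' reverts from the Chinese value to the English source 'Proof found at [{0}]\ncontent\:\n[{1}]'; same fallback issue as the earlier hunks in this file, and the previous translation should be restored rather than overwritten.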
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = \u4e0d\u8981\u5c06\u7528\u6237\u8f93\u5165\u63d2\u51 ascanrules.traceaxd.desc = \u53d1\u73b0 ASP.NET \u8ddf\u8e2a\u67e5\u770b\u5668 (trace.axd) \u53ef\u7528\u3002 \u8be5\u7ec4\u4ef6\u53ef\u80fd\u4f1a\u6cc4\u9732\u5927\u91cf\u6709\u4ef7\u503c\u7684\u4fe1\u606f\u3002 ascanrules.traceaxd.name = Trace.axd \u4fe1\u606f\u6cc4\u9732 -ascanrules.traceaxd.otherinfo = \u57fa\u4e8e\u54cd\u5e94\u72b6\u6001\u4ee3\u7801\uff0c\u8ffd\u8e2a\u67e5\u770b\u5668\u53ef\u80fd\u53d7\u5230\u8eab\u4efd\u9a8c\u8bc1\u6216\u6388\u6743\u673a\u5236\u7684\u4fdd\u62a4\u3002 +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = \u8bf7\u8003\u8651\u5728\u751f\u4ea7\u8fc7\u7a0b\u4e2d\u662f\u5426\u5b9e\u9645\u9700\u8981\u8ffd\u8e2a\u67e5\u770b\u5668\uff0c\u5982\u679c\u4e0d\u9700\u8981\uff0c\u5219\u7981\u7528\u5b83\u3002\u5982\u679c\u9700\u8981\uff0c\u5219\u786e\u4fdd\u5bf9\u5b83\u7684\u8bbf\u95ee\u9700\u8981\u8eab\u4efd\u9a8c\u8bc1\u548c\u6388\u6743\u3002 diff --git a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_zh_TW.properties b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_zh_TW.properties index 05ab86a34fa..7373114cca6 100644 --- a/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_zh_TW.properties +++ b/addOns/ascanrules/src/main/resources/org/zaproxy/zap/extension/ascanrules/resources/Messages_zh_TW.properties 
@@ -1,9 +1,9 @@ -ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. +ascanrules.bufferoverflow.desc = Buffer overflow errors are characterized by the overwriting of memory spaces of the background web process, which should have never been modified intentionally or unintentionally. Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults, and other process errors to occur. Usually these errors end execution of the application in an unexpected way. ascanrules.bufferoverflow.name = \u7de9\u885d\u5340\u6ea2\u4f4d -ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error +ascanrules.bufferoverflow.other = Potential Buffer Overflow. The script closed the connection and threw a 500 Internal Server Error. ascanrules.bufferoverflow.refs = https\://owasp.org/www-community/attacks/Buffer_overflow_attack -ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. +ascanrules.bufferoverflow.soln = Rewrite the background program using proper return length checking. This will require a recompile of the background executable. 
ascanrules.cloudmetadata.desc = The Cloud Metadata Attack attempts to abuse a misconfigured NGINX server in order to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure.\nAll of these providers provide metadata via an internal unroutable IP address '169.254.169.254' - this can be exposed by incorrectly configured NGINX servers and accessed by using this IP address in the Host header field. ascanrules.cloudmetadata.name = Cloud Metadata Potentially Exposed 
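Review bot: 'bufferoverflow.desc' and 'bufferoverflow.soln' appear as textually identical -/+ pairs, so those two changes are whitespace or line-ending only; the single substantive change in the hunk is the trailing period added to 'bufferoverflow.other'. Confirm the whitespace normalisation is intentional output of the export tool and not an editor artefact, since the same rewriting appears to be what invalidated translations in the zh_CN file above.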
@@ -11,20 +11,20 @@ ascanrules.cloudmetadata.otherinfo = Based on the successful response status cod ascanrules.cloudmetadata.refs = https\://www.nginx.com/blog/trust-no-one-perils-of-trusting-user-input/ ascanrules.cloudmetadata.soln = Do not trust any user data in NGINX configs. In this case it is probably the use of the $host variable which is set from the 'Host' header and can be controlled by an attacker. -ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine +ascanrules.codeinjection.desc = A code injection may be possible including custom code that will be evaluated by the scripting engine. ascanrules.codeinjection.name = Server Side Code Injection ascanrules.codeinjection.name.asp = Server Side Code Injection - ASP Code Injection ascanrules.codeinjection.name.php = Server Side Code Injection - PHP Code Injection ascanrules.codeinjection.refs = https\://cwe.mitre.org/data/definitions/94.html\nhttps\://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection -ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\n Avoid the use of eval() functions combined with user input data. +ascanrules.codeinjection.soln = Do not trust client side input, even if there is client side validation in place.\nIn general, type check all data on the server side and escape all data received from the client.\nAvoid the use of eval() functions combined with user input data. ascanrules.commandinjection.desc = Attack technique used for unauthorized execution of operating system commands. This attack is possible when an application accepts untrusted input to build operating system commands in an insecure manner involving improper data sanitization, and/or improper calling of external programs. 
ascanrules.commandinjection.name = \u9060\u7aef\u4f5c\u696d\u7cfb\u7d71\u547d\u4ee4\u6ce8\u5165 -ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application -ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application +ascanrules.commandinjection.otherinfo.feedback-based = The scan rule was able to retrieve the content of a file or command by sending [{0}] to the operating system running this application. +ascanrules.commandinjection.otherinfo.time-based = The scan rule was able to control the timing of the application response by sending [{0}] to the operating system running this application. ascanrules.commandinjection.refs = https\://cwe.mitre.org/data/definitions/78.html\nhttps\://owasp.org/www-community/attacks/Command_Injection -ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. +ascanrules.crlfinjection.desc = Cookie can be set via CRLF injection. It may also be possible to set arbitrary HTTP response headers. In addition, by carefully crafting the injected response using cross-site script, cache poisoning vulnerability may also exist. ascanrules.crlfinjection.name = CRLF Injection ascanrules.crlfinjection.refs = https\://owasp.org/www-community/vulnerabilities/CRLF_Injection\nhttps\://cwe.mitre.org/data/definitions/113.html ascanrules.crlfinjection.soln = Type check the submitted parameter carefully. Do not allow CRLF to be injected by filtering CRLF. 
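Review bot: the 'codeinjection.soln' change removes the stray space after '\n' before 'Avoid', which is the right fix because the leading space rendered as an indented line in the alert text. The 'crlfinjection.desc' pair is textually identical (whitespace only). One wording nit to carry back to the source file while these strings are being touched: 'Cookie can be set via CRLF injection' reads better as 'A cookie can be set via CRLF injection'.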
@@ -33,22 +33,22 @@ ascanrules.crosssitescripting.json.desc = A XSS attack was reflected in a JSON r ascanrules.crosssitescripting.json.name = Cross Site Scripting Weakness (Reflected in JSON Response) ascanrules.crosssitescripting.name = Cross Site Scripting (Reflected) ascanrules.crosssitescripting.otherinfo.accesskey = The accesskey attribute specifies a shortcut key to activate/focus an element. This attribute can trigger payloads for non-conventional or custom tags. -ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.crosssitescripting.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.desc = Release status active scan rules -ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. +ascanrules.directorybrowsing.desc = It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information. ascanrules.directorybrowsing.name = Directory Browsing ascanrules.directorybrowsing.refs = https\://httpd.apache.org/docs/mod/core.html\#options -ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. +ascanrules.directorybrowsing.soln = Disable directory browsing. If this is required, make sure the listed files does not induce risks. ascanrules.elmah.desc = The Error Logging Modules and Handlers (ELMAH [elmah.axd]) HTTP Module was found to be available. This module can leak a significant amount of valuable information. ascanrules.elmah.name = ELMAH \u8cc7\u8a0a\u5916\u6d29 -ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. 
+ascanrules.elmah.otherinfo = Based on response status code ELMAH may be protected by an authentication or authorization mechanism. ascanrules.elmah.refs = https\://www.troyhunt.com/aspnet-session-hijacking-with-google/\nhttps\://www.nuget.org/packages/elmah\nhttps\://elmah.github.io/ ascanrules.elmah.soln = Consider whether or not ELMAH is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. See also\: https\://elmah.github.io/a/securing-error-log-pages/ -ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. +ascanrules.envfiles.desc = One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. ascanrules.envfiles.name = .env \u8cc7\u8a0a\u5916\u6d29 ascanrules.envfiles.otherinfo = Based on response status code the .env file may be protected by an authentication or authorization mechanism. ascanrules.envfiles.refs = https\://www.google.com/search?q\=db_password+filetype%3Aenv\nhttps\://mobile.twitter.com/svblxyz/status/1045013939904532482 
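Review bot: the -/+ pairs for 'directorybrowsing.desc', 'directorybrowsing.soln', 'elmah.otherinfo' and 'envfiles.desc' are textually identical, so the only real change is the period added to 'crosssitescripting.otherinfo.nothtml'. Two grammar defects in the English source are visible here and should be fixed in the source properties file, not in this fallback copy where the next export would overwrite them: 'make sure the listed files does not induce risks' should be 'do not', and 'One or more .env files seems to have been located' should be 'seem'.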
@@ -62,13 +62,13 @@ ascanrules.externalredirect.reason.notfound = No reason found for it... ascanrules.externalredirect.reason.refresh.header = The response contains a redirect in its Refresh header which allows an external Url to be set. ascanrules.externalredirect.reason.refresh.meta = The response contains a redirect in its meta http-equiv tag for 'Refresh' which allows an external Url to be set. -ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. -ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s -ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x -ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a microsoft format string error +ascanrules.formatstring.desc = A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. +ascanrules.formatstring.error1 = Potential Format String Error. The script closed the connection on a /%s. +ascanrules.formatstring.error2 = Potential Format String Error. The script closed the connection on a /%s and /%x. +ascanrules.formatstring.error3 = Potential Format String Error. The script closed the connection on a Microsoft format string error. ascanrules.formatstring.name = Format String Error ascanrules.formatstring.refs = https\://owasp.org/www-community/attacks/Format_string_attack -ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. +ascanrules.formatstring.soln = Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable. 
ascanrules.getforpost.desc = A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible. ascanrules.getforpost.name = GET for POST @@ -86,7 +86,7 @@ ascanrules.hidden.files.name = Hidden File Finder ascanrules.hidden.files.refs = https\://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html ascanrules.hidden.files.soln = Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc. -ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. +ascanrules.htaccess.desc = htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. ascanrules.htaccess.name = .htaccess Information Leak ascanrules.htaccess.otherinfo = Based on response status code htaccess file may be protected by an authentication or authorization mechanism. ascanrules.htaccess.refs = https\://developer.mozilla.org/en-US/docs/Learn/Server-side/Apache_Configuration_htaccess\nhttps\://httpd.apache.org/docs/2.4/howto/htaccess.html 
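Review bot: in @@ -62,13 the `+ascanrules.formatstring.desc` line still describes a format string bug as input "evaluated as a command by the application", which is not what happens: the input is consumed as a printf-style format string, so directives such as %s, %x and %n read or write process memory. Since the line is being touched, reword along the lines of "A Format String error occurs when user-supplied data is used as the format argument of a printf-style function, so directives such as %s, %x and %n are interpreted by the application." The matching `+ascanrules.formatstring.soln` ("proper deletion of bad character strings") gives the wrong remedy; the fix is a constant format string with the input passed as an argument (printf("%s", input)), not filtering characters out of the input.

Review bot: @@ -86,7 only trims trailing whitespace on `+ascanrules.htaccess.desc`; while on that line, "htaccess files" should be ".htaccess files" to match the rule name `.htaccess Information Leak` two lines below.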
@@ -110,9 +110,9 @@ ascanrules.paddingoracle.name = Generic Padding Oracle ascanrules.paddingoracle.refs = https\://learn.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070\nhttps\://www.mono-project.com/docs/about-mono/vulnerabilities/\nhttps\://bugzilla.redhat.com/show_bug.cgi?id\=623799 ascanrules.paddingoracle.soln = Update the affected server software, or modify the scripts so that they properly validate encrypted data before attempting decryption. -ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. +ascanrules.parametertamper.desc = Parameter manipulation caused an error page or Java stack trace to be displayed. This indicated lack of exception handling and potential areas for further exploit. ascanrules.parametertamper.name = Parameter Tampering -ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. +ascanrules.parametertamper.soln = Identify the cause of the error and fix it. Do not trust client side input and enforce a tight check in the server side. Besides, catch the exception properly. Use a generic 500 error page for internal server error. ascanrules.pathtraversal.name = Path Traversal 
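Review bot: the `+ascanrules.parametertamper.desc` line in @@ -110,9 keeps "This indicated lack of exception handling"; the tense is wrong for an alert description, use "This indicates a lack of exception handling". In `+ascanrules.parametertamper.soln`, "Besides, catch the exception properly" reads oddly; "Also, catch the exception properly and return a generic 500 error page for internal server errors" folds the last two sentences into one.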
@@ -123,33 +123,33 @@ ascanrules.persistentxssattack.json.desc = A XSS attack was found in a JSON resp ascanrules.persistentxssattack.json.name = Cross Site Scripting Weakness (Persistent in JSON Response) ascanrules.persistentxssattack.name = Cross Site Scripting (Persistent) ascanrules.persistentxssattack.otherinfo = Source URL\: {0} -ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML +ascanrules.persistentxssattack.otherinfo.nothtml = Raised with LOW confidence as the Content-Type is not HTML. ascanrules.persistentxssprime.name = Cross Site Scripting (Persistent) - Prime ascanrules.persistentxssspider.name = Cross Site Scripting (Persistent) - Spider -ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. +ascanrules.remotecodeexecution.cve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling arbitrary code execution. In this case, an operating system command was caused to be executed on the web server, and the results were returned to the web browser. ascanrules.remotecodeexecution.cve-2012-1823.name = Remote Code Execution - CVE-2012-1823 ascanrules.remotecodeexecution.cve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. ascanrules.remotefileinclude.name = Remote File Inclusion -ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. 
+ascanrules.serversideinclude.desc = Certain parameters may cause Server Side Include commands to be executed. This may allow database connection or arbitrary code to be executed. ascanrules.serversideinclude.name = Server Side Include ascanrules.serversideinclude.refs = https\://httpd.apache.org/docs/current/howto/ssi.html -ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html +ascanrules.serversideinclude.soln = Do not trust client side input and enforce a tight check in the server side. Disable server side includes.\nRefer to manual to disable Sever Side Include.\nUse least privilege to run your web server or application server.\nFor Apache, disable the following\:\nOptions Indexes FollowSymLinks Includes\nAddType application/x-httpd-cgi .cgi\nAddType text/x-server-parsed-html .html. ascanrules.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanrules.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 ascanrules.sourcecodedisclosurecve-2012-1823.soln = Upgrade to the latest stable version of PHP, or use the Apache web server and the mod_rewrite module to filter out malicious requests using the "RewriteCond" and "RewriteRule" directives. 
-ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. +ascanrules.sourcecodedisclosurewebinf.desc = Java source code was disclosed by the web server in Java class files in the WEB-INF folder. The class files can be dis-assembled to produce source code which very closely matches the original source code. ascanrules.sourcecodedisclosurewebinf.name = Source Code Disclosure - /WEB-INF Folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc = A Java class in the /WEB-INF folder disclosed the presence of the properties file. Properties file are not intended to be publicly accessible, and typically contain configuration information, application credentials, or cryptographic keys. ascanrules.sourcecodedisclosurewebinf.propertiesfile.extrainfo = The reference to the properties file was found in the dis-assembled Java source code for Java class [{0}]. ascanrules.sourcecodedisclosurewebinf.propertiesfile.name = Properties File Disclosure - /WEB-INF folder -ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. +ascanrules.sourcecodedisclosurewebinf.propertiesfile.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers. It may also be possible to remove the /WEB-INF folder. 
ascanrules.sourcecodedisclosurewebinf.soln = The web server should be configured to not serve the /WEB-INF folder or its contents to web browsers, since it contains sensitive information such as compiled Java source code and properties files which may contain credentials. Java classes deployed with the application should be obfuscated, as an additional layer of defence in a "defence-in-depth" approach. ascanrules.spring4shell.desc = The application appears to be vulnerable to CVE-2022-22965 (otherwise known as Spring4Shell) - remote code execution (RCE) via data binding. 
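Review bot: the trailing period added to `+ascanrules.serversideinclude.soln` in @@ -123,33 lands inside an Apache directive: the string now ends "AddType text/x-server-parsed-html .html." so the rendered advice shows an extension of ".html." Either drop the period here or move the prose sentence after the directive list. While the line is open, "Refer to manual to disable Sever Side Include" has a typo (Server), and "This may allow database connection or arbitrary code to be executed" in `+ascanrules.serversideinclude.desc` should at least be "database connections". In the same hunk `+ascanrules.sourcecodedisclosurewebinf.desc` says class files "can be dis-assembled to produce source code"; disassembly yields a bytecode listing, decompilation yields source, so "decompiled" is the accurate verb (the same wording recurs in `propertiesfile.extrainfo`), and `+ascanrules.sourcecodedisclosurewebinf.propertiesfile.desc` should read "Properties files are not intended".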
@@ -164,19 +164,19 @@ ascanrules.springactuator.soln = Disable the Health Actuators and other actuator #ascanrules.sqlinjection.alert.errorbased.attack={1} ascanrules.sqlinjection.alert.booleanbased.attack = field\: [{0}], value [{1}] -ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter -ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter +ascanrules.sqlinjection.alert.booleanbased.extrainfo = The page results were successfully manipulated using the boolean conditions [{0}] and [{1}]\nThe parameter value being modified was {2}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.dataexists = Data was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter. +ascanrules.sqlinjection.alert.booleanbased.extrainfo.datanotexists = Data was NOT returned for the original parameter.\nThe vulnerability was detected by successfully retrieving more data than originally returned, by manipulating the parameter. ascanrules.sqlinjection.alert.errorbased.attack = [{0}] field\: [{1}], value [{2}] ascanrules.sqlinjection.alert.errorbased.differentiation.attack = Original Value\: [{0}]. Modified Value\: [{1}]. 
Control Value\: [{2}] -ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}] -ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised -ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}] -ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison -ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds +ascanrules.sqlinjection.alert.errorbased.differentiation.extrainfo = Unmodified message gave HTTP status [{0}], body of length [{1}], modified message gave HTTP status [{2}], body of length [{3}]. A third (non-SQL injection inducing value) gave HTTP status [{4}], body of length [{5}]. 
+ascanrules.sqlinjection.alert.errorbased.extrainfo = RDBMS [{0}] likely, given error message regular expression [{1}] matched by the HTML results.\nThe vulnerability was detected by manipulating the parameter to cause a database error message to be returned and recognised. +ascanrules.sqlinjection.alert.errorbased.httpstatuscode.extrainfo = Unmodified message gave HTTP status [{0}], modified message gave HTTP status [{1}]. +ascanrules.sqlinjection.alert.expressionbased.extrainfo = The original page results were successfully replicated using the expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.orderbybased.extrainfo = The original page results were successfully replicated using the "ORDER BY" expression [{0}] as the parameter value\nThe parameter value being modified was {1}stripped from the HTML output for the purposes of the comparison. +ascanrules.sqlinjection.alert.timebased.extrainfo = The query time is controllable using parameter value [{0}], which caused the request to take [{1}] milliseconds, when the original unmodified query with value [{2}] took [{3}] milliseconds. ascanrules.sqlinjection.alert.unionbased.attack = [{0}] field\: [{1}], value [{2}] -ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised +ascanrules.sqlinjection.alert.unionbased.extrainfo = RDBMS [{0}] likely, given UNION-specific error message regular expression [{1}] matched by the HTML results\nThe vulnerability was detected by manipulating the parameter with an SQL ''UNION'' clause to cause a database error message to be returned and recognised. 
ascanrules.sqlinjection.authbypass.desc = SQL injection may be possible on a login page, potentially allowing the application's authentication mechanism to be bypassed ascanrules.sqlinjection.authbypass.name = SQL \u6ce8\u5165 - \u7565\u904e\u9a57\u8b49 ascanrules.sqlinjection.desc = SQL injection may be possible. @@ -194,7 +194,7 @@ ascanrules.sqlinjection.sqlite.alert.timebased.extrainfo = The query time is con ascanrules.sqlinjection.sqlite.alert.versionnumber.extrainfo = Using a UNION based SQL Injection attack, and by exploiting SQLite''s dynamic typing mechanism, the SQLite version was determined to be [{0}].\nWith string-based injection points, full SQLite version information can be extracted, but with numeric injection points, only partial SQLite version information can be extracted.\nMore information on SQLite version [{0}] is available at https\://www.sqlite.org/changes.html ascanrules.sqlinjection.sqlite.name = SQL \u6ce8\u5165 - SQLite -ascanrules.ssti.alert.otherinfo = Proof found at [{0}] \ncontent\:\n[{1}] +ascanrules.ssti.alert.otherinfo = Proof found at [{0}]\ncontent\:\n[{1}] ascanrules.ssti.desc = When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine. Depending on the template engine it can lead to remote code execution. ascanrules.ssti.name = Server Side Template Injection ascanrules.ssti.refs = https\://portswigger.net/blog/server-side-template-injection 
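Review bot: the period sweep in @@ -164,19 and @@ -194,7 is inconsistent within the messages it touches: `+ascanrules.sqlinjection.alert.booleanbased.extrainfo`, `.expressionbased.extrainfo` and `.orderbybased.extrainfo` gain a period at the very end, but the first sentence before `\n` ("...conditions [{0}] and [{1}]") still has none, and the untouched `ascanrules.sqlinjection.authbypass.desc` ("...authentication mechanism to be bypassed") is left without one while `ascanrules.sqlinjection.desc` has it. Also, `ascanrules.sqlinjection.authbypass.name = SQL \u6ce8\u5165 - \u7565\u904e\u9a57\u8b49` and `ascanrules.sqlinjection.sqlite.name = SQL \u6ce8\u5165 - SQLite` are Chinese (注入, 略過驗證) in an ar_SA file, which points at a mis-mapped translation export rather than something to fix in this patch. If wording is in scope, the untouched `ascanrules.ssti.desc` is not a sentence ("When the user input is inserted in the template instead of being used as argument in rendering is evaluated by the template engine"); "When user input is inserted into the template itself, rather than passed as an argument at render time, it is evaluated by the template engine." says what was meant.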
@@ -208,7 +208,7 @@ ascanrules.sstiblind.soln = Instead of inserting the user input in the template, ascanrules.traceaxd.desc = The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information. ascanrules.traceaxd.name = Trace.axd Information Leak -ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. +ascanrules.traceaxd.otherinfo = Based on response status code Trace Viewer may be protected by an authentication or authorization mechanism. ascanrules.traceaxd.refs = https\://msdn.microsoft.com/en-us/library/bb386420.aspx\nhttps\://msdn.microsoft.com/en-us/library/wwh16c6c.aspx\nhttps\://www.dotnetperls.com/trace ascanrules.traceaxd.soln = Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ar_SA.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ar_SA.properties index 8b3c24989c9..4779947f89b 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ar_SA.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ar_SA.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
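Review bot: in @@ -1,23 of ascanrulesBeta the `-`/`+` pairs for `ascanbeta.cookieslack.affect.response.no` and `.affect.response.yes` differ only in trailing whitespace after the colon, and that space may be load-bearing: the cookie names are appended after these strings (with `ascanbeta.cookieslack.separator = , ` between them), so stripping it can render as "affected the response:<cookie>". Check how the scan rule concatenates these before merging; if the space is intended, keep it as an escaped `\ ` so whitespace-trimming tools do not strip it again. The same sweep added a period to `+ascanbeta.backupfiledisclosure.desc` but left `ascanbeta.backupfiledisclosure.otherinfo` ("is available at [{1}]") without one.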
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
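Review bot: the `ascanbeta.crossdomain.adobe.read.soln` context line in @@ -26,8 is missing text: "restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant" has nothing after "using", so the rendered solution reads "using ." A whitespace-only hunk on the neighbouring lines is a good time to restore the missing directive name from the English source rather than leave the gap.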
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
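Review bot: `+ascanbeta.httpoxy.desc` in @@ -73,20 still has "HTTP Proxy header of the request.Httpoxy typically affects" with no space after the period; fix it while the line is touched. The period appended after "use a malicious proxy." makes the third bullet the only one of the three `* ...` items that ends with punctuation, and the item before it ends in "of their choosing or", so either punctuate all three consistently or leave the list unpunctuated.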
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
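Review bot: the `+ascanbeta.insecurehttpmethod.put.exploitable.desc` line only drops the doubled full stop and leaves the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities"; since the line is being rewritten anyway, split it ("... in REST services. PUT is most often used for **update** capabilities, ..."). The unchanged `patch.exploitable.desc` context line has the same splice ("REST services, PATCH is used for **modify** capabilities"), and it is worth confirming that the `**update**` / `**modify**` markers render as intended in the alert view rather than as literal asterisks.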
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
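Review bot: the four `ascanbeta.integeroverflow.error1` to `error4` replacements show no textual difference in this view, so this looks like a trailing-whitespace cleanup only; that is fine, but since the lines are being rewritten, consider "a long string of random digits" in `error1`, which matches the zeros/ones/nines wording of the other three messages better than "random integers".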
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = \u0645\u062c\u0647\u0648\u0644 ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
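Review bot: the new `ascanbeta.proxydisclosure.desc` line removes the leading space before the first bullet (`determine\n- A list of targets`) but keeps `\n - Potential vulnerabilities` and `\n - The presence` for the other two, so the rendered list is now misaligned; use one prefix for all three items. Further down, the `relativepathconfusion` messages render here with the element name missing (`the correct use of the "" HTML tag`, `More than one tag was specified in the HTML tag`, `Quirks Mode is explicitly enabled via " HTML tag`); check that `<base>` and `<head>` are actually present in the committed file, because these messages are meaningless without them, and that the `quirksmodeenabledexplicitly` value has not been merged with the replaced `soln` line as it appears to be in this view.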
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs=[empty string] -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs=[empty string] ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
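Review bot: the rewritten `ascanbeta.sessionfixation.soln` line still carries the missing space in `7)Switch` and the agreement error in "as the latter typically require"; since the whole value is replaced, fix both ("7) Switch from a URL based to a cookie or form based session id implementation, as the latter typically requires additional vulnerabilities ..."). In the same hunk, `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed to "The URL on which ...", but the identical `sessionidexpiry.alert.extrainfo.loginpage` keeps "The url", and `sessionidaccessiblebyjavascript.soln` remains a one-item numbered list ("1) Use the 'httponly' flag ...") with no 2), so either add the missing items or drop the numbering.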
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
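Review bot: `ascanbeta.sessionidexposedinurl.desc` shows no visible change (whitespace only), while the context line just above it, `ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page.`, keeps the lowercase "url" that this PR capitalizes for the `sessionidaccessiblebyjavascript` variant; apply the same capitalization here so the loginpage messages read identically across rules.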
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
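Review bot: the trailing-period policy is inconsistent within this hunk: `shellshock.desc`, `shellshock.soln`, `gitbased.soln` and `svnbased.soln` gain a full stop, while `gitbased.evidence = The source code for [{0}] was extracted using [{1}]`, `svnbased.extrainfo = The source code for [{0}] was found at [{1}]`, `lfibased.extrainfo` and `shellshock.timingbased.evidence` are left unterminated. If evidence/extrainfo strings are deliberately left without a full stop, state that rule in the PR description; otherwise update them together. The `sessionidsentinsecurely.alert.extrainfo.loginpage` context line also still reads "The url".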
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_az_AZ.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_az_AZ.properties index c1099be84da..b72933e1fb6 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_az_AZ.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_az_AZ.properties 
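Review bot: the full stop appended in `+ascanbeta.usernameenumeration.alert.extrainfo = ... are\:\n[{4}].` lands directly after the `{4}` placeholder, which holds the multi-line diff between the two responses, so the rendered alert ends with a stray "." glued to the last diff line; drop that period, or terminate the sentence after "are" and leave the diff block unterminated. `alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output` is also left without a full stop while its sibling gains one. Unrelated to the change but in the context lines, `text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself and should read "to version 1.10.0 or newer".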
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Paramertl\u0259rin \u00c7irkl\u0259ndirm\u0259si -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
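Review bot: the terminal period added to `ascanbeta.backupfiledisclosure.desc` and `ascanbeta.HTTPParamPoll.sol` in this hunk leaves the adjacent `ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}]` without one, and `ascanbeta.cookieslack.session.destroyed` still runs `[{0}] A follow-on request` together with no punctuation after the placeholder; if the goal is consistent sentence punctuation, finish those too (`... is available at [{1}].` and `[{0}]. A follow-on request ...`). Also worth noting: the only translated value in this hunk, `ascanbeta.HTTPParamPoll.name`, is Azerbaijani (\u0259, \u00c7), and every other value is untranslated English fallback text, so make sure these punctuation edits are mirrored in the source bundle rather than only in this localized one.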
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
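Review bot: the shared `ascanbeta.crossdomain.adobe.desc` describes "cross-site request forgery", but it is reused by the read alert (`ascanbeta.crossdomain.adobe.read.name`), whose `extrainfo` is about cross-domain data reads rather than forged requests; since the line is being edited, consider wording it as cross-domain data access/request forgery, or giving the read alert its own desc. Separately, the untouched `ascanbeta.crossdomain.adobe.read.soln` reads `... cross-domain read requests to this web server, using .` with nothing between `using` and the period; if the element name is really missing from the source string rather than just hidden by this rendering, restore it or drop the dangling `using`.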
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
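Review bot: `ascanbeta.httpoxy.desc` still has `request.Httpoxy` with no space after the period, in both the old and the new line; since the line is being touched for punctuation anyway, change it to `request. Httpoxy` (and `CGI like` reads better as `CGI-like`). The period is added only to the last bullet while the middle bullet still ends in a bare ` or`; either punctuate every bullet or none so the list renders consistently.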
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
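Review bot: the double period in `ascanbeta.insecurehttpmethod.put.exploitable.desc` is fixed, but the comma splice in the same string (`REST services, PUT is most-often utilized`) remains, and the same construction is in the untouched `patch.exploitable.desc` (`REST services, PATCH is used`) and `delete.exploitable.desc` (`REST services, It is used`, with a capitalised `It`); suggest `REST services. PUT is ...`, `REST services. PATCH is ...` and `REST services; it is used to delete a resource.` while these strings are being edited.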
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
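Review bot: the four `ascanbeta.integeroverflow.error*` lines change only trailing whitespace, which is fine, but the untouched `ascanbeta.integeroverflow.desc` just above them is hard to parse (`extends beyond the range limits and has not been properly checked from the input stream`); consider `An integer overflow occurs when a value read from the input is not range-checked and exceeds the limits of the integer type used by the compiled program.`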
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Nam\u0259lum ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} sah\u0259\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
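Review bot: the rewrite of `ascanbeta.proxydisclosure.desc` removes the leading space from the first bullet (`determine\n- A list of targets`) but keeps it on the next two (`\n - Potential vulnerabilities`, `\n - The presence`), so the rendered list is now misaligned; strip the space from all three bullets or keep it on all three. The `traceenabled` join (removing the stray line break between `origin server.` and `This method leaks`) looks right.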
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Sesiyan\u0131n Fix olunmas\u0131 ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as 
the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} sah\u0259\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} sah\u0259\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Vaxt\u0131 bitib ascanbeta.sessionidexpiry.timelessthanonehour = Bir saatdan az 
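Review bot: removing the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` in place above both spots, now referring to nothing; drop the comment together with the key (or keep the key if the comment's intent still holds). In the same hunk, `7)Switch` in `ascanbeta.sessionfixation.soln` is still missing its space in the new line, and `ascanbeta.sessionidexpiry.soln` calls the cookie attribute `'Expire'`, whereas the Set-Cookie attribute is `Expires`.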
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} sah\u0259\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
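Review bot: whitespace-only change to `ascanbeta.sessionidexposedinurl.desc`, no objection; while it is being touched, the list of places a URL-borne session id ends up (bookmarks, web server logs, proxy logs) could also name the Referer header, which is the usual way such an id leaks to third-party sites.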
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} sah\u0259\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = M\u0259nb\u0259 kodunun if\u015fa olunmas\u0131 - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Sours kodun if\u015fa olunmas\u0131 - CVE-2012-1823 
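Review bot: two untouched context keys in this ar_SA hunk carry Azerbaijani rather than Arabic text, `ascanbeta.sourcecodedisclosure.svnbased.name = M\u0259nb\u0259 kodunun if\u015fa olunmas\u0131 - SVN` and `ascanbeta.sourcecodedisclosurecve-2012-1823.name = Sours kodun if\u015fa olunmas\u0131 - CVE-2012-1823`; the punctuation edits here are fine, but since this locale file is being edited by hand it is worth confirming against the translation source that those values are not a locale mix-up. Also note the `-`/`+` pair for `ascanbeta.sourcecodedisclosure.gitbased.name` is textually identical, so that part of the change is trailing-whitespace only.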
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_bn_BD.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_bn_BD.properties index bf897827135..d5ff2e83d9e 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_bn_BD.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_bn_BD.properties 
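Review bot: in the ar_SA `ascanbeta.usernameenumeration.alert.extrainfo` change above, the added period lands after the `[{4}]` placeholder (`... are\:\n[{4}].`), which is filled at runtime with the multi-line listing of response differences, so the period will appear dangling after that block; suggest leaving this value without a terminal period or ending the sentence before the colon. The `ascanbeta.usernameenumeration.alert.attack` pair is identical in `-` and `+`, so that line is a whitespace-only change.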
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
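Review bot: the punctuation pass is inconsistent within this hunk: `ascanbeta.backupfiledisclosure.desc` gains a terminal period while the adjacent `ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}]` is left without one; either add it there too or keep this hunk to the trailing-whitespace cleanup, which is all the identical `ascanbeta.cookieslack.affect.response.*` pairs and the `ascanbeta.cookieslack.session.*` pairs actually do.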
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
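Review bot: both `-`/`+` pairs in this hunk (`ascanbeta.crossdomain.adobe.desc` and `ascanbeta.crossdomain.adobe.read.extrainfo`) are textually identical, so the change is whitespace or line-ending only and the commit message should say so. Separately, the context line `ascanbeta.crossdomain.adobe.read.soln = ... to this web server, using . You should only grant ...` reads as if a tag name was lost after "using"; worth checking the source value while this file is open.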
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
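Review bot: `ascanbeta.httpoxy.desc` keeps `request.Httpoxy` with no space after the period in both the old and new line; since the value is already being edited, fix that as well. Adding a period only to the last bullet (`* Tie up server resources ... malicious proxy.`) while `* Proxy the outgoing ...` and `* Direct the server ... or` stay unpunctuated leaves the list mixed. The `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` pairs are identical, i.e. whitespace-only.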
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
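Review bot: removing the doubled period in `ascanbeta.insecurehttpmethod.put.exploitable.desc` is correct, but the same value keeps the comma splice `It is now most commonly used in REST services, PUT is most-often utilized ...`, and the context line `ascanbeta.insecurehttpmethod.delete.exploitable.desc = ... REST services, It is used to delete a resource.` has a capitalised `It` after a comma; a period in place of those commas would fix both while the file is open.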
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
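Review bot: the four `ascanbeta.integeroverflow.error1` to `error4` pairs are identical in `-` and `+`, so this hunk is trailing-whitespace only; if the intent is whitespace normalisation across locale files, state that in the commit message rather than folding it into a punctuation change, so reviewers know no text was meant to change here.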
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
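Review bot: the `ascanbeta.proxydisclosure.desc` edit introduces inconsistent list markup: the first item becomes `determine\n- A list of targets ...` while the next two remain `\n - Potential vulnerabilities ...` and `\n - The presence or absence ...` with a leading space, so the rendered list will be misaligned; strip the space on all three items or keep it on all three. Rejoining `ascanbeta.proxydisclosure.extrainfo.traceenabled`, whose value appears split across two lines in the old version (a properties parser would read the second line as a separate key), is the right fix.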
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
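Review bot: Dropping the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the two `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` comments describing keys that no longer exist; either remove those comments as well or keep the keys. Two wording points in the same lines: the rewritten `sessionfixation.soln` still has `7)Switch` without the space the other six items use, and `sessionidexpiry.soln` should name the cookie attribute `Expires`, not `Expire`, since that is the Set-Cookie attribute name.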
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
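Review bot: The only change here is to `sessionidexposedinurl.desc`, but the `.alert.extrainfo.loginpage` line just above it still reads `The url on which the issue was discovered`, while the same message for `sessionidaccessiblebyjavascript` was changed to `The URL ...` in the previous hunk; the `sessionidexpiry` and `sessionidsentinsecurely` copies of that message are also left as `url`. Apply the capitalisation to all four so the alert text is consistent.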
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
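Review bot: `sessionidsentinsecurely.soln` is touched (whitespace only, as far as the diff shows) but keeps `Use the latest available version of SSL/TLS`; every SSL version is deprecated, so `the latest available version of TLS` is the advice the alert should give. Also, `ascanbeta.shellshock.ref` is the only key in this file using `.ref` rather than `.refs`; worth confirming the loader does not expect `.refs` before leaving it as is.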
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_bs_BA.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_bs_BA.properties index e1d90c1ab13..8a12da31457 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_bs_BA.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_bs_BA.properties 
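Review bot: The period appended to `usernameenumeration.alert.extrainfo` lands after `\n[{4}]`, and `{4}` is the multi-line diff of the two responses, so the rendered alert will end with a stray `.` after the diff output; drop that period rather than add it. The unchanged `text4shell.soln` line reads `Upgrade Apache Commons Text prior to version 1.10.0 or newer.`, which contradicts itself; it should say `to version 1.10.0 or newer`.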
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
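Review bot: `cookieslack.session.destroyed` still runs two sentences together, `[{0}] A follow-on request with all original cookies ...`; the trailing-space fix is fine, but a period after `[{0}]` is the change that would make the message read correctly. More generally, `Messages_bs_BA.properties` is a locale file carrying English strings; if these files are produced from the translation platform rather than edited by hand, the same edits need to land in the source `Messages.properties` or they will be overwritten on the next sync.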
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
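Review bot: `crossdomain.adobe.read.soln` reads `... cross-domain read requests to this web server, using .` with nothing between `using` and the period, so the element name is missing as shown here; check the source string (it may have been stripped as markup) and restore it, or reword to `using the allow-access-from entries in crossdomain.xml`. The two `+` lines in this hunk differ from the `-` lines only by whitespace.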
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
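Review bot: `httpoxy.desc` gains a terminal period but keeps `...Proxy header of the request.Httpoxy typically affects...` with no space after the first period; fix that while the line is being edited. The bullet list in the same value ends `...of their choosing or\n* Tie up server resources...`, so the new period closes a list whose other items have none; either punctuate each item or leave the last one bare for consistency.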
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
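Review bot: The `put.exploitable.desc` change only removes the doubled period and keeps the comma splice `It is now most commonly used in REST services, PUT is most-often utilized...`; split it into two sentences (the sibling `delete.exploitable.desc` in the previous hunk has the same pattern, `REST services, It is used`). Note also that `insecurehttpmethod.soln` names only TRACK, TRACE and CONNECT although the PUT, DELETE and PATCH alerts share it; a sentence about restricting those methods to the authenticated endpoints that need them would serve those alerts better.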
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
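Review bot: The four `integeroverflow.errorN` pairs show identical text on the `-` and `+` sides, so this is a trailing-whitespace change; fine to keep, but whitespace-only edits would be easier to review if separated from the wording changes. Since the lines are being touched, `error1`'s `a long string of random integers` should read `random digits` to match the zeros/ones/nines wording of the other three.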
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Nepoznat ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
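Review bot: the rewritten `ascanbeta.proxydisclosure.desc` now has inconsistent bullet indentation: the first item became `determine\n- A list of targets` (no leading space) while the next two remain `\n - Potential vulnerabilities` and `\n - The presence`. Either keep the space on all three (`\n - A list of targets`) or drop it on all three; as written the first bullet renders flush-left and the others indented. The remaining changes in this hunk (`proxyserver.header`, `traceenabled`, `webserver.header`, `contenttypeenabled`, `nocontenttype`, `soln`) show no visible text difference and look like trailing-whitespace fixes only.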
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Fiksacija sesije ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
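Review bot: deleting the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the two `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` comment lines orphaned directly above `soln`; remove the comments together with the keys, or keep the keys if the comment's intent still holds. Two consistency nits in the same hunk: `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` was changed to "The URL on which..." but the identical `sessionidexpiry.alert.extrainfo.loginpage` a few lines below still reads "The url on which...", and the rewritten `sessionfixation.soln` still has `7)Switch` with no space after `7)` while items 1) through 6) all have one.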
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
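Review bot: `ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage` in this hunk's context still reads "The url on which the issue was discovered..." while the same sentence was changed to "The URL" for `sessionidaccessiblebyjavascript` earlier in this patch; apply the same casing here so the three logon-page strings match. The `sessionidexposedinurl.desc` change itself shows no visible difference and appears to be whitespace only.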
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
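Review bot: the trailing-period sweep in this hunk is only partial. `shellshock.soln`, `sourcecodedisclosure.gitbased.soln` and `svnbased.soln` gain a full stop, but `shellshock.timingbased.evidence` ("...was induced and detected"), `sourcecodedisclosure.gitbased.evidence`, `lfibased.extrainfo` and `svnbased.extrainfo` still end without one, and `sessionidsentinsecurely.alert.extrainfo.loginpage` still reads "The url" unlike the `URL` casing adopted earlier in the patch. Either apply the rule to every string in the block or leave the evidence/extrainfo strings as a deliberately unpunctuated group and say so.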
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ceb_PH.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ceb_PH.properties index 16a92552393..49d9ef4601a 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ceb_PH.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ceb_PH.properties 
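Review bot: the period added to `ascanbeta.usernameenumeration.alert.extrainfo` lands after the `{4}` placeholder, i.e. `are\:\n[{4}].`; `{4}` is filled with the multi-line response differences, so the full stop will appear dangling after that diff text rather than closing a sentence. Drop that one period (the sentence already ends at `are\:`). While touching this region, `ascanbeta.text4shell.soln` in the unchanged context, "Upgrade Apache Commons Text prior to version 1.10.0 or newer", contradicts itself ("prior to ... or newer") and should read "Upgrade Apache Commons Text to version 1.10.0 or newer".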
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
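Review bot: the rewritten `ascanbeta.cookieslack.session.destroyed` still runs two sentences together around the placeholder, `session\: [{0}] A follow-on request...`; add a period (or a `\n`) after `[{0}]` so the output reads as two sentences. Also, `backupfiledisclosure.desc` gains a full stop but `backupfiledisclosure.otherinfo` ("A backup of [{0}] is available at [{1}]") on the next line does not, so the punctuation rule is applied inconsistently within the same block.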
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
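Review bot: the edit to `ascanbeta.httpoxy.desc` adds the terminal period but leaves the run-together `request.Httpoxy` in the first sentence without a space after the full stop; since the line is being rewritten anyway, make it `...specified in the HTTP Proxy header of the request. Httpoxy typically affects code running in CGI or CGI-like environments.` The `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` pairs read identically before and after, so this is presumably a trailing-whitespace trim; please confirm that is all that changed, because a line-ending or encoding difference would not be visible in this view.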
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
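Review bot: dropping the doubled period at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is right, but the comma splice earlier in the same line (`It is now most commonly used in REST services, PUT is most-often utilized...`) stays; suggest `It is now most commonly used in REST services; PUT is most often used for **update** capabilities, PUTting to a known resource URI with the request body containing the newly-updated representation of the original resource.` The untouched `ascanbeta.insecurehttpmethod.patch.exploitable.desc` context line above has the same splice (`REST services, PATCH is used`), so fix both in this hunk rather than one.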
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
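Review bot: the four `ascanbeta.integeroverflow.error1`..`error4` lines are identical before and after apart from invisible whitespace, so the hunk cannot be reviewed as shown; please confirm it is only a trailing-whitespace trim. If the rule's messages are being touched, `ascanbeta.integeroverflow.desc` in the context just above deserves the same pass: `extends beyond the range limits and has not been properly checked from the input stream` is awkward, and something like `an integer taken from the input stream exceeds the range of its type and was not range-checked before use` says what the rule actually detects.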
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
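Review bot: the change to `ascanbeta.proxydisclosure.desc` makes the bullet formatting inconsistent: the first item becomes `\n- A list of targets...` (no leading space) while the second and third keep `\n - Potential vulnerabilities...` and `\n - The presence...`. Use one form for all three. Joining the split `proxydisclosure.extrainfo.traceenabled` and `relativepathconfusion.soln` lines is fine; note, though, that the unchanged `proxydisclosure.soln` context line still ends in a dangling `\n` (`...'X-Powered-By' HTTP response headers.\n`) while the same patch strips the trailing `\n` from `sessionfixation.soln` in a later hunk, so decide once whether solution strings end with a newline and apply it everywhere.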
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Sesyon na Pag-ayo ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
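Review bot: three points in this hunk. `ascanbeta.sessionfixation.soln` is rewritten to end in a period, but `7)Switch` in the same line still lacks the space after `7)` that items 1) to 6) have. The empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys are deleted while the comment above each, `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..`, is kept, so each comment now describes a key that no longer exists; either drop the comments as well or keep the keys. And `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed from `The url` to `The URL`, but the identical `sessionidexpiry.alert.extrainfo.loginpage` message in the context right below keeps `The url`.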
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
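Review bot: `ascanbeta.sessionidexposedinurl.desc` shows no visible change (whitespace only), while the `sessionidexposedinurl.alert.extrainfo.loginpage` context line two lines above still reads `The url on which the issue was discovered was flagged as a logon page.`; the `url` to `URL` capitalisation applied to `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` earlier in this patch should be applied here too, so the loginpage messages across the session rules stay identical.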
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
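Review bot: the terminal-period policy is applied unevenly here: `shellshock.desc`, `shellshock.soln`, `sourcecodedisclosure.gitbased.soln` and `svnbased.soln` gain a period, while the neighbouring `shellshock.timingbased.evidence`, `sourcecodedisclosure.gitbased.evidence`, `lfibased.extrainfo` and `svnbased.extrainfo` get none; pick one rule for evidence/extrainfo strings and apply it across the file. Since `sessionidsentinsecurely.soln` is being touched (whitespace only), item 1) could also drop `SSL/` from `latest available version of SSL/TLS`: no SSL version is acceptable any more, and `sessionidsentinsecurely.desc` already frames the issue as HTTP versus HTTPS. Unrelated but visible in the context: the shellshock reference key is `ascanbeta.shellshock.ref` where every other rule uses `.refs`; renaming it needs a matching code change, so leave that for a separate PR.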
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_da_DK.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_da_DK.properties index a3f05ee3eb7..4e668dc98e6 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_da_DK.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_da_DK.properties 
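Review bot: the period appended to `ascanbeta.usernameenumeration.alert.extrainfo` lands directly after the `[{4}]` placeholder, which follows `are\:\n` and is filled at runtime with the multi-line listing of response differences; a lone `.` after that block will show up as a stray character at the end of the alert. Leave this message without a terminal period (as `alert.attack` on the line above still is), or close the sentence before the listing, e.g. `...invalid username value [{3}] are listed below.\n[{4}]`. The other two lines in the hunk are whitespace-only; confirm the trim is intentional.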
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Ukendt ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
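Review bot: `ascanbeta.sessionidsentinsecurely.alert.extrainfo` is rewritten here but still opens in lower case (`session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism.`), while every other message in the file starts with a capital; since this pass is normalising punctuation, capitalise it to `Session identifier {0} field ...`. Separately, the context line `ascanbeta.shellshock.ref` uses a `.ref` suffix where all sibling rules use `.refs`; if the rule's Java code really reads `.ref`, fine, but it is worth confirming rather than letting the outlier survive a cleanup pass.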
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_de_DE.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_de_DE.properties index bb82183d317..4391368bfb5 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_de_DE.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_de_DE.properties 
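Review bot: in the preceding hunk, appending a full stop to `ascanbeta.usernameenumeration.alert.extrainfo` produces `are\:\n[{4}].`, where `{4}` is the raw response diff dumped after a newline; a trailing period after that bracketed block reads as part of the diff output. Drop the period there, as was (correctly) done for `alert.attack`, which keeps `monitor the output` without one. Also, the context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` is self-contradictory ("prior to ... or newer"); since this PR touches wording across the file, change it to `Upgrade Apache Commons Text to version 1.10.0 or newer.`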
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Eine Sicherungskopie der Datei wurde vom Web-Server offenbart +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Bearbeite keine Dateien in-Situ auf dem Webserver, und stelle sicher dass unn\u00f6tige Dateien (auch versteckte Dateien) aus dem Webserver entfernt werden. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
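Review bot: this hunk replaces a German translation with the English source string in the German locale file: `-ascanbeta.backupfiledisclosure.desc = Eine Sicherungskopie der Datei wurde vom Web-Server offenbart` becomes `+ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server.` in `Messages_de_DE.properties`, while the neighbouring `ascanbeta.backupfiledisclosure.soln` stays German. That is a localisation regression, not a punctuation fix; keep the German text and only add the missing full stop (`... vom Web-Server offenbart.`), or, if the translation is being reset deliberately so the translation platform re-queues it, say so in the PR description.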
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
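Review bot: `ascanbeta.httpoxy.desc` is edited but keeps the missing space in `the HTTP Proxy header of the request.Httpoxy typically affects`; fix it to `request. Httpoxy` while the line is being touched. The new trailing period is also applied only to the third bullet (`...use a malicious proxy.`) of a three-item `\n* ` list whose first two items end without punctuation, which is inconsistent; either punctuate all three or none.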
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
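Review bot: the change to `ascanbeta.insecurehttpmethod.put.exploitable.desc` only removes the doubled period and leaves the comma splice `It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities`; suggest `In REST services, PUT is most often used for **update** capabilities, ...`. The same pattern (`REST services, It is used`) is in the context line for `delete.exploitable.desc` two hunks up and could be fixed in the same pass.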
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unbekannt ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
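Review bot: The `relativepathconfusion` strings in this hunk that refer to the HTML element for relative URLs show up with the element name missing ("the "" HTML tag", "No tag was specified in the HTML tag", "More than one tag was specified in the HTML tag"), and the `quirksmodeenabledexplicitly` value runs straight into the tail of the `soln` text ("explicitly enabled via " HTML tag in the HTTP response will unambiguously specify..."), so the start of that message is lost. Presumably these should name the base element and a DOCTYPE; please confirm the element names survive in the actual file and are not being eaten by the same pass that trims trailing whitespace here, since the `-`/`+` pairs for `contenttypeenabled` and `nocontenttype` are otherwise identical.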
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} Feld\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs=\ -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} Feld\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs=\ ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Abgelaufen ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
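Review bot: In the new `ascanbeta.sessionfixation.soln` line item 7 still reads "7)Switch from a URL based..." without the space after the number that items 1) to 6) use; suggest "7) Switch from a URL based to a cookie or form based session id implementation, ...". Since this hunk already rewrites that value (joining the wrapped line and adding the final period), it is the right place to fix the spacing. Separately, the new `sessionidaccessiblebyjavascript.alert.extrainfo` gains a trailing period but still starts lowercase ("session identifier {0} field..."), unlike the capitalised sentences around it; worth aligning while touching the line.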
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} Feld\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = Der source code f\u00fcr [{0}] wurde auf [{1}] gefunden. ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Stellen Sie sicher, dass SVN-Metadaten-Dateien nicht auf dem Webserver oder Anwendungsserver bereitgestellt werden +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
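Review bot: The `ascanbeta.sourcecodedisclosure.svnbased.soln` change replaces an existing German translation ("Stellen Sie sicher, dass SVN-Metadaten-Dateien nicht auf dem Webserver oder Anwendungsserver bereitgestellt werden") with the English source string ("Ensure that SVN metadata files are not deployed to the web server or application server."), which is a regression for this locale; the neighbouring `svnbased.extrainfo` ("Der source code f\u00fcr [{0}] wurde auf [{1}] gefunden.") stays German, so the SVN alert would now be half translated. If the intent was only to add the trailing period, keep the German text and append the period there instead.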
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_el_GR.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_el_GR.properties index 332e18a3cd1..cb3b160ef30 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_el_GR.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_el_GR.properties 
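Review bot: In the `@@ -243,9 +241,9 @@` hunk the new `ascanbeta.usernameenumeration.alert.extrainfo` appends a period directly after the `[{4}]` placeholder ("...are\:\n[{4}]."); that placeholder is filled with the multi-line list of response differences, so the rendered alert will end with a stray "." on its own after the diff output. Suggest leaving that value without the trailing period, as the original line had it, and also keeping `alert.attack` consistent with it. The unchanged context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` reads contradictorily ("prior to ... or newer"); not part of this change, but worth a follow-up.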
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
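Review bot: The new `ascanbeta.cookieslack.session.destroyed` value still runs two sentences together without punctuation after the placeholder ("...invalidated the session\: [{0}] A follow-on request with all original cookies..."); since this line is being edited anyway (the space before `\n` is dropped), suggest "[{0}]. A follow-on request ...". The `affect.response.no`/`affect.response.yes` and `HTTPParamPoll.sol` pairs otherwise look whitespace-only or punctuation-only, which matches the rest of the patch.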
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
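Review bot: The `-`/`+` pairs for `ascanbeta.crossdomain.adobe.desc` and `crossdomain.adobe.read.extrainfo` are textually identical, so this hunk is presumably trailing-whitespace only; please confirm nothing else changed. The unchanged `crossdomain.adobe.read.soln` context line reads "...that are allowed to make cross-domain read requests to this web server, using ." with the element name missing before the period, so that message is currently unintelligible as displayed; worth checking whether the crossdomain.xml element name is present in the file and only lost in this rendering.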
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
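Review bot: The new `ascanbeta.httpoxy.desc` only adds the final period and leaves "...Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments." with no space after the first sentence; suggest "...of the request. Httpoxy typically affects code running in CGI or CGI-like environments." Also note the value ends its last bullet ("* Tie up server resources by forcing the vulnerable software to use a malicious proxy.") with a period while the preceding bullets have none, so the list punctuation ends up mixed.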
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
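Review bot: Dropping the doubled period at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is correct, but the comma splice in the same sentence remains ("It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to..."); suggest splitting it: "It is now most commonly used in REST services. PUT is most often used for **update** capabilities: PUT-ing to a known resource URI ...". The `delete.exploitable.desc` and `patch.exploitable.desc` context lines have the same "REST services, It is used..." pattern, so a single follow-up could tidy all three.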
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
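Review bot: the four `ascanbeta.integeroverflow.error1..4` pairs show no visible difference between the `-` and `+` lines, so this hunk is presumably trailing-whitespace removal; state that in the commit message (or point reviewers at `git diff --ws-error-highlight=all`) so it can be confirmed that nothing invisible was introduced. One wording nit while these lines are open: "a long string of random integers" means a long string of random digits, and the `integeroverflow.soln` context line says "rewrite the backend program, checking if the values ..." where "so that it checks that the values ..." is clearer.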
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = \u0386\u03b3\u03c9\u03c3\u03c4\u03b7 \u03b8\u03cd\u03c1\u03b1 ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) 
are also specified in the page response using relative, rather than absolute URLs. In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
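Review bot: the `+ascanbeta.proxydisclosure.desc` line changes only the first bullet, from `\n - A list` to `\n- A list`, while the two following bullets on the same line keep `\n - Potential` and `\n - The presence`, so the rendered list is now mis-aligned; either strip the space before every `-` or leave the first one as it was. Also, in `+ascanbeta.relativepathconfusion.soln` the tag name quoted in `the "" HTML tag` is empty as shown here; check that the file actually contains the `<base>` element name there, since the `morethanonebasetag`/`nobasetag` messages in the context lines assume the reader knows which tag is meant. Finally, the `ascanbeta.proxydisclosure.extrainfo.unknown` value in this file is Greek, so this is a locale bundle: if it is refreshed from the translation platform, the English corrections made here will be overwritten, and the fix should go into the default `Messages.properties` with the locale inheriting it.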
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
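Review bot: the `+ascanbeta.sessionfixation.soln` line still reads `7)Switch` with no space after `7)`, unlike items 1) to 6); fix it while the line is being touched. Two more points in this hunk: the `-ascanbeta.sessionidaccessiblebyjavascript.refs=` and `-ascanbeta.sessionidexpiry.refs=` keys are removed, but the comment directly above each (`#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..`) is kept and now describes a key that no longer exists; drop the comment with the key, and confirm the default bundle still defines `*.refs` so the lookup falls back instead of failing. And `The url on which ...` is capitalised to `The URL on which ...` only for `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage`, while `sessionidexpiry.alert.extrainfo.loginpage` a few lines below keeps `The url`; apply the same capitalisation to every `*.loginpage` string in one go.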
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
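Review bot: the `-`/`+` pair for `ascanbeta.sessionidexposedinurl.desc` has no visible difference, so this hunk is whitespace-only and should be labelled as such. The `ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage` context line directly above still says `The url`, so if the `The URL` spelling is being adopted elsewhere in this file, this is the place to align it. While the line is open, "compromising its confidentiality, integrity, and availability" overstates the case: sharing a URL that carries the session id hands the recipient the user's session, which is a confidentiality and integrity problem; availability is not affected by the URL being shared.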
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
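Review bot: the `+ascanbeta.sessionidsentinsecurely.soln` line is rewritten but still opens with "Use the latest available version of SSL/TLS"; SSL is not a version a server should be offering, so make it "the latest available version of TLS" (and in item 2, "forced down to the unencrypted HTTP protocol" reads better as "downgraded to plain HTTP"). The remaining changes in this hunk are trailing-period additions (`shellshock.desc`, `shellshock.soln`, `sourcecodedisclosure.gitbased.soln`, `svnbased.soln`), which are fine, but `ascanbeta.sourcecodedisclosure.gitbased.name` appears as a `-`/`+` pair with no visible change, so that one is whitespace-only and worth calling out as such.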
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_es_ES.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_es_ES.properties index 6f89a769bb5..a2ab925df1e 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_es_ES.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_es_ES.properties 
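Review bot: in the `@@ -243,9 +241,9 @@` hunk, `+ascanbeta.usernameenumeration.alert.extrainfo` now ends with `[{4}].`, but `{4}` is the list of response differences that follows a `\n`, so the period lands after a multi-line block rather than after a sentence; leave that string without the trailing period, as was done for `alert.attack` in the same hunk. Context nit in the same hunk: `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself; "Upgrade Apache Commons Text to version 1.10.0 or newer." is what is meant and could be fixed in the same pass.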
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = Los ataques de Contaminaci\u00f3n de Par\u00e1metros HTTP (HTTP Parameter Pollution HPP) consisten en inyectar delimitadores de cadenas de consulta codificados en otros par\u00e1metros existentes. Si una aplicaci\u00f3n web no sanea adecuadamente la entrada del usuario, un usuario malintencionado puede comprometer la l\u00f3gica de la aplicaci\u00f3n para realizar ataques del lado del cliente o del lado del servidor. Una consecuencia de los ataques HPP es que el atacante puede anular los par\u00e1metros HTTP existentes codificados para modificar el comportamiento de una aplicaci\u00f3n, eludir los puntos de control de validaci\u00f3n de entrada, y acceder y posiblemente explotar variables que pueden estar fuera del alcance directo. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = Contaminaci\u00f3n de Par\u00e1metros HTTP (HPP) -ascanbeta.HTTPParamPoll.sol = Desinfectar la entrada del usuario de forma correcta para delimitadores de par\u00e1metros +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Un backup del archivo fue divulgada por el servidor web +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = Divulgaci\u00f3n del Archivo de Backup ascanbeta.backupfiledisclosure.otherinfo = Una copia de [{0}] est\u00e1 disponible en [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = No editar archivos in-situ en el servidor web y aseg\u00farese de que los archivos innecesarios (incluyendo archivos ocultos) se eliminen del servidor web. -ascanbeta.cookieslack.affect.response.no = Estas cookies NO influyen en la respuesta\: -ascanbeta.cookieslack.affect.response.yes = Estas cookies influyen en la respuesta\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Peticiones GET repetidas\: crean una cookie diferente, seguida de una solicitud normal con todas las cookies para estabilizar la sesi\u00f3n, compara las respuestas con el GET original. Esto puede revelar \u00e1reas donde la autenticaci\u00f3n o los atributos basados en cookies no se apliquen. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Detector de Cookie Slack ascanbeta.cookieslack.otherinfo.intro = Las cookies que no tienen efectos esperados pueden revelar defectos en la l\u00f3gica de la aplicaci\u00f3n. En el peor de los casos, esto puede revelar donde la autenticaci\u00f3n por token(s) de cookies no se aplican realmente. ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = La eliminaci\u00f3n de esta cookie parece haber invalidado la sesi\u00f3n\: [{0}] Una petici\u00f3n de seguimiento con todas las cookies originales todav\u00eda tuvo una respuesta diferente a la solicitud original. 
\n -ascanbeta.cookieslack.session.warning = NOTA\: Debido a su nombre, esta cookie puede ser importante, pero eliminarla parece no tener efecto\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) es un mecanismo basado en cabeceras HTTP que permite a un servidor indicar cualquier otro origen (dominio, esquema o puerto) distinto del suyo desde el que un navegador debe permitir la carga de recursos. Mitiga la Pol\u00edtica de Mismo Origen (Same-Origin Policy SOP). ascanbeta.cors.info.name = CORS Header 
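Review bot: this hunk replaces existing Spanish translations with English text inside `Messages_es_ES.properties` (`ascanbeta.HTTPParamPoll.sol`, `ascanbeta.backupfiledisclosure.desc`, both `ascanbeta.cookieslack.affect.response.*` lines and the two `ascanbeta.cookieslack.session.*` lines), while the neighbouring keys (`backupfiledisclosure.name`, `cookieslack.desc`, `cookieslack.name`, `cookieslack.otherinfo.intro`) stay in Spanish, so the es_ES locale regresses to a mixed-language UI. If the goal is to fix punctuation, keep the Spanish wording and fix it there (for example `ascanbeta.backupfiledisclosure.desc = Un backup del archivo fue divulgado por el servidor web.`); if the goal is to mark these keys as untranslated, delete them from the locale file so they fall back to the default bundle rather than storing English under es_ES.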
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = Si un recurso web contiene informaci\u00f3n confidencial, ascanbeta.cors.vuln.desc = Esta configuraci\u00f3n incorrecta de CORS podr\u00eda permitir que un atacante realice consultas AJAX al sitio web vulnerable desde una p\u00e1gina maliciosa cargada por el user agent de la v\u00edctima.\nPara realizar consultas AJAX autenticadas, el servidor debe especificar el encabezado "Access-Control-Allow-Credentials\: true" y el encabezado "Access-Control-Allow-Origin" debe establecerse en nulo o el dominio de la p\u00e1gina maliciosa. Incluso si esta configuraci\u00f3n incorrecta no permite solicitudes AJAX autenticadas, a\u00fan se puede acceder a contenido confidencial no autenticado (por ejemplo, sitios web de intranet).\nUna p\u00e1gina maliciosa puede pertenecer a un sitio web malicioso, pero tambi\u00e9n a un sitio web de confianza, pero con fallos (por ejemplo, XSS, compatibilidad con HTTP sin TLS que permite la inyecci\u00f3n de c\u00f3digo a trav\u00e9s de MITM, etc.). ascanbeta.cors.vuln.name = Configuraci\u00f3n Incorrecta de CORS -ascanbeta.crossdomain.adobe.desc = Es posible que se produzca una falsificaci\u00f3n de petici\u00f3n en sitios cruzados basada en Flash/Silverlight, debido a una configuraci\u00f3n incorrecta en el servidor web. -ascanbeta.crossdomain.adobe.read.extrainfo = El servidor web permite peticiones maliciosas de lectura de datos entre dominios originadas desde componentes Flash/Silverlight servidos desde cualquier dominio de terceros, a este dominio. Si el usuario v\u00edctima ha iniciado sesi\u00f3n en este servicio, las solicitudes de lectura maliciosas se procesan utilizando los privilegios de la v\u00edctima, y pueden dar lugar a que los datos de este servicio se vean comprometidos por un sitio web de terceros no autorizado, a trav\u00e9s del navegador web de la v\u00edctima. 
Esto es particularmente probable que sea un problema si se utiliza una implementaci\u00f3n de sesi\u00f3n basada en cookies. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Configuraci\u00f3n incorrecta Cross-Domain - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure el archivo crossdomain.xml para restringir la lista de dominios que pueden realizar peticiones de lectura entre dominios a este servidor web, usando . S\u00f3lo debe conceder acceso a "*" (todos los dominios) si est\u00e1 seguro de que este servicio no hospeda ning\u00fan dato controlado, personalizado o privado. ascanbeta.crossdomain.adobe.send.extrainfo = El servidor web permite peticiones maliciosas de env\u00edo de datos entre dominios (pero no necesariamente de lectura) originadas desde componentes Flash/Silverlight servidos desde cualquier dominio de terceros, a este dominio. Si el usuario v\u00edctima ha iniciado sesi\u00f3n en este servicio, las solicitudes de env\u00edo maliciosas se procesan utilizando los privilegios de la v\u00edctima, y pueden dar lugar a ataques del tipo Cross Site Request Forgery (CSRF), a trav\u00e9s del navegador web de la v\u00edctima. Esto es particularmente probable que sea un problema si se utiliza una implementaci\u00f3n de sesi\u00f3n basada en cookies. 
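Review bot: the unchanged context line `ascanbeta.crossdomain.adobe.read.soln` reads `... a este servidor web, usando .` with nothing between `usando` and the period, so the element name that the sentence refers to is absent from the visible text; while the neighbouring `crossdomain.adobe.*` keys are being rewritten, it is worth checking that this value carries the intended content rather than an empty reference. The two new English strings themselves are complete and match the Spanish they replace.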
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = No se pudo codificar el URI de ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure su servidor web o de aplicaciones para que utilice SSL (https). -ascanbeta.httpoxy.desc = El servidor inici\u00f3 una petici\u00f3n proxy a trav\u00e9s del proxy especificado en la cabecera HTTP Proxy de la petici\u00f3n. Httpoxy suele afectar al c\u00f3digo que se ejecuta en entornos CGI o similares a CGI.\nEsto puede permitir a los atacantes\:\n* Peticiones salientes del Proxy HTTP realizadas por la aplicaci\u00f3n web.\n* Dirigir el servidor para abrir conexiones salientes a una direcci\u00f3n y puerto de su elecci\u00f3n o\n* Ocupar los recursos del servidor forzando al software vulnerable a utilizar un proxy malicioso. +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Uso indebido de la Cabecera del Proxy ascanbeta.httpoxy.otherinfo = Se envi\u00f3 un mensaje saliente a {0} a trav\u00e9s del host y el puerto que ZAP inyect\u00f3 en el encabezado del proxy HTTP. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = la extensi\u00f3n de Red est\u00e1 deshabilitada ascanbeta.httpoxy.soln = La mejor mitigaci\u00f3n inmediata es bloquear las cabeceras de petici\u00f3n Proxy lo antes posible, y antes de que lleguen a su aplicaci\u00f3n. 
-ascanbeta.httpsashttp.desc = El contenido al que se accedi\u00f3 inicialmente por HTTPS (es decir, usando cifrado SSL/TLS) tambi\u00e9n es accesible por HTTP (sin cifrado). +ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = Contenido HTTPS Disponible v\u00eda HTTP ascanbeta.httpsashttp.otherinfo = ZAP intent\u00f3 conectarse a trav\u00e9s de\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Aseg\u00farese de que su servidor web, servidor de aplicaciones, balanceador de carga, etc. est\u00e9 configurado para servir dicho contenido solo a trav\u00e9s de HTTPS. Considere implementar, seguridad de transporte estricta para HTTP. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = El m\u00e9todo HTTP insegurp [{0}] se encuentra habilitado para este recurso, y es explotable. Se encontr\u00f3 que era probable establecer una conexi\u00f3n de socket en el t\u00fanel dirigido a un servicio de terceros, utilizando este m\u00e9todo HTTP. Esto podr\u00e1 permitir que el servidor se utilice como un retransmisor de spam an\u00f3nimo, o como un proxy web, evadiendo de estar forma las restricciones de la red. Tambi\u00e9n podr\u00e1 permitir que se utilice para poder establecer una VPN en el t\u00fanel, expandiendo de un forma efectiva el per\u00edmetro de la red para poder incluir los componentes no confiables. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. 
It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = El m\u00e9todo CONNECT se us\u00f3 para establecer una conexi\u00f3n de socket a [{0}], a trav\u00e9s del servidor web. ascanbeta.insecurehttpmethod.delete.exploitable.desc = Este m\u00e9todo se usa en los servicios REST, para eliminar un recurso. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = Revisa la discusi\u00f3n en stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, para comprender las operaciones de REST revisa https\://www.restapitutorial.com/lessons/httpmethods.html 
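Review bot: the new `ascanbeta.httpoxy.desc` value is missing a space after the first sentence (`of the request.Httpoxy typically affects`); it should read `of the request. Httpoxy typically affects`. The bullet list in the same string is also punctuated inconsistently (the first two items have no trailing period, the third ends with one), so either terminate all three or none. The `httpsashttp.desc` and `insecurehttpmethod.connect.exploitable.desc` replacements read correctly.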
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = Consulte la discusi ascanbeta.insecurehttpmethod.patch.exploitable.desc = Este m\u00e9todo ahora se usa m\u00e1s com\u00fanmente en los servicios REST, PATCH se usa para las capacidades de **modificar**. La solicitud PATCH solo debe contener los cambios en el recurso, no el recurso completo. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = Revisa la discusi\u00f3n en stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, para comprender las operaciones de REST revisa https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = C\u00f3digo de respuesta {0} para el M\u00c9TODO HTTP potencialmente inseguro -ascanbeta.insecurehttpmethod.put.exploitable.desc = Este m\u00e9todo se dise\u00f1\u00f3 originalmente para la operaciones con ficheros. Ahora se usa m\u00e1s com\u00fanmente en los servicios REST, PUT se usa con mayor frecuencia para las capacidades de **actualizaci\u00f3n**, PUT-ing (poniendo) en una URI de recurso conocido con el cuerpo de la solicitud que contiene la representaci\u00f3n reci\u00e9n actualizada del recurso original. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. 
ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = Revisa la discusi\u00f3n en stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, para comprender las operaciones de REST revisa https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Deshabilite m\u00e9todos inseguros como TRACK, TRACE y CONNECT en el servidor web, y aseg\u00farese de que la implementaci\u00f3n del servicio subyacente no admita m\u00e9todos inseguros. ascanbeta.insecurehttpmethod.trace.exploitable.desc = El m\u00e9todo HTTP inseguro [{0}] est\u00e1 habilitado para este recurso y es explotable. Un atacante puede utilizar los m\u00e9todos "Track and Trace" para obtener acceso a la cookie del token o sesi\u00f3n de autorizaci\u00f3n de un usuario de la aplicaci\u00f3n, incluso si la cookie de sesi\u00f3n est\u00e1 protegida con el indicador ''HttpOnly''. Para que el ataque tenga \u00e9xito, el usuario de la aplicaci\u00f3n debe utilizar normalmente un explorador web antiguo o un explorador web que tenga una vulnerabilidad de "bypass" de la misma directiva de origen (SOP). 
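Review bot: the new `ascanbeta.insecurehttpmethod.put.exploitable.desc` value contains a comma splice (`It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities`); splitting it into two sentences, or joining with a semicolon, would read better, and `most-often` does not need the hyphen. Note that the Markdown `**update**` emphasis is carried over from the old string, matching the unchanged `**modificar**` in the `patch.exploitable.desc` line above, so that is consistent.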
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = Este m\u00e9todo HTTP es ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = Consulte la discusi\u00f3n en stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = Existe una condici\u00f3n de desbordamiento de enteros (integer overflow) cuando un entero utilizado en un programa compilado se extiende m\u00e1s all\u00e1 de los l\u00edmites del rango y no se ha verificado correctamente desde el flujo de datos de entrada. -ascanbeta.integeroverflow.error1 = Desbordamiento potencial de entero. El c\u00f3digo de estado se modific\u00f3 en la entrada de una cadena larga de enteros que son aleatorios. -ascanbeta.integeroverflow.error2 = Desbordamiento potencial de entero. El c\u00f3digo de estado se modific\u00f3 en la entrada de una cadena larga de ceros. -ascanbeta.integeroverflow.error3 = Desbordamiento potencial de entero. El c\u00f3digo de estado se modific\u00f3 en la entrada de una cadena larga de unidades. -ascanbeta.integeroverflow.error4 = Desbordamiento potencial de entero. El c\u00f3digo de estado se modific\u00f3 en la entrada de una cadena larga de nueves. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. 
ascanbeta.integeroverflow.name = Error Desbordamiento de Enteros ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = Para evitar desbordamientos y errores de divisi\u00f3n por 0 (cero) en la aplicaci\u00f3n, por favor reescriba el programa backend, comprobando si los valores de los enteros que se est\u00e1n procesando est\u00e1n dentro del rango permitido por la aplicaci\u00f3n. Esto requerir\u00e1 una recompilaci\u00f3n del ejecutable del backend. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Fuera de Banda XSS ascanbeta.oobxss.skipped = no se ha seleccionado ning\u00fan servicio de Escaneo Activo OAST. ascanbeta.proxydisclosure.attack = M\u00e9todos TRACE, OPTIONS con cabecera 'Max-Forwards'. Metodo TRACK. -ascanbeta.proxydisclosure.desc = {0} servidor(es) proxy detectado(s) o identificado(s). Esta informaci\u00f3n ayuda a un atacante potencial a determinar\: \n - Una lista de objetivos para un ataque contra la aplicaci\u00f3n.\n - Vulnerabilidades potenciales en los servidores proxy que dan servicio a la aplicaci\u00f3n.\n - La presencia o ausencia de cualquier componente basado en proxy que pueda causar que los ataques contra la aplicaci\u00f3n sean detectados, prevenidos o mitigados. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Utilizando los m\u00e9todos TRACE, OPTIONS y TRACK, se han identificado los siguientes servidores proxy entre ZAP y la aplicaci\u00f3n/servidor web\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = Se identificaron los siguientes servidores proxy 'silent' (silenciosos). 
Debido a su comportamiento, no se sabe en qu\u00e9 punto en la topolog\u00eda de red residen estos servidores proxy\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = El m\u00e9todo 'TRACE' est\u00e1 habilitado en uno o m\u00e1s de los servidores proxy, o en el servidor de origen. Este m\u00e9todo filtra toda la informaci\u00f3n enviada desde el navegador web y los proxies de vuelta al agente de usuario. Esto puede facilitar los ataques de 'Cross Site Tracing'. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Desconocido ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = Se ha identificado el siguiente servidor web/aplicaci\u00f3n\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Disvulgaci\u00f3n de Proxy ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Desactivar el m\u00e9todo 'TRACE' en los servidores proxy, as\u00ed como el servidor web/aplicaci\u00f3n de origen. \nDesactivar el m\u00e9todo 'OPTIONS' en los servidores proxy, as\u00ed como el servidor web/aplicaci\u00f3n de origen, si no es necesario para otros fines, tales como 'CORS' (Cross Origin Resource Sharing). 
\nConfigure los servidores web y de aplicaciones con p\u00e1ginas de error personalizadas, para evitar que se filtren al usuario p\u00e1ginas de error espec\u00edficas del producto "fingerprintable" (huella) en caso de errores HTTP, como solicitudes "TRACK" para p\u00e1ginas inexistentes.\nConfigure todos los proxies, servidores de aplicaciones y servidores web para evitar la divulgaci\u00f3n de la informaci\u00f3n sobre tecnolog\u00eda y versi\u00f3n en las cabeceras de respuesta HTTP "Server" y "X-Powered-By".\n ascanbeta.relativepathconfusion.desc = El servidor web est\u00e1 configurado para servir respuestas a URL ambiguas de forma que se pueda confundir la "path relative" (ruta relativa) correcta de la URL. Los recursos (CSS, im\u00e1genes, etc.) tambi\u00e9n se especifican en la respuesta de la p\u00e1gina utilizando URL relativas, en lugar de absolutas. En un ataque, si el navegador web analiza la respuesta de "contenido cruzado" de forma permisiva, o puede ser enga\u00f1ado para que analice de forma permisiva la respuesta de "cross-content" (contenido cruzado), utilizando t\u00e9cnicas como el framing, entonces el navegador web puede ser enga\u00f1ado para que interprete HTML como CSS (u otros tipos de contenido), dando lugar a una vulnerabilidad XSS. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = Se ha especificado un Content Type "{0}". Si el navegador web emplea reglas de an\u00e1lisis estricto, esto evitar\u00e1 que los ataques cruzados de contenido tengan \u00e9xito. El modo Quirks en el navegador web desactivar\u00eda el an\u00e1lisis sint\u00e1ctico estricto. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. 
ascanbeta.relativepathconfusion.extrainfo.framingallowed = No se ha especificado ninguna cabecera X-Frame-Options, por lo que la p\u00e1gina se puede enmarcar, y esto se puede utilizar para activar el Modo Quirks, permitiendo eludir el Content Type especificado. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = Se ha especificado m\u00e1s de una etiqueta en la etiqueta HTML para definir la ubicaci\u00f3n de las URL relativas, lo cual no es v\u00e1lido. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No se especific\u00f3 ninguna etiqueta en la etiqueta HTML para definir la ubicaci\u00f3n de las URL relativas. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No se especific\u00f3 ning\u00fan Content Type, por lo que no se requiere el modo Quirks para explotar la vulnerabilidad en el navegador web. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = El modo Quirks se activa expl\u00edcitamente mediante " en la respuesta HTTP especificar\u00e1 de forma inequ\u00edvoca la URL base para todas las URL relativas del documento.\nUtilizar la cabecera de respuesta HTTP "Content-Type" para dificultar que el atacante fuerce al navegador web a malinterpretar el tipo de contenido de la respuesta.\nUtilice la cabecera de respuesta HTTP "X-Content-Type-Options\: nosniff" para evitar que el navegador "husmee" el tipo de contenido de la respuesta.\nUtilice un DOCTYPE moderno como "<\!doctype html>" para evitar que la p\u00e1gina se renderice en el navegador web utilizando el "Modo Quirks", ya que esto hace que el navegador web ignore el tipo de contenido.\nEspecifique la cabecera de respuesta HTTP "X-Frame-Options" para evitar que el modo Quirks se active en el navegador web mediante ataques de framing. 
+ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. ascanbeta.sessionfixation.alert.attack = {0} campo\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = La Cookie se configura en respuesta cuando el campo de la cookie [{0}] se encuentra establecido en NULL\: [{1}]\nLa Cookie se configura en respuesta con el valor de la cookie otorgada (v\u00e1lida) en la petici\u00f3n [{1}] \: [{2}] 
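Review bot: in the new `ascanbeta.relativepathconfusion.soln` value the phrase `the correct use of the "" HTML tag` has empty quotes where the tag name should be, and the removed Spanish line shows the same gap (`mediante " en la respuesta`), so the tag name is missing from both old and new text as visible here; confirm the committed file actually names the tag, otherwise the remediation advice is unusable. Two smaller points in the same hunk: `proxydisclosure.desc` drops the colon after `determine` and indents its list items inconsistently (`\n- A list` versus `\n - Potential`), so either indent all items or none.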
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = La URL en la que se de ascanbeta.sessionfixation.desc = La Fijaci\u00f3n de Sesi\u00f3n puede ser posible. Si este problema se produce con una URL de inicio de sesi\u00f3n (donde el usuario se autentica en la aplicaci\u00f3n), entonces la URL puede ser dada por un atacante, junto con un identificador de sesi\u00f3n fijo, a una v\u00edctima, para m\u00e1s tarde asumir la identidad de la v\u00edctima utilizando el identificador de sesi\u00f3n dado. Si el problema ocurre con una p\u00e1gina que no es de inicio de sesi\u00f3n, la URL y el identificador de sesi\u00f3n fijo s\u00f3lo pueden ser utilizados por un atacante para rastrear las acciones de un usuario no autenticado. Si la vulnerabilidad se produce en un campo de cookie o en un campo de formulario (par\u00e1metro POST) en lugar de en un par\u00e1metro de URL (GET), es posible que tambi\u00e9n se requiera alguna otra vulnerabilidad para establecer el campo de cookie en el navegador de la v\u00edctima, a fin de permitir que se explote la vulnerabilidad. 
ascanbeta.sessionfixation.name = Fijaci\u00f3n de Sesi\u00f3n ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Evitar que el atacante obtenga un identificador de sesi\u00f3n aplicando identificadores de sesi\u00f3n estrictos y asignando identificadores de sesi\u00f3n \u00fanicamente cuando la aplicaci\u00f3n se autentique correctamente.\n2) El servidor deber\u00eda crear siempre un nuevo identificador de sesi\u00f3n en el momento de la autenticaci\u00f3n, independientemente de si ya existe una sesi\u00f3n.\n3) Vincular el identificador de sesi\u00f3n a alguna combinaci\u00f3n identificable de atributos del cliente, como la direcci\u00f3n IP o el certificado SSL del cliente.\n4) Las sesiones, cuando se destruyen, deben destruirse tanto en el servidor como en el cliente.\n5) Implementar un mecanismo de cierre de sesi\u00f3n que destruya todas las sesiones anteriores del cliente.\n6) Implementar tiempos de espera de sesi\u00f3n absolutos.\n7) Cambie de una implementaci\u00f3n de identificador de sesi\u00f3n basada en URL a una basada en cookies o formularios, ya que estas \u00faltimas suelen requerir vulnerabilidades adicionales para poder ser explotadas por un atacante. 
+ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} campo\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = se puede acceder al identificador de sesi\u00f3n {0} campo [{1}], valor [{2}] mediante JavaScript en el navegador web -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = La URL en la que se descubri\u00f3 el problema estaba marcada como p\u00e1gina de inicio de sesi\u00f3n. -ascanbeta.sessionidaccessiblebyjavascript.desc = Una cookie ID de sesi\u00f3n enviada por el servidor (cuando la URL se modifica estableciendo el campo de par\u00e1metro con nombre en NULL) puede ser accedida por JavaScript en el cliente. En conjunci\u00f3n con otra vulnerabilidad, esto puede permitir el secuestro de la sesi\u00f3n. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Cookie ID de la Sesi\u00f3n Accesible para JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs=[cadena vac\u00eda] -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Utilice el flag (bandera) 'httponly' cuando establezca una cookie que contenga una ID sesi\u00f3n, para evitar que JavaScript pueda acceder a ella en el navegador web. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} campo\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = se puede ingresar al identificador de la sesi\u00f3n {0} campo [{1}], valor [{2}] hasta el valor [{3}] (ya que la cookie se obtuvo en {4}), a menos de que se elimine la sesi\u00f3n. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = La URL en la que se descubri\u00f3 el problema estaba marcada como p\u00e1gina de inicio de sesi\u00f3n. ascanbeta.sessionidexpiry.browserclose = navegador cerrado -ascanbeta.sessionidexpiry.desc = La cookie de una ID Sesi\u00f3n enviada por el servidor (cuando la URL se modifica estableciendo el campo de par\u00e1metros con el nombre en NULL) se establece para que sea v\u00e1lida durante un per\u00edodo de tiempo excesivo. 
Esto puede ser explotado por un atacante si el usuario se olvida de desconectarse, si la funcionalidad de cierre de sesi\u00f3n no acaba correctamente con el per\u00edodo de sesiones, o si el identificador de sesi\u00f3n est\u00e1 comprometido por otros medios. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = La Expiraci\u00f3n del Tiempo/Antiguedad-M\u00e1xima de la ID Sesion es excesivo #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs=[cadena vac\u00eda] ascanbeta.sessionidexpiry.soln = 1) Utiliza las directivas de cookies 'Expire' o 'Max-Age' al establecer una cookie que contenga un identificador de sesi\u00f3n, para evitar que est\u00e9 disponible por per\u00edodos prolongados.\n2) Aseg\u00farese de que la funcionalidad de cierre de sesi\u00f3n existe y que termina correctamente el per\u00edodo de sesiones.\n3) Utilizar otras medidas preventivas para asegurar que si un identificador de sesi\u00f3n est\u00e1 comprometido, no pueda ser explotado. ascanbeta.sessionidexpiry.timeexpired = Expirado ascanbeta.sessionidexpiry.timelessthanonehour = Menos de una hora 
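Review bot: removing the two `refs=[cadena vac\u00eda]` lines is the right call, since that value was a literal "[empty string]" placeholder that would have been shown as reference text, and the hunk header (`-160,27 +160,25`) confirms exactly those two lines were dropped; however, the `#these refs cannot be referenced, but we leave it here...` comment now sits above `sessionidaccessiblebyjavascript.soln` and `sessionidexpiry.soln` with no `refs` key beneath it, so either drop the comment or keep an explicitly empty `refs=` key. Separately, the new `sessionfixation.soln` value is missing a space in `7)Switch from a URL based`, and the new `sessionidaccessiblebyjavascript.alert.extrainfo` starts in lower case (`session identifier {0} field`) unlike the other alert strings.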
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = M\u00e1s de una semana ascanbeta.sessionidexposedinurl.alert.attack = {0} campo\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = El campo {0} [{1}] contiene un identificador de la sesi\u00f3n que est\u00e1 expuesta [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = La URL en la que se descubri\u00f3 el problema estaba marcada como p\u00e1gina de inicio de sesi\u00f3n. -ascanbeta.sessionidexposedinurl.desc = En la URL se expone un identificador de sesi\u00f3n. Al compartir dicha URL de un sitio web (que contiene el identificador de sesi\u00f3n), un usuario ingenuo puede estar concediendo inadvertidamente acceso a sus datos, comprometiendo su confidencialidad, integridad y disponibilidad. Las URL que contienen el identificador de sesi\u00f3n tambi\u00e9n aparecen en los marcadores del navegador web, en los archivos de registro del servidor web y en los archivos de registro del servidor proxy. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = ID Sesi\u00f3n Expuesta #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Utilice una implementaci\u00f3n de gesti\u00f3n de sesiones m\u00e1s segura, como la que utiliza cookies de sesi\u00f3n, que no se comparten tan f\u00e1cilmente de forma inadvertida y que no suelen aparecer en los archivos de registro del servidor ni en los marcadores del navegador web. ascanbeta.sessionidsentinsecurely.alert.attack = {0} campo\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = el identificador de la sesi\u00f3n {0} campo [{1}], el valor [{2}] quiz\u00e1s pueda enviarse por medio de un mecanismo que es inseguro. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = La URL en la que se descubri\u00f3 el problema estaba marcada como p\u00e1gina de inicio de sesi\u00f3n. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = El flag 'secure' no se configur\u00f3 en la cookie de sesi\u00f3n proporcionada por el servidor. -ascanbeta.sessionidsentinsecurely.desc = Un identidicador de sesi\u00f3n puede ser enviado a trav\u00e9s de un mecanismo inseguro. En el caso de una cookie enviada en la petici\u00f3n, esto ocurre cuando se utiliza HTTP, en lugar de HTTPS. En el caso de una cookie enviada por el servidor en respuesta (cuando la URL se modifica estableciendo el campo de par\u00e1metro con nombre a NULL), el flag 'secure' no se establece, permitiendo que la cookie se env\u00ede posteriormente a trav\u00e9s de HTTP en lugar de a trav\u00e9s de HTTPS. Esto puede permitir que un esp\u00eda pasivo en la ruta de red obtenga acceso completo a la sesi\u00f3n de la v\u00edctima. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. 
In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = ID de Sesi\u00f3n Transmitido de una manera Insegura #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Utilice la \u00faltima versi\u00f3n disponible de SSL/TLS (para HTTPS) para todas las p\u00e1ginas en las que se comunique un identificador de sesi\u00f3n entre el navegador y el servidor web.\n2) No permita que se fuerce la comunicaci\u00f3n al protocolo HTTP sin cifrar.\n3) Utilice el flag"secure" cuando establezca una cookie que contenga un identificador de sesi\u00f3n, para evitar su posterior transmisi\u00f3n por un mecanismo inseguro.\n4) Reenv\u00ede las peticiones de p\u00e1ginas HTTP no seguras a la p\u00e1gina HTTPS segura equivalente. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. 
-ascanbeta.shellshock.desc = El servidor est\u00e1 ejecutando una versi\u00f3n del Bash shell que permite a los atacantes remotos ejecutar un c\u00f3digo arbitrario +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. ascanbeta.shellshock.extrainfo = De CVE-2014-6271\: GNU Bash a trav\u00e9s de 4.3 procesa cadenas de arrastre despu\u00e9s de las definiciones de funci\u00f3n en los valores de las variables de entorno, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario a trav\u00e9s de un entorno crafteado, como lo demuestran los vectores que involucran la funci\u00f3n ForceCommand en OpenSSH sshd, los m\u00f3dulos mod_cgi y mod_cgid en el servidor HTTP Apache, scripts ejecutados por clientes DHCP no especificados, y otras situaciones en las que la configuraci\u00f3n del entorno se produce a trav\u00e9s de un l\u00edmite de privilegios de la ejecuci\u00f3n de Bash, tambi\u00e9n conocido como "ShellShock." NOTA\: la correcci\u00f3n original de este problema era incorrecta; se ha asignado CVE-2014-7169 para cubrir la vulnerabilidad que sigue presente tras la correcci\u00f3n incorrecta. ascanbeta.shellshock.name = Ejecuci\u00f3n Remota de C\u00f3digo - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Actualizar Bash en el servidor, a la \u00faltima versi\u00f3n +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Usando el ataque, se indujo y detect\u00f3 un retraso de [{0}] milisegundos ascanbeta.sourcecodedisclosure.desc = El c\u00f3digo fuente de la p\u00e1gina actual fue revelado por el servidor web. 
ascanbeta.sourcecodedisclosure.gitbased.evidence = El c\u00f3digo fuente de [{0}] se extrajo usando [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Divulgaci\u00f3n de C\u00f3digo Fuente - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Aseg\u00farese de que los archivos de metadatos Git no se despliegan en el servidor web o en el servidor de aplicaciones. +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosure.lfibased.extrainfo = La salida para el nombre de archivo del c\u00f3digo fuente [{0}] difiere suficientemente de la del par\u00e1metro aleatorio [{1}], en un [{2}%], en comparaci\u00f3n con un umbral de [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Divulgaci\u00f3n de C\u00f3digo Fuente - Inclusi\u00f3n de archivos ascanbeta.sourcecodedisclosure.svnbased.extrainfo = El c\u00f3digo fuente de [{0}] se encontr\u00f3 en [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Divulgaci\u00f3n del C\u00f3digo Fuente - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Aseg\u00farese de que los archivos de metadatos SVN no se despliegan en el servidor web o en el servidor de aplicaciones. +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Algunas versiones de PHP, cuando se configuran para ejecutarse utilizando CGI, no manejan correctamente las cadenas de consulta que carecen de un car\u00e1cter "\=" sin may\u00fasculas, lo que permite la divulgaci\u00f3n del c\u00f3digo fuente de PHP y la ejecuci\u00f3n de c\u00f3digo arbitrario. En este caso, el contenido del archivo PHP se serv\u00eda directamente al navegador web. Esta salida contendr\u00e1 t\u00edpicamente PHP, aunque tambi\u00e9n puede contener HTML directo. 
ascanbeta.sourcecodedisclosurecve-2012-1823.name = Divulgaci\u00f3n del C\u00f3digo Fuente - CVE-2012-1823 
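Review bot: this hunk leaves sibling rules in an inconsistent language state: ascanbeta.sourcecodedisclosure.gitbased.name becomes "Source Code Disclosure - Git" while ascanbeta.sourcecodedisclosure.svnbased.name in the unchanged context stays "Divulgaci\u00f3n del C\u00f3digo Fuente - SVN", and both .soln keys switch to English while their .extrainfo keys remain Spanish. The same split appears for shellshock (.desc and .soln English, .name and .extrainfo Spanish) and for sessionidsentinsecurely (.desc, .soln and .alert.extrainfo English, .name and the other .alert.extrainfo.* keys Spanish). Either retranslate the reset keys before merging or reset every key of a rule together, so a Spanish report does not mix languages inside one alert. If the old Spanish sessionidsentinsecurely.soln is restored, fix its `flag"secure"` (missing space) at the same time.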
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://www.cve.org/CVERecord?id\=CVE-2022-42889\nh ascanbeta.text4shell.skipped = no se ha seleccionado ning\u00fan servicio de Escaneo Activo OAST. ascanbeta.text4shell.soln = Actualice Apache Commons Text a la versi\u00f3n 1.10.0 o superior. -ascanbeta.usernameenumeration.alert.attack = Manipule el [{0}] campo\: [{1}] y controle la salida -ascanbeta.usernameenumeration.alert.extrainfo = El par\u00e1metro [{0}] [{1}] se encarga de filtrar la informaci\u00f3n acerca de si un usuario existe. Las [{5}] diferencias que se encuentra en el resultado, para el valor del nombre de usuario original v\u00e1lido [{2}], y el valor del nombre de usuario no v\u00e1lido [{3}] son\: \n[{4}] -ascanbeta.usernameenumeration.desc = Se pueden enumerar los nombres de usuario, basados en distintas respuestas de HTTP, al momento que se proporcionan los nombres de usuario v\u00e1lidos e inv\u00e1lidos. Esto aumenta much\u00edsimo la posibilidad de \u00e9xito de ataques de contrase\u00f1a realizados por fuerza bruta, contra el sistema. Se debe tener en cuenta que se pueden disminuir los falsos positivos incrementando la opci\u00f3n 'Fuerza de ataque' en ZAP. Debe comprobar manualmente el campo "Otra Informaci\u00f3n" para saber si esto es un problema. realmente. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. 
Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. ascanbeta.usernameenumeration.name = Posible Enumeraci\u00f3n de Nombre de Usuario ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = No divulgue detalles sobre si un nombre de usuario es v\u00e1lido o inv\u00e1lido. En particular, en los intentos fallidos de inicio de sesi\u00f3n, no distingas entre un usuario no v\u00e1lido y una contrase\u00f1a no v\u00e1lida en el mensaje de error, el t\u00edtulo de la p\u00e1gina, el contenido de la p\u00e1gina, las cabeceras HTTP o la l\u00f3gica de redireccionamiento. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fa_IR.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fa_IR.properties index c5e6e096170..63f458217f9 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fa_IR.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fa_IR.properties 
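Review bot: in the usernameenumeration hunk, .desc, .alert.attack and .alert.extrainfo are reset to English while .name, .refs and .soln keep their Spanish text, so the "Posible Enumeraci\u00f3n de Nombre de Usuario" alert will show an English description under a Spanish title; the same retranslate-or-reset-consistently choice applies here. The removed Spanish .desc carried a stray "problema. realmente." fragment, so if it is restored that should be cleaned up. Also note the English .alert.extrainfo places a period after `[{4}]`, where the old Spanish value had `\n[{4}]` with none; since {4} holds the list of differences, check how a trailing period renders after a multi-line expansion before mirroring it into other locales.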
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = \u0627\u0641\u0634\u0627\u06cc \u067e\u0631\u0648\u0646\u062f\u0647 \u067e\u0634\u062a\u06cc\u0628\u0627\u0646 ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
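Review bot: the ascanbeta.cookieslack.affect.response.no and .yes pairs are character-for-character identical in this view, so the change is trailing whitespace; review with whitespace highlighting (`git diff --ws-error-highlight=all`) to confirm nothing else moved. The two cookieslack.session.* values also drop the space before `\n`; ascanbeta.cookieslack.endline and .separator supply the joining characters, so that space was not load-bearing. The terminal periods added to HTTPParamPoll.sol and backupfiledisclosure.desc are fine; while this region is in view, "un-necessary" in the backupfiledisclosure.soln context line could be normalised to "unnecessary", but that fix belongs in the English source file from which this untranslated fa_IR content is populated.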
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
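Review bot: the unchanged context line ascanbeta.crossdomain.adobe.read.soln reads "...cross-domain read requests to this web server, using . You should only grant...", so the element name after "using" is missing in this view; verify in the properties file itself whether the crossdomain.xml element reference is present or has been lost, since an angle-bracketed tag inside a message value is easily eaten by HTML rendering and the diff cannot tell the two cases apart. If the file is wrong, correct it in the English source so the fix flows to every locale. The two changed lines in this hunk (crossdomain.adobe.desc and .read.extrainfo) are identical before and after, i.e. whitespace only.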
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
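Review bot: ascanbeta.httpoxy.desc gains a terminal period but keeps "of the request.Httpoxy typically affects" with no space after the first sentence; since the line is being edited anyway, restore the space (in the English source, which feeds this file). The httpsashttp.desc and insecurehttpmethod.connect.exploitable.desc pairs are identical in this view, so whitespace only.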
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
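Review bot: reducing the trailing ".." on ascanbeta.insecurehttpmethod.put.exploitable.desc to a single period is correct, but the value still reads "It is now most commonly used in REST services, PUT is most-often utilized...", a comma splice mirrored in the patch.exploitable.desc context line ("...REST services, PATCH is used..."); a period after "REST services" fixes both. Make that change in the English source so all locale files pick it up rather than patching this one.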
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
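Review bot: In the added ascanbeta.relativepathconfusion.soln value the tag name between the quotes in `the correct use of the "" HTML tag in the HTTP response` is empty as shown, and the context values .extrainfo.morethanonebasetag and .extrainfo.nobasetag likewise read `More than one tag was specified in the HTML tag` / `No tag was specified in the HTML tag` with no tag named; the key names indicate the base tag is meant, so confirm the file really carries it (angle-bracketed text may have been dropped on display) and restore it if not, since the advice is unreadable without it. The .extrainfo.contenttypeenabled and .extrainfo.nocontenttype lines show no visible difference between their - and + forms, so that part of the hunk appears to be whitespace-only and is worth stating in the commit message.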
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
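Review bot: Item 7 of the added ascanbeta.sessionfixation.soln value still reads `7)Switch from a URL based` with no space after `7)`, unlike `1) Prevent` through `6) Implement`; this hunk already reflows that value onto one line and adds the final period, so fix the spacing in the same change. Three more points in this hunk: the empty keys ascanbeta.sessionidaccessiblebyjavascript.refs= and ascanbeta.sessionidexpiry.refs= are removed while the comment above each (`#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..`) is kept, so each comment now describes nothing and should be removed with its key or the key kept; the added ascanbeta.sessionidexpiry.desc value appears to wrap onto a following line after `excessive period of time.` with no trailing backslash, which a .properties parser reads as a new key rather than a continuation, so verify it is a single line in the file; and the hunk capitalises `The URL on which the issue was discovered` for the sessionidaccessiblebyjavascript .loginpage value only, while the sessionidexpiry, sessionidexposedinurl and sessionidsentinsecurely .alert.extrainfo.loginpage values in the surrounding context still read `The url on which`, so either change all four or none.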
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
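Review bot: The added ascanbeta.sessionidsentinsecurely.desc value appears to break onto a new line before `This may allow a passive eavesdropper on the network path` without a continuation backslash, the same concern as for the earlier sessionidexpiry.desc line: a bare continuation is parsed as its own key, so confirm the value is on one line. The remaining changes here are a final period on shellshock.desc, shellshock.soln and the gitbased/svnbased .soln values, while ascanbeta.sessionidsentinsecurely.alert.extrainfo, ascanbeta.sessionidsentinsecurely.soln and ascanbeta.sourcecodedisclosure.gitbased.name show no visible difference between - and +, so these are presumably whitespace-only and should be described as such in the commit message.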
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fil_PH.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fil_PH.properties index 50f2b8b4c54..71414fe016f 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fil_PH.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fil_PH.properties 
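Review bot: The added ascanbeta.usernameenumeration.alert.extrainfo value now ends `are\:\n[{4}].`, placing a period directly after the {4} placeholder, which the rule fills with the multi-line block of response differences; a lone `.` after that block will read as stray output in the alert, so drop it (the .alert.attack values in this file, which also end in a placeholder, take no period). Unrelated to this change but visible in the context: ascanbeta.text4shell.soln reads `Upgrade Apache Commons Text prior to version 1.10.0 or newer.`, which contradicts itself; the source string should say to upgrade to version 1.10.0 or newer.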
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = Ang pag-atake ng HTTP Parameter Polusyon (HPP) ay binubuo ng pag-inject ng mga naka-encode na query string delimiter sa iba pang umiiral na mga parameter. Kung ang isang webaplikasyon ay hindi maayos na sanitize ang input ng user, ang isang nakakahamak na user ay maaaring ikompromiso ang lohika ng aplikasyon upang maisagawa ang alinman sa pag-atake ng client-side o server. Ang isang kinahinatnan ng pag-atake ng HPP ay ang pag-atake ng potensyal na pag-override ng umiiral na hard-code na mga parameter ng HTTP upang baguhin ang pag-uugali ng isang application, pag-bypass ang mga checkpoint ng pagpapatunay ng input, at pag-access at maaaring pagsamantalahan ang mga variable na maaaring direktang maabot. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = Polusyon ng Parameter ng HTTP -ascanbeta.HTTPParamPoll.sol = Maayos na sanitize ang input ng user para sa mga delimiter ng parameter +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Ang isang backup ng file ay isiwalat ng web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = Paglilitaw ng Backup ng File ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Huwag baguhin ang mga file na in-situ sa server ng web, at tiyakin na ang mga hindi kinakailangang mga file (kabilang ang mga nakatagong file) ay aalisin mula sa web server. -ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. 
\n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
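Review bot: ascanbeta.HTTPParamPoll.sol and ascanbeta.backupfiledisclosure.desc had Filipino values (`Maayos na sanitize ang input ng user para sa mga delimiter ng parameter`, `Ang isang backup ng file ay isiwalat ng web server`) and this hunk replaces them with English in the fil_PH locale file, so these two strings will render in English for Filipino users; if this is a sync that intentionally drops translations, say so in the commit message, otherwise keep the Filipino text and apply only the trailing period. The cookieslack edits are fine: the `\n` that was stranded on its own line is folded back into the end of the .session.destroyed value, and the space before `\n` in .session.warning is removed.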
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Maaaring posible ang posibleng pagpapasok ng kahilingan sa pamamagitan ng Flash/Silverlight sa pamamagitan ng isang misconfiguration sa web server. -ascanbeta.crossdomain.adobe.read.extrainfo = Pinapayagan ng web server ang mga nakakahamak na data ng cross-domain na mga kahilingan sa pagbabasa mula sa mga bahagi ng Flash/Silverlight na nagsilbi mula sa anumang ikatlong partido na domain, sa domain na ito. Kung ang user ng biktima ay naka-log in sa serbisyong ito, ang mga kahina-hinalang read request ay pinoproseso gamit ang mga pribilehiyo ng biktima, at maaaring magresulta sa data mula sa serbisyong ito na nakompromiso ng isang hindi awtorisadong third party na web site, sa pamamagitan ng web browser ng biktima. Ito ay partikular na malamang na maging isang isyu kung ang pagpapatupad ng pagpapatupad ng session na Cookie ay ginagamit. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. 
+ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Pag-configure ng Cross-Domain - Adobe - Basahin ascanbeta.crossdomain.adobe.read.soln = I-configure ang file na crossdomain.xml upang paghigpitan ang listahan ng mga domain na pinapayagang gumawa ng mga hiling sa cross-domain na basahin sa web server na ito, gamit . Dapat mo lamang bigyan ng access sa "*" (all domains) kung ikaw ay tiyak na ang serbisyong ito ay hindi nagho-host ng anumang access-controlled, personalized, o pribadong data. ascanbeta.crossdomain.adobe.send.extrainfo = Pinapayagan ng web server ang nakahahamak na data ng cross-domain na ipadala (ngunit hindi kinakailangan basahin) ang mga kahilingan na nagmula sa mga bahagi ng Flash/Silverlight na nagsilbi mula sa anumang ikatlong partido na domain, sa domain na ito. Kung ang user ng biktima ay naka-log in sa serbisyong ito, ang mga kahilingan sa pagpapadala ng mga nakakahamak ay pinoproseso gamit ang mga pribilehiyo ng biktima, at maaaring magresulta sa pag-atake ng Cross Site Request Forgery (CSRF), sa pamamagitan ng web browser ng biktima. Ito ay partikular na malamang na maging isang isyu kung ang pagpapatupad ng pagpapatupad ng session na Cookie ay ginagamit. 
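Review bot: Same translation concern as the first hunk of this file: ascanbeta.crossdomain.adobe.desc and ascanbeta.crossdomain.adobe.read.extrainfo lose their Filipino values for English text, and the neighbouring .read.name, .read.soln and .send.extrainfo stay Filipino, so the alert will be shown in two languages at once. Also, the context value ascanbeta.crossdomain.adobe.read.soln ends a clause with `gamit .` (`using .`), so the name of the crossdomain.xml element to be configured is missing after `gamit` (possibly angle-bracketed text dropped on display); not part of this change, but worth confirming in the file.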
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = Ang hindi secure na paraan ng HTTP [{0}] ay pinagana para sa mapagkukunan na ito, at magagamit. Napag-alaman na posible na magtatag ng koneksyon ng tunneled socket sa isang third party service, gamit ang HTTP na paraan. Ito ay magpapahintulot sa serbisyo na magamit bilang isang hindi nakikilalang spam relay, o bilang isang proxy ng web, na nililimitahan ang mga paghihigpit sa network. Pinapayagan din nito na magamit upang maitatag ang isang tunneled VPN, epektibong pagpapalawak ng perimeter ng network upang isama ang mga hindi pinagkakatiwalaang mga bahagi. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = Ang pamamaraan ng CONNECT ay ginamit upang magtatag ng koneksyon ng socket sa [{0}], sa pamamagitan ng web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
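Review bot: The added ascanbeta.httpoxy.desc value still reads `request.Httpoxy typically affects code running in CGI or CGI like environments` with no space after the period and without the hyphen in `CGI-like`; the hunk only appends a period to the final bullet, so fix the missing space in the same change. That appended period also lands on one bullet (`* Tie up server resources ... malicious proxy.`) while the other two bullets in the same value have none, so punctuate all three or none. As elsewhere in this file, ascanbeta.insecurehttpmethod.connect.exploitable.desc swaps its Filipino value for English while the following .connect.exploitable.extrainfo stays Filipino, and ascanbeta.httpsashttp.desc shows no visible change between - and +.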
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Huwag paganahin ang mga pamamaraan ng hindi secure na paraan tulad ng TRACK, TRACE, at CONNECT sa web server, at tiyakin na ang pagpapatuloy ng pagpapatupad ng serbisyo ay hindi sumusuporta sa mga pamamaraan ng hindi secure. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = Ang hindi secure na paraan ng HTTP [{0}] ay pinagana para sa mapagkukunan na ito, at magagamit. Ang mga pamamaraan ng TRACK and TRACE ay maaaring gamitin ng isang magsasalakay, upang makakuha ng daan at permiso ng token / session cookie ng isang gumagamit ng application, kahit na ang session cookie ay protektado gamit ang ''HttpOnly'' na bandila. Para sa matagumpay na pag-atake, ang user ng application ay kadalasang gumagamit ng isang mas lumang web browser, o isang web browser na may baluktot na bypass na Same Origin Policy (SOP). 
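Review bot: the put.exploitable.desc change only removes the doubled period; the run-on "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI ..." survives, and "most-often" should not be hyphenated. Suggest "It is now most commonly used in REST services, where PUT is most often used for update operations: PUTting to a known resource URI with a request body containing the updated representation of the resource." The `**update**` markdown emphasis will also be shown literally in the alert panel, since these strings are not rendered as markdown. The insecurehttpmethod.soln context line remains Filipino while put/patch/delete are English; either retranslate the whole group or let all of it fall back to the source language.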
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potensyal na Integer Overflow. Ang kalagayan ng code ay nagbago sa input ng isang mahabang string ng mga random na integer. -ascanbeta.integeroverflow.error2 = Potensyal na Integer Overflow. Binago ang code ng katayuan sa input ng isang mahabang string ng mga zero. -ascanbeta.integeroverflow.error3 = Potensyal na Integer Overflow. Ang code ng katayuan ay nagbago sa input ng isang mahabang string ng mga bago. -ascanbeta.integeroverflow.error4 = Potensyal na Integer Overflow. Ang code ng katayuan ay nagbago sa input ng isang mahabang string ng nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. 
ascanbeta.integeroverflow.name = Error sa Pag-overlay ng Integer ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
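Review bot: replacing error1-4 with English here is more than a lost translation; the removed error3 rendered "ones" as "mga bago" ("new"), so the fallback corrects a mistranslation. The context line ascanbeta.integeroverflow.name = "Error sa Pag-overlay ng Integer" has the same problem ("overlay" rather than "overflow") and stays untouched, so the alert title is still wrong while its body is now English. Either fix the name translation in the same change or fall the whole integeroverflow group back to the source strings.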
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Ang hindi alam ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} patlang\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Itakda ang cookie bilang tugon kapag ang patlang ng cookie na [{0}] ay nakatakda sa NULL\: [{1}]\nAng cookie na itinakda bilang tugon sa halaga ng cookie (valid) na cookie sa kahilingan [{1}] \: [{2}] 
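Review bot: the new proxydisclosure.desc is internally inconsistent: the first bullet becomes "determine\n- A list of targets", dropping the leading space, while the next two bullets keep "\n - Potential vulnerabilities" and "\n - The presence", so the rendered list is misaligned. Make all three bullets use the same prefix, e.g. "\n- ". In the same hunk the relativepathconfusion.soln "+" line reads 'the correct use of the "" HTML tag'; if the tag name was really dropped from the property (and not just from this rendering) the sentence is empty, and the morethanonebasetag and nobasetag context lines ("More than one tag was specified in the HTML tag") look affected the same way. Please confirm the tag names are still present in the file.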
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = Ang url kung saan natu ascanbeta.sessionfixation.desc = Maaaring posible ang pag-aayos ng Session. Kung ang isyu na ito ay nangyayari sa isang login na URL (kung saan pinatutunayan ng user ang kanilang sarili sa application), maaaring maibigay ang URL ng isang magsasalakay, kasama ang isang fixed session id, sa isang biktima, upang ipagpalagay na mamaya ang pagkakakilanlan ng biktima gamit ang ibinigay na session id. Kung ang isyu ay nangyayari sa isang hindi naka-login na pahina, ang URL at fixed session id ay maaari lamang gamitin ng isang magsasalakay upang masubaybayan ang mga aksyon na hindi awtorisadong user. Kung ang kahinaan ay nangyayari sa isang patlang ng cookie o isang field ng form (POST parameter) sa halip na sa isang URL (GET) na parameter, pagkatapos ay ang ilang iba pang mga kahinaan ay maaaring kinakailangan din upang itakda ang patlang ng cookie sa browser ng biktima, upang payagan ang kahinaan upang mapagsamantalahan. 
ascanbeta.sessionfixation.name = Pag-aayos ng Session ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} patlang\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = sesyon identifier {0} field [{1}], halaga [{2}] ay ma-access gamit ang JavaScript sa web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = Ang url kung saan natuklasan ang isyu ay na-flag bilang isang pahina ng logon. -ascanbeta.sessionidaccessiblebyjavascript.desc = Ang Sesyon ID cookie na ipinadala ng server (kapag ang URL na ito ay binagong mga setting na nakapangalan sa parameter field na NULL) ito ay posibleng mapasukan ng JavaScript sa client. Kaugnay sa isa pang kahinaan, ito ay maaring payagan ng sesyon upang hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Sesyon ID ng Cookie na magagamit sa JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Gamitin ang 'httponly na flag kung ang setting sa cookie ay naglalaman ng isang sesyon id, upang maiwasan ang mga ito mula sa pagiging ma-access sa JavaScript sa web browser. 
+ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} patlang\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = sesyon identifier {0} patlang [{1}], halaga [{2}] ay maaring ma-access hanggang [{3}] (mula ang cookie ay natanggap sa {4}), maliban ang sesyon ay nasira. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = Ang url kung saan natuklasan ang isyu ay na-flag bilang isang pahina ng logon. ascanbeta.sessionidexpiry.browserclose = i-browse ang sarado -ascanbeta.sessionidexpiry.desc = Ang Sesyon ID sa cookie na ipinadala ng server (kapag ang URL na ito ay binago sa pamamagitan ng pagtatakda ng parameter na field sa NULL) ay itinakda para maging balido para sa isang sobrang tagal na panahon. Ito ay maaring pagsasamantalahan ng attacker kung ang user ay nakakalimot mag-log out, kung ang lumabas na pag-andar ay hindi tama na sirain ang sesyon, o kung ang mga id ng sesyon ay nakompromiso sa ilang iba pang mga paraan. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Sesyon ID na Expiry Time/Max-Age ay sumobra #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
-ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Gamitin ang 'Expire' o Max-Age' na cookie na mga directive na kung ang setting na cookie ang naglalaman na isang sesyon id, para ito ay maiwasan na pwedeng gamitin para sa pagpatagal ng punto ng oras.\n2) Pasiguro na ang mga logout na mga functionality ay umiiral, at ito ay tama ng magwawasak ng sesyon.\n3) Gamitin ang ibang mga iniiwasan na mga sukat para ito ay mapatunayan na hindi isang sesyon id ay nakumprimiso, ito ay nagdudulot ng paggamit muli. ascanbeta.sessionidexpiry.timeexpired = Paso na ascanbeta.sessionidexpiry.timelessthanonehour = Mas mababa sa oras 
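Review bot: in the new sessionfixation.soln line item "7)Switch from a URL based ..." still lacks the space after "7)" that every other item has ("1) Prevent", "2) The server"); add it while touching the line. Deleting the empty ascanbeta.sessionidaccessiblebyjavascript.refs= and ascanbeta.sessionidexpiry.refs= keys leaves the comment "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future.." dangling above the next unrelated key in both places; remove the comment with the key, or keep the key if the comment is meant to stay. The sessionidexpiry.soln context line is also still Filipino while the sessionidexpiry.desc directly above it is now English.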
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = Higit na isang linggo ascanbeta.sessionidexposedinurl.alert.attack = {0} patlang\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] naglalaman ng isang nakalantad na tagatukoy ng session [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = Ang url kung saan natuklasan ang isyu ay na-flag bilang isang pahina ng logon. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Gumamit ng mas ligtas na pagpapatupad ng pamamahala ng session, tulad ng isa na gumagamit ng cookies ng session, na hindi kasing madaling ibinabahagi nang hindi sinasadya, at hindi karaniwang lumilitaw sa mga file ng log ng server o mga bookmark ng web browser. ascanbeta.sessionidsentinsecurely.alert.attack = {0} patlang\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = sesyon na identifer {0} field [{1}], halaga [{2}] ay posibleng mapadala sa pamamagitan ng hindi secure na mekanismo. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = Ang url kung saan natuklasan ang isyu ay na-flag bilang isang pahina ng logon. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = Ang 'secure' flag ay hindi nai-set sa sesyon na cookie na ibinigay ng server. -ascanbeta.sessionidsentinsecurely.desc = Ang sesyon id ay pwedeng maipadala sa pamamagitan ng hindi maaasahan na mekanismo. Sa case na ang cookie na ipinadala sa pakiusap, nayayari ito kung ang HTTP, sa halip na HTTPS ay ginamit. Sa case ng ang cookie ay pinadala sa server na tugon (kung ang URL ay binago ang setting na nakapangalan sa parameter field na NULL), ang 'secure flag ay hindi naka-set, ito ay pumapayag sa cookie na maipadala mamaya sa HTTP sa halip na sa HTTPS. Ito ay maaring payagan ang passive eavesdropper sa network path para maka kuha ng buong access sa sesyon ng biktima. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. 
In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Sesyon ID na nai-transmit na hindi protektado #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Gamitin ang pinakabagong magagamit na bersyon sa SSL/TLS (para sa HTTPS) para sa lahat ng mga pahina na ang sesyon id ay namamahagi sa pagitan ng browser at ng web server.\n2) Huwag payagan ang komunikasyon na pilitin na hindi ma encrypt ang HTTP protocol.\n3) Gamitin ang 'secure' na flag kung ikaw ay mag set sa cookie na naglalaman na session id, para maiwasan ang kasunod na mga transmisyon sa hindi secure na mekanismo.\n4) I-abante ang hindi secure na HTTP na pahina na mga kahilingan para ma-secure ang HTTPS na tugon ng pahina. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. 
-ascanbeta.shellshock.desc = Ang server ay nagpapatakbo ng isang bersyon ng Bash shell na nagbibigay-daan sa mga malayong mga attaker na magsagawa ng arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. ascanbeta.shellshock.extrainfo = Miula CVE-2014-6271\: GNU Bash sa pamamgitan ng 4.3 nagpoproseso ng mga trailing ng mga string matapos ang mga kahulugan ng mga values sa mga environment ng mga variables, na nagpapahintulot ng malayong mga attacker na nagsasagawa ng arbitrary code sa pamamagitan ng isang crafted na environment, tulad ng demonstrasyon sa vectors na kinasasangkutan ng ForceCommand feature sa OpenSSH sshd, ang mod_cgi na mga modyul sa Apche HTTP Server, ang mga script ay naka execute gamit ang hindi naka specify na mga DHCP clients, at ibang mga situation na setting ng environment na nagaganap sa kabila hanggang sa pribilehiyo mula sa Bash na execution, aka "ShellShock."Paunawa\: ang orihinal na ayusin para sa mga isyung hindi tama\: CVE-2014-7169 ay tinalaga upang masakop ang mga kahinaan ay pa rin sa kasalukuyan matapos ang maling pag-ayos. ascanbeta.shellshock.name = Malayong Code pagpapatupad - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = I-update ang Bash sa server sa pinakabagong bersyon +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Gamitin ang ateke, isang abala sa [{0}] na milliseconds ay induced at na-detect ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. 
ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = Ang source code ay para sa [{0}] ay matatagpuan sa [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Tiyakin na ang SVN metadata na mga file ay hindi naipadala sa web server o application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Ibang mga PHP na mga bersyon, na kung na-configure ay ito ay pinagana gamit ang CGI, huwag nang hawakan ng maayos ang query na mga string na nakukulang ng unescaped "-" na karakter, na nagpapagana ng PHP source code disclosure, at ang arbitrary code excution. sa halimbawang ito, ang mga laman ng PHP file ay maglingod ng direkta sa web browser. Ang output ay karamihan naglalaman ng PHP, Bagamat ito ay naglalaman din ng straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
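Review bot: shellshock.desc and shellshock.soln become English but the shellshock.extrainfo context line stays Filipino and carries typos that should not survive either way ("Miula" for "Mula", "Apche" for "Apache"), and the same split happens for sessionidsentinsecurely (desc and soln English; alert.extrainfo.loginpage and secureflagnotset Filipino) and sourcecodedisclosure.svnbased (soln English; extrainfo Filipino). For the new sessionidsentinsecurely.soln wording, "Use the latest available version of SSL/TLS" would be better as "Use a current TLS version", since no SSL version should be recommended; that fix belongs in the English source if this file is generated.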
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulahin ang [{0}] field\: [{1}] at subaybayan ang output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] ang may-kinalaman sa impormasyon sa kung umiiral ang isang user na umiiral. Ang [{5}] pagkakaiba ng output, para sa mga balidong orihinal na username na halaga [{2}], at imbalidong username na halaga [{3}] ay mga -ascanbeta.usernameenumeration.desc = Ito ay maaring posibleng isa-isahin ang mga username, batay sa magkakaibang HTTP na mga sagot kapag naglaan ng balido o imbalidong mga username. Ito ay lubhang madagdagan ang posibilidad ng tagumpay ng password ng pagpwersa ng taong ganid na pag-aatake laban sa system. Tandaan na ang maling positibo maaring kung minsan ay mababawasan ng pagtaas sa 'Atake ng lakas' na Opsyon sa ZAP. Mangayaring suriin nang manu-mano ang 'Other info' field upang kumpirmahin kung ito ay talagang isang isyu. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Posibleng Username na pagbibilang ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Huwag ibubunyag ang mga detalye ng kung isang username ay balido o hindi balido. Higit sa lahat, para sa mga bigong pag-login pagtatangka, hindi ikumpara ang invalid user at isang imbalidong password sa mensahe ng error, pamagat ng pahina, nilalaman ng mga pahina, HTTP ulunanm o redirection na lohika. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fr_FR.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fr_FR.properties index 0e306a634ed..6922d5e9246 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fr_FR.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_fr_FR.properties 
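Review bot: the new usernameenumeration.alert.extrainfo line restores the "\:\n[{4}]" tail that the removed Filipino string had dropped ("... ay mga" with nothing after it), so the old translation would have displayed the alert without the actual output differences; worth calling out in the commit message since it is a functional fix, not only a language fallback. The text4shell.soln context line "Upgrade Apache Commons Text prior to version 1.10.0 or newer." is self-contradictory and should read "Upgrade Apache Commons Text to version 1.10.0 or newer." in the source file.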
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = Les attaques par pollution de param\u00e8tre HTTP (HPP\: HTTP Parameter Pollution) consistent \u00e0 injecter des d\u00e9limiteurs de cha\u00eene de requ\u00eate encod\u00e9e dans des param\u00e8tres existants. Si une application web n'assaini pas bien les entr\u00e9es d'utilisateur, un utilisateur malveillant peut compromettre la logique de l'application pour lancer des attaques c\u00f4t\u00e9 client ou c\u00f4t\u00e9 serveur. Une cons\u00e9quence des attaques HPP est que l'agresseur peut potentiellement substituer des param\u00e8tres HTTP existants cod\u00e9s en dur pour modifier le comportement d'une application, contourner les points de contr\u00f4le de validation d'entr\u00e9e et acc\u00e9der et exploiter \u00e9ventuellement des variables qui peuvent \u00eatre hors de port\u00e9e directe. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = Pollution de param\u00e8tre HTTP -ascanbeta.HTTPParamPoll.sol = Assainissez correctement les d\u00e9limiteurs de param\u00e8tre des donn\u00e9es d'utilisateur +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Une sauvegarde du fichier a \u00e9t\u00e9 d\u00e9voil\u00e9e par le serveur web +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = Divulgation de fichier de sauvegarde ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Ne modifiez pas les fichiers in situ sur le serveur web, et faites en sorte que les fichiers inutiles (y compris les fichiers cach\u00e9s) soient supprim\u00e9s du serveur web. -ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. 
\n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
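Review bot: the French translations of `ascanbeta.HTTPParamPoll.sol` and `ascanbeta.backupfiledisclosure.desc` are replaced by English text, which regresses the fr_FR localisation for two keys whose meaning does not change (the only visible difference is the trailing period). Keep the existing French and just append the period, e.g. `Assainissez correctement les d\u00e9limiteurs de param\u00e8tre des donn\u00e9es d'utilisateur.` and `Une sauvegarde du fichier a \u00e9t\u00e9 d\u00e9voil\u00e9e par le serveur web.`. The whitespace-only changes to the `cookieslack` keys are fine, and removing the stray space before `\n` in `session.destroyed` and `session.warning` is the right fix.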
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Contrefa\u00e7on de requ\u00eate inter-site de type Flash/Silverlight possible, en raison d'un probl\u00e8me de configuration sur le serveur web. -ascanbeta.crossdomain.adobe.read.extrainfo = Le serveur internet permet des requ\u00eates inter-domaines malveillantes pour la lecture de donn\u00e9es en provenance des composants Flash/Silverlight, servies de n'importe quel domaine de tierce partie \u00e0 ce domaine. Si l'utilisateur et victime est connect\u00e9 \u00e0 ce service, les requ\u00eates de lecture malveillantes sont trait\u00e9es en utilisant les privil\u00e8ges de la victime, ce qui conduirait \u00e0 la compromission des donn\u00e9es de ce service par un site internet tiers non autoris\u00e9, via le navigateur internet de la victime. Ceci sera d'autant plus probl\u00e9matique si une impl\u00e9mentation de session bas\u00e9e sur les cookies est utilis\u00e9e. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. 
+ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Mauvaise configuration inter-domaine - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configurez le fichier crossdomain.xml pour restreindre la liste des domaines autoris\u00e9s \u00e0 faire des requ\u00eates inter-domaines en lecture \u00e0 ce serveur web, \u00e0 l'aide de . Vous devriez donner uniquement acc\u00e8s \u00e0 "*" (tous domaines) si vous \u00eates certain que ce service n'h\u00e9berge pas des donn\u00e9es sous contr\u00f4le d'acc\u00e8s, personnalis\u00e9es ou priv\u00e9es. ascanbeta.crossdomain.adobe.send.extrainfo = Le serveur internet permet des requ\u00eates inter-domaines malveillantes pour la lecture (mais pas n\u00e9cessairement pour l'\u00e9criture) de donn\u00e9es en provenance des composants Flash/Silverlight, servies de n'importe quel domaine d'une tierce partie \u00e0 ce domaine. Si l'utilisateur et victime est connect\u00e9 \u00e0 ce service, les requ\u00eates d'envoi malveillantes sont trait\u00e9es en utilisant les privil\u00e8ges de la victime, conduisant ainsi \u00e0 des attaques de type contrefa\u00e7on de requ\u00eates inter-site (CSRF) via le navigateur de la victime. Ceci est particuli\u00e8rement probl\u00e9matique si l'impl\u00e9mentation de la session est bas\u00e9e sur les cookies. 
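Review bot: `ascanbeta.crossdomain.adobe.desc` and `.read.extrainfo` switch to English while the sibling keys shown in the same hunk (`.read.name`, `.read.soln` and `.send.extrainfo`) stay French, so a French user gets a mixed-language alert for the same finding. The French being removed says the same thing as the new English, so either keep it or reset the whole `crossdomain.adobe.*` group at once rather than two keys out of five.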
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = La m\u00e9thode HTTP non s\u00e9curis\u00e9e [{0}] est activ\u00e9e pour cette ressource et est exploitable. Il s''est av\u00e9r\u00e9 possible d''\u00e9tablir une connexion tunnel par un socket vers le service d''un tiers, gr\u00e2ce \u00e0 cette m\u00e9thode HTTP. Cela permettrait au service d''\u00eatre utilis\u00e9 comme un relais de spam anonyme, ou comme un proxy web, contournant ainsi les restrictions du r\u00e9seau. Il serait \u00e9galement de l''utiliser pour \u00e9tablir un tunnel VPN, \u00e9tendant en fait le p\u00e9rim\u00e8tre du r\u00e9seau pour y inclure des composants indignes de confiance. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. 
It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = La m\u00e9thode CONNECT a \u00e9t\u00e9 utilis\u00e9e pour \u00e9tablir une connexion de socket vers [{0}], via le serveur internet. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
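Review bot: the trailing period is added to `ascanbeta.httpoxy.desc` but the missing space after the first sentence is carried over unchanged (`of the request.Httpoxy typically affects`); since the line is being rewritten anyway, change it to `of the request. Httpoxy typically affects`. In the new English `connect.exploitable.desc`, `It also allows it to be used to establish a tunneled VPN` is awkward; the French it replaces means `It could also be used to establish a tunneled VPN`. Note this key carries a `[{0}]` placeholder, so the value goes through MessageFormat and any apostrophe added to it later must be doubled (`''`), as the removed French line did.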
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = D\u00e9sactivez les m\u00e9thodes non s\u00e9curis\u00e9es comme TRACK, TRACE et CONNECT sur le serveur internet et faites en sorte que l'impl\u00e9mentation sous-jacente du service ne supporte pas de m\u00e9thodes non s\u00e9curis\u00e9es. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = La m\u00e9thode HTTP non s\u00e9curis\u00e9e [{0}] est activ\u00e9e pour cette ressource et est exploitable. Les m\u00e9thodes TRACK and TRACE peuvent \u00eatre utilis\u00e9es par un attaquant pour acc\u00e9der au jeton d''autorisation/cookie de session d''un utilisateur de l''application, m\u00eame si le cookie de session est prot\u00e9g\u00e9 \u00e0 l''aide de l''indicateur ''HttpOnly''. Pour que l''attaque r\u00e9ussisse, l''utilisateur de l''application doit g\u00e9n\u00e9ralement utiliser un navigateur internet plus ancien, ou un navigateur qui a une faille dans la politique de m\u00eame origine (SOP). 
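Review bot: the doubled period at the end of `put.exploitable.desc` is fixed, but the comma splice `It is now most commonly used in REST services, PUT is most-often utilized` survives; a semicolon or a full stop after `services` would read correctly, and the same construction two lines up in `patch.exploitable.desc` (`REST services, PATCH is used`) could be fixed in the same pass.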
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = \u00c9ventuel d\u00e9bordement d'entier. Le code d'\u00e9tat a chang\u00e9 lors de l'entr\u00e9e d'une longue cha\u00eene de nombres entiers al\u00e9atoires. -ascanbeta.integeroverflow.error2 = \u00c9ventuel d\u00e9bordement d'entier. Le code d'\u00e9tat a chang\u00e9 lors de l'entr\u00e9e d'une longue cha\u00eene de z\u00e9ros. -ascanbeta.integeroverflow.error3 = \u00c9ventuel d\u00e9bordement d'entier. Le code d'\u00e9tat a chang\u00e9 lors de l'entr\u00e9e d'une longue cha\u00eene de uns. -ascanbeta.integeroverflow.error4 = \u00c9ventuel d\u00e9bordement d'entier. Le code d'\u00e9tat a chang\u00e9 lors de l'entr\u00e9e d'une longue cha\u00eene de neuf. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. 
ascanbeta.integeroverflow.name = Erreur de d\u00e9bordement d'entier ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
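Review bot: the four `integeroverflow.error1` to `error4` strings lose accurate French translations and become English, while `integeroverflow.name` immediately below stays French (`Erreur de d\u00e9bordement d'entier`), so the alert title and its evidence text will be in different languages. If these are being reset because the English source string changed, the old French (`Le code d'\u00e9tat a chang\u00e9 lors de l'entr\u00e9e d'une longue cha\u00eene de z\u00e9ros.`) already matches the new English and should be kept.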
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Inconnu ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = champ {0}\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie d\u00e9fini dans la r\u00e9ponse lorsque le champ de cookie [{0}] est renseign\u00e9 \u00e0 NULL\: [{1}] \nCookie d\u00e9fini dans la r\u00e9ponse avec la valeur (valide) du cookie emprunt\u00e9e \u00e0 la requ\u00eate [{1}]\: [{2}] 
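Review bot: the rewritten `proxydisclosure.desc` is inconsistent within its own list: the first bullet becomes `determine\n- A list of targets` while the next two keep the old form `\n - Potential vulnerabilities` and `\n - The presence or absence`; make all three bullets use the same prefix. The other changes in this hunk (trailing whitespace removal and joining the `traceenabled` value onto one line) look fine.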
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = L'url \u00e0 laquelle ascanbeta.sessionfixation.desc = Une attaque par fixation de session serait possible. Si ce probl\u00e8me apparait dans le cas d'une URL de connexion (o\u00f9 l'utilisateur s'authentifie aupr\u00e8s de l'application), alors l'URL pourrait \u00eatre fournie \u00e0 la victime avec un identificateur de session fixe par un aggresseur, de mani\u00e8re \u00e0 ce que ce dernier puisse usurper l'identit\u00e9 de la victime avec l'identificateur de session donn\u00e9. Si ce probl\u00e8me apparait avec une autre page internet, l'URL et son identificateur de seesion fixe ne peuvent qu'\u00eatre utilis\u00e9s pour tracer les actions d'un utilisateur non authentifi\u00e9. Si la vuln\u00e9rabilit\u00e9 se produit sur un champ de cookie ou de formulaire (param\u00e8tre POST) plut\u00f4t que sur une URL (GET), alors une autre faille peut aussi \u00eatre n\u00e9cessaire pour renseigner le champ du cookie, afin que la vuln\u00e9rabilit\u00e9 soit exploitable. 
ascanbeta.sessionfixation.name = Fixation de session ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = champ {0}\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = Le champ [{1}] d''identificateur de session {0}, valeur [{2}] peut \u00eatre consult\u00e9 par JavaScript dans le navigateur internet -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = L'url \u00e0 laquelle le probl\u00e8me a \u00e9t\u00e9 d\u00e9couvert a \u00e9t\u00e9 signal\u00e9e comme une page de connexion. -ascanbeta.sessionidaccessiblebyjavascript.desc = Un cookie avec un identificateur de session envoy\u00e9 par le serveur (lorsque l'URL est modifi\u00e9e en d\u00e9finissant \u00e0 NULL le champ de param\u00e8tre) peut \u00eatre acc\u00e9d\u00e9 par JavaScript sur le client. Conjointement avec une autre vuln\u00e9rabilit\u00e9, cela peut permettre de d\u00e9tourner la session. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Cookie d'ID de session accessible par JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
-ascanbeta.sessionidaccessiblebyjavascript.refs=\ -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Utilisez l'indicateur 'httponly' lorsque vous renseignez un cookie contenant un identificateur de session, pour emp\u00eacher que celui-ci soit accessible par JavaScript dans le navigateur internet. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = champ {0}\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = champ [{1}] d''identificateur de session {0}, de valeur [{2}] est accessible jusqu''\u00e0 [{3}] (\u00e9tant donn\u00e9 que le cookie a \u00e9t\u00e9 re\u00e7u \u00e0 {4}), sauf si la session est d\u00e9truite. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = L'url \u00e0 laquelle le probl\u00e8me a \u00e9t\u00e9 d\u00e9couvert a \u00e9t\u00e9 signal\u00e9e comme une page de connexion. ascanbeta.sessionidexpiry.browserclose = fermeture du navigateur -ascanbeta.sessionidexpiry.desc = Un cookie avec identificateur de session envoy\u00e9 par le serveur (quand l'URL est modifi\u00e9e en d\u00e9finissant \u00e0 NULL le champ de param\u00e8tre) reste valide pour une dur\u00e9e trop longue. Ceci peut \u00eatre exploit\u00e9 par un attaquant si l'utilisateur oublie de se d\u00e9connecter, si la fonctionnalit\u00e9 de d\u00e9connexion ne d\u00e9truit pas correctement la session, ou si l'identificateur de session est compromis d'une autre mani\u00e8re. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. 
#Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Le temps d'expiration ou l'\u00e2ge max de l'ID de session est excessif #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs=\ ascanbeta.sessionidexpiry.soln = 1) Utilisez les directives de cookie 'Expire' ou 'Max-Age' lorsque vous d\u00e9finissez un cookie contenant un identificateur de session, pour \u00e9viter que celui-ci soit disponible pour une dur\u00e9e prolong\u00e9e.\n2) Assurez-vous de la pr\u00e9sence d'une fonction de d\u00e9cennexio, et que la session est d\u00e9truite correctement.\n3) Utilisez d'autres mesures pr\u00e9ventives pour \u00e9viter que l'identificateur de session ne soit exploitable au cas o\u00f9 celui-ci soit divulgu\u00e9. ascanbeta.sessionidexpiry.timeexpired = Expir\u00e9 ascanbeta.sessionidexpiry.timelessthanonehour = Moins d'une heure 
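Review bot: removing the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=\` and `ascanbeta.sessionidexpiry.refs=\` keys leaves the comment above each of them (`#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..`) pointing at nothing; drop or reword those comments in the same change. `7)Switch` in `sessionfixation.soln` still lacks a space after the parenthesis although the line is being rewritten. The new `sessionidaccessiblebyjavascript.alert.extrainfo` starts in lowercase (`session identifier {0} field`) unlike the other alert strings; and, as with the other reset keys in this file, `.alert.extrainfo.loginpage`, `.desc` and `.soln` turn English while `.name` and `sessionidexpiry.soln` stay French. Unrelated but visible in the context lines: `sessionidexpiry.soln` has the typo `d\u00e9cennexio` for `d\u00e9connexion`.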
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = Plus d'une semaine ascanbeta.sessionidexposedinurl.alert.attack = champ {0}\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = Le champ {0} [{1}] contient un identificateur de session expos\u00e9 [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = L'url \u00e0 laquelle le probl\u00e8me a \u00e9t\u00e9 d\u00e9couvert a \u00e9t\u00e9 signal\u00e9e comme une page de connexion. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = ID de session expos\u00e9 #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Utilisez une impl\u00e9mentation de gestion de session plus s\u00fbre, telle que celle utilisant des cookies de session, qui ne sont pas aussi facilement partag\u00e9es par inadvertance, et qui n'apparaissent g\u00e9n\u00e9ralement pas dans les fichiers de journalisation des serveur ou dans les signets des navigateurs internet. ascanbeta.sessionidsentinsecurely.alert.attack = champ {0}\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = L''identificateur de session {0} champ [{1}], valeur [{2}] peut \u00eatre envoy\u00e9 par l''interm\u00e9diaire d''un m\u00e9canisme non s\u00e9curis\u00e9. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = L'url \u00e0 laquelle le probl\u00e8me a \u00e9t\u00e9 d\u00e9couvert a \u00e9t\u00e9 signal\u00e9e comme une page de connexion. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = L'indicateur 'secure' n'\u00e9tait pas d\u00e9fini dans le cookie de session fourni par le serveur. -ascanbeta.sessionidsentinsecurely.desc = Un identificateur de session pourrait \u00eatre envoy\u00e9 par un m\u00e9canisme non s\u00e9curis\u00e9. Dans le cas d'un cookie envoy\u00e9 dans la requ\u00eate, cela se produit lorsque HTTP est utilis\u00e9 plut\u00f4t que HTTPS. Dans le cas d'un cookie envoy\u00e9 dans une r\u00e9ponse par le serveur (lorsque l'URL est modifi\u00e9e en fixant \u00e0 NULL le champ de param\u00e8tre nomm\u00e9), l'indicateur "secure" n'est pas renseign\u00e9, ce qui permet de renvoyer le cookie plus tard par HTTP plut\u00f4t que par HTTPS. 
Cela peut permettre \u00e0 une personne malveillante de s'ins\u00e9rer passivement dans l'\u00e9change de donn\u00e9es dans le r\u00e9seau pour obtenir un acc\u00e8s complet \u00e0 la session de la victime. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = ID de session transmis de fa\u00e7on non s\u00e9curis\u00e9e #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Utilisez la version la plus r\u00e9cente de SSL/TLS (pour HTTPS) sur toutes les pages o\u00f9 un identificateur de session est communiqu\u00e9 entre le navigateur et le serveur internet.\n2) Ne permettez pas que la communication puisse \u00eatre contrainte \u00e0 revenir au protocole non crypt\u00e9 HTTP.\n3) Utilisez la balise 'secure' lorsque vous renseignez un cookie contenant un identificateur de session, vous \u00e9viterez ainsi sa transmission ult\u00e9rieure par un m\u00e9canisme non s\u00e9curis\u00e9.\n4) Dirigez les requ\u00eates pour des pages HTTP non s\u00e9curis\u00e9es vers leur \u00e9quivalent s\u00e9curis\u00e9 HTTPS. 
+ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = Le serveur ex\u00e9cute une version de l'interpr\u00e9teur Bash permettant \u00e0 des attaquants distants d'ex\u00e9cuter du code arbitraire +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. ascanbeta.shellshock.extrainfo = De CVE-2014-6271\: le GNU Bash jusqu'\u00e0 4.3 traite l'arri\u00e8re des cha\u00eenes d'apr\u00e8s les d\u00e9finitions de fonction donn\u00e9es par les valeurs des variables d'environnement, ce qui permet aux agresseurs distants d'ex\u00e9cuter du code arbitraire via un certain environnement, comme en t\u00e9moignent les vecteurs impliquant la fonction ForceCommand de OpenSSH sshd, les modules mod_cgi et mod_cgid du serveur HTTP Apache, les scripts ex\u00e9cut\u00e9s par des clients DHCP non pr\u00e9cis\u00e9s et d'autres situations dans lesquelles l'initialisation de l'environnement se fait par l'ex\u00e9cution de Bash \u00e0 travers une limite de privil\u00e8ge, alias "ShellShock". A NOTER\: le correctif original de ce probl\u00e8me \u00e9tait incorrect; CVE-2014-7169 a \u00e9t\u00e9 d\u00e9sign\u00e9 pour couvrir la vuln\u00e9rabilit\u00e9 qui est toujours pr\u00e9sente apr\u00e8s le fix incorrect. 
ascanbeta.shellshock.name = Ex\u00e9cution de code \u00e0 distance - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Mettez \u00e0 jour Bash sur le serveur avec la version la plus r\u00e9cente +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = \u00c0 l''aide de l''attaque, un d\u00e9lai de millisecondes [{0}] a \u00e9t\u00e9 induit et d\u00e9tect\u00e9 ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = Le code source de [{0}] a \u00e9t\u00e9 trouv\u00e9 \u00e0 [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Divulgation de Code Source - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Assurez-vous que les fichiers de m\u00e9tadonn\u00e9es SVN ne sont pas d\u00e9ploy\u00e9s vers le serveur internetou le serveur applicatif +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Certaines versions PHP, lorsqu'il est configur\u00e9 pour ex\u00e9cuter \u00e0 l'aide de CGI, ne manipulez pas correctement les cha\u00eenes de requ\u00eate qui n'ont pas un caract\u00e8re de \u00ab \= \u00bb sans s\u00e9quence d'\u00e9chappement, ce qui permet la divulgation de code source PHP et l'ex\u00e9cution de code arbitraire. Dans ce cas, le contenu du fichier PHP a \u00e9t\u00e9 fourni directement au navigateur internet. Cette sortie contiendra g\u00e9n\u00e9ralement du code PHP, mais il peut \u00e9galement contenir du pur HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
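Review bot: this hunk replaces existing French translations with English for `ascanbeta.sessionidsentinsecurely.alert.extrainfo`, `.desc`, `.soln`, `ascanbeta.shellshock.desc`, `.soln` and `ascanbeta.sourcecodedisclosure.svnbased.soln`, which is a regression for the French locale unless the source strings changed and the old translations no longer match; the commit message should state that, and the untouched French lines around them (`.alert.extrainfo.loginpage`, `.alert.extrainfo.secureflagnotset`, `ascanbeta.shellshock.extrainfo`) show the file is otherwise still translated. Two smaller points on the new lines: the replacement `ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism.` starts in lowercase where every other value in the file starts with a capital, and because this key carries `{n}` placeholders (MessageFormat, as the doubled quotes in the removed `L''identificateur` line show) any apostrophe added to it later must be doubled, so keep it apostrophe-free as it is now. The new `.desc` and `.soln` values read fine.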
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipuler le champ [{0}]\: [{1}] et surveiller la sortie -ascanbeta.usernameenumeration.alert.extrainfo = La valeur [{1}] du param\u00e8tre [{0}] divulgue de l''information sur la question de savoir si un utilisateur existe. Les diff\u00e9rences [{5}] de sortie, pour le nom d''utilisateur original valide [{2}], et pour le nom d''utilisateur invalide [{3}] sont\:\n[{4}] -ascanbeta.usernameenumeration.desc = Il peut \u00eatre possible d'\u00e9num\u00e9rer les noms d'utilisateur, en se basant sur des r\u00e9ponses HTTP diff\u00e9rentes selon les noms d'utilisateur valides et non valides fournis. Cela augmenterait consid\u00e9rablement les chances de succ\u00e8s d'une attaque par force brute sur les mots de passe d'un syst\u00e8me. Notez que les faux positifs peuvent parfois \u00eatre minimis\u00e9s en augmentant l'option 'Force d'attaque' dans ZAP. V\u00e9rifiez s'il vous pla\u00eet manuellement le champ 'Autres infos' pour confirmer qu'il y a effectivement un probl\u00e8me. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. 
Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. ascanbeta.usernameenumeration.name = \u00c9num\u00e9ration de noms d'utilisateur possible ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Ne d\u00e9voilez pas de d\u00e9tail selon que le nom d'utilisateur est valide ou non. En particulier, pour les tentatives de connexion infructueuses, ne distinguez pas entre un nom d'utilisateur non valide et un mot de passe non valide, que ce soit dans le message d'erreur, la page titre, le contenu de page, les en-t\u00eates HTTP ou la logique de redirection. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ha_HG.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ha_HG.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ha_HG.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ha_HG.properties 
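Review bot: in the replaced `ascanbeta.usernameenumeration.alert.extrainfo`, the placeholder roles change: the removed French value reads "the value [{1}] of parameter [{0}]", while the new English value reads "[{0}] parameter [{1}]" (type, then name), which matches the new `.alert.attack = Manipulate [{0}] field\: [{1}]`. Confirm the rule passes its arguments in that order; if the French ordering was the correct one, the English line would print them swapped. Also, the new `.alert.extrainfo` ends with `\n[{4}].`, so the full stop lands after a multi-line block of diffed output; drop it, as the removed line had. Unrelated but visible in the unchanged context: `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself ("prior to" versus "or newer") and should read "to version 1.10.0 or newer".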
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
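Review bot: the two `ascanbeta.cookieslack.affect.response.*` lines and the two `session.*` lines are changed only by removing trailing whitespace (the `+` lines are otherwise identical, and the `session.*` lines lose the space before `\n`). Because these values are concatenated with cookie names and with `ascanbeta.cookieslack.separator`, check that the consumer adds its own space after the colon; if it does not, "These cookies affected the response\:" will now run straight into the first cookie name. The added full stops on `ascanbeta.HTTPParamPoll.sol` and `ascanbeta.backupfiledisclosure.desc` are fine, but for consistency `ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}]` in the same hunk is left without one.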
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
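Review bot: the two changed lines in this hunk (`ascanbeta.crossdomain.adobe.desc` and `.read.extrainfo`) are identical to the removed ones, so this is whitespace-only. Since the file is being touched anyway, the unchanged `ascanbeta.crossdomain.adobe.read.soln` value reads `...allowed to make cross-domain read requests to this web server, using . You should only grant...`, with nothing after "using"; if that is the actual file content and not a rendering artifact of this page, the directive that was meant to follow "using" is missing and the sentence should be completed or the dangling "using ." removed.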
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
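Review bot: the new `ascanbeta.httpoxy.desc` line adds a full stop to the last bullet but keeps `...HTTP Proxy header of the request.Httpoxy typically affects...` with no space after the first sentence; since the line is being rewritten, fix that at the same time, and decide whether all three bullets or none should end with punctuation rather than only the last one. The `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` changes are whitespace-only (identical text on both sides). In the unchanged context, `ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource.` has a comma splice with a capitalised "It"; worth a semicolon or a full stop if this file is revisited.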
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
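Review bot: removing the doubled full stop at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is correct, but the new line still carries the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities"; a semicolon or full stop before "PUT" would read properly, and the same construction appears in the unchanged `patch.exploitable.desc` line ("REST services, PATCH is used for **modify** capabilities"). Also note the `**update**`/`**modify**` markdown emphasis in these values is shown literally in ZAP's alert panes, so the asterisks are probably not wanted.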
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
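Review bot: the `+ascanbeta.relativepathconfusion.soln` line says `the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL`, and the empty quotes name no tag, so the advice is unreadable as shipped; the neighbouring `morethanonebasetag` and `nobasetag` keys show the intended element is the base tag, so put its name back inside the quotes. The `-`/`+` pairs for `contenttypeenabled` and `nocontenttype` are textually identical, so those two changes are whitespace-only; worth saying so in the commit message so translators know the wording did not move.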
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
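Review bot: the comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` is kept in both places while the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys it refers to are deleted, so it now explains nothing; drop the comment together with the key or keep the key. Two smaller points in the same hunk: `7)Switch from a URL based` in `sessionfixation.soln` still lacks the space that items `1)` to `6)` have, and `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed to `The URL on which ...` while the identical `sessionidexpiry.alert.extrainfo.loginpage` context line a few entries below still reads `The url on which ...`, so the capitalisation is now inconsistent within one file.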
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
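Review bot: the `-`/`+` pair for `ascanbeta.sessionidexposedinurl.desc` is textually identical, so this hunk is whitespace-only; fine, but the unchanged `sessionidexposedinurl.alert.extrainfo.loginpage = The url on which ...` context line above it is the same sentence the earlier hunk rewrites to `The URL`, so if that capitalisation change is intended it belongs here as well. The `#these refs cannot be referenced...` comment at the end of this hunk sits above a `sessionidexposedinurl.refs` key that, as the next hunk header shows, does carry an OWASP URL, so that comment is stale too.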
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
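Review bot: the trailing-period pass is applied unevenly in this hunk: `shellshock.desc`, `shellshock.soln`, `gitbased.soln` and `svnbased.soln` gain one, but `shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected`, `sourcecodedisclosure.gitbased.evidence`, `lfibased.extrainfo` and `svnbased.extrainfo` are left without, as is `sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which ...`. Decide whether evidence and extrainfo fragments are deliberately period-free and note it, otherwise treat them the same. The `-`/`+` pairs for `sessionidsentinsecurely.alert.extrainfo`, `sessionidsentinsecurely.soln` and `sourcecodedisclosure.gitbased.name` are identical, i.e. whitespace-only.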
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_he_IL.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_he_IL.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_he_IL.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_he_IL.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
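Review bot: `+ascanbeta.cookieslack.session.destroyed` still runs `[{0}] A follow-on request with all original cookies ...` straight after the cookie name with no punctuation, so the rendered message reads as one sentence; since the line is already being edited for the space before `\n`, put a full stop after `[{0}]`. Also worth a check: this is `Messages_he_IL.properties`, yet every string in the hunk is English, so confirm these locale files are not regenerated from the default `Messages.properties` by the translation sync, in which case the wording edits would be overwritten and belong in the default file.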
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
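Review bot: both `-`/`+` pairs in this hunk (`crossdomain.adobe.desc`, `crossdomain.adobe.read.extrainfo`) are textually identical, so the hunk is whitespace-only; fine, but while this block is being touched the unchanged `crossdomain.adobe.read.soln` line reads `... allowed to make cross-domain read requests to this web server, using . You should only grant ...`, where `using .` names no element, so the sentence is broken as shipped and should name the `crossdomain.xml` element it means. `cors.vuln.desc` in the same hunk has `e.g intranet` and `e.g XSS` without the second full stop.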
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
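Review bot: `+ascanbeta.httpoxy.desc` keeps `of the request.Httpoxy typically affects` with no space after the full stop, which is the one real typo on the line and should go in the same edit that adds the final period; note too that the period lands only on the last bullet (`* Tie up server resources ... malicious proxy.`) while `* Proxy the outgoing ...` and `* Direct the server ...` stay unpunctuated, so punctuate all three or none. The pairs for `httpsashttp.desc` and `insecurehttpmethod.connect.exploitable.desc` are identical, i.e. whitespace-only.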
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
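Review bot: `+ascanbeta.insecurehttpmethod.put.exploitable.desc` removes the doubled full stop but leaves the comma splice `It is now most commonly used in REST services, PUT is most-often utilized ...`; a full stop or semicolon after `REST services` reads correctly. The same construction appears in `delete.exploitable.desc` in the preceding hunk (`REST services, It is used to delete a resource.`), so both could be fixed together.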
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hi_IN.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hi_IN.properties index 10e050b86ca..524a32e1ad6 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hi_IN.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hi_IN.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP \u092a\u0948\u0930\u093e\u092e\u0940\u091f\u0930 \u092a\u094d\u0930\u0926\u0942\u0937\u0923 (HPP) \u0939\u092e\u0932\u094b\u0902 \u0938\u0947 \u092e\u093f\u0932\u0915\u0930 \u0905\u0928\u094d\u092f \u092e\u094c\u091c\u0942\u0926\u093e \u092e\u093e\u0928\u0915\u094b\u0902 \u092e\u0947\u0902 \u090f\u0928\u094d\u0915\u094b\u0921\u0947\u0921 \u0915\u094d\u0935\u0947\u0930\u0940 \u0938\u094d\u091f\u094d\u0930\u093f\u0902\u0917 \u0938\u0940\u092e\u093e\u0902\u0915\u0915 \u0907\u0902\u091c\u0947\u0915\u094d\u0936\u0928 \u0932\u0917\u093e\u0928\u0947 \u0915\u093e\u0964 \u0905\u0917\u0930 \u090f\u0915 \u0935\u0947\u092c \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0920\u0940\u0915 \u0938\u0947 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0915\u0947 \u0907\u0928\u092a\u0941\u091f sanitize \u0928\u0939\u0940\u0902, \u090f\u0915 \u0926\u0941\u0930\u094d\u092d\u093e\u0935\u0928\u093e\u092a\u0942\u0930\u094d\u0923 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0915\u0947 \u0924\u0930\u094d\u0915 \u092f\u093e \u0924\u094b \u0938\u0930\u094d\u0935\u0930-\u0938\u093e\u0907\u0921 \u092f\u093e \u0915\u094d\u0932\u093e\u0907\u0902\u091f-\u0938\u093e\u0907\u0921 \u0939\u092e\u0932\u094b\u0902 \u0915\u094b \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0915\u0947 \u0938\u092e\u091d\u094c\u0924\u093e \u0915\u0930 \u0938\u0915\u0924\u0947 \u0939\u0948\u0902\u0964 HPP \u0939\u092e\u0932\u094b\u0902 \u0915\u093e \u090f\u0915 \u0928\u0924\u0940\u091c\u093e \u092f\u0939 \u0939\u0948 \u0915\u093f \u0939\u092e\u0932\u093e\u0935\u0930 \u0938\u0902\u092d\u0935\u0924\u0903 \u092e\u094c\u091c\u0942\u0926\u093e \u0939\u093e\u0930\u094d\u0921 \u0915\u094b\u0921\u093f\u0924 HTTP \u092a\u0948\u0930\u093e\u092e\u0940\u091f\u0930 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0915\u093f\u0938\u0940 
\u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0915\u0947 \u0935\u094d\u092f\u0935\u0939\u093e\u0930 \u0915\u094b \u0938\u0902\u0936\u094b\u0927\u093f\u0924, \u0907\u0928\u092a\u0941\u091f \u0938\u0924\u094d\u092f\u093e\u092a\u0928 \u091a\u094c\u0915\u093f\u092f\u094b\u0902, \u092c\u093e\u0908\u092a\u093e\u0938 \u0914\u0930 \u0924\u0915 \u092a\u0939\u0941\u0901\u091a\u0928\u0947 \u0914\u0930 \u0938\u0902\u092d\u0935\u0924\u0903 \u091a\u0930 \u0915\u093f \u092a\u094d\u0930\u0924\u094d\u092f\u0915\u094d\u0937 \u092a\u0939\u0941\u0901\u091a \u0938\u0947 \u092c\u093e\u0939\u0930 \u0939\u094b \u0938\u0915\u0924\u0947 \u0939\u0948\u0902 \u092b\u093e\u092f\u0926\u093e \u0909\u0920\u093e\u0928\u0947 \u0915\u094b \u0913\u0935\u0930\u0930\u093e\u0907\u0921 \u0915\u0930 \u0938\u0915\u0924\u0947 \u0939\u0948\u0902\u0964 ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP \u092a\u0948\u0930\u093e\u092e\u0940\u091f\u0930 \u092a\u094d\u0930\u0926\u0942\u0937\u0923 -ascanbeta.HTTPParamPoll.sol = \u0920\u0940\u0915 \u0938\u0947 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0907\u0928\u092a\u0941\u091f \u0915\u0947 \u0932\u093f\u090f \u092a\u0948\u0930\u093e\u092e\u0940\u091f\u0930 \u0938\u0940\u092e\u093e\u0902\u0915\u0915 sanitize +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = \u092b\u093c\u093e\u0907\u0932 \u0915\u0940 \u090f\u0915 \u092c\u0948\u0915\u0905\u092a \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0915\u0947 \u0926\u094d\u0935\u093e\u0930\u093e \u092c\u0924\u093e\u092f\u093e \u0917\u092f\u093e \u0925\u093e +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = \u092c\u0948\u0915\u0905\u092a \u092b\u093c\u093e\u0907\u0932 \u092a\u094d\u0930\u0915\u091f\u0940\u0915\u0930\u0923 ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = \u0928\u0939\u0940\u0902 \u092b\u093c\u093e\u0907\u0932\u094b\u0902 \u092e\u0947\u0902-\u0938\u094d\u0935\u0938\u094d\u0925\u093e\u0928\u0940 \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u092a\u0930 \u0938\u0902\u092a\u093e\u0926\u093f\u0924 \u0915\u0930\u0947\u0902, \u0914\u0930 \u0938\u0941\u0928\u093f\u0936\u094d\u091a\u093f\u0924 \u0915\u0930\u0947\u0902 \u0915\u093f \u0938\u0902\u092f\u0941\u0915\u094d\u0924 \u0930\u093e\u0937\u094d\u091f\u094d\u0930 \u0915\u0947 \u0906\u0935\u0936\u094d\u092f\u0915 \u092b\u093c\u093e\u0907\u0932\u0947\u0902 (\u091b\u0941\u092a\u0940 \u0939\u0941\u0908 \u092b\u093c\u093e\u0907\u0932\u094b\u0902 \u0938\u0939\u093f\u0924) \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0938\u0947 \u0928\u093f\u0915\u093e\u0932 \u0926\u093f\u090f \u091c\u093e\u0924\u0947 \u0939\u0948\u0902\u0964 -ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. 
This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = \u092b\u094d\u0932\u0948\u0936/Silverlight \u0906\u0927\u093e\u0930\u093f\u0924 \u0915\u094d\u0930\u0949\u0938-\u0938\u093e\u0907\u091f \u0905\u0928\u0941\u0930\u094b\u0927 \u091c\u093e\u0932\u0938\u093e\u091c\u0940 \u0938\u0902\u092d\u0935, \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u092a\u0930 \u090f\u0915 \u092e\u093f\u0938\u0915\u0949\u0928\u094d\u092b\u093c\u093f\u0917\u0930\u0947\u0936\u0928 \u0915\u0947 \u0915\u093e\u0930\u0923 \u0939\u094b \u0938\u0915\u0924\u093e \u0939\u0948\u0964 -ascanbeta.crossdomain.adobe.read.extrainfo = \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0915\u093f\u0938\u0940 \u092d\u0940 \u0924\u0943\u0924\u0940\u092f \u092a\u0915\u094d\u0937 \u0921\u094b\u092e\u0947\u0928 \u0938\u0947 \u0907\u0938 \u0921\u094b\u092e\u0947\u0928 \u0915\u0947 \u0932\u093f\u090f \u0938\u0947\u0935\u093e \u0915\u0940 \u092b\u094d\u0932\u0948\u0936/Silverlight \u0918\u091f\u0915\u094b\u0902 \u0938\u0947 \u0939\u094b\u0928\u0947 \u0935\u093e\u0932\u0947 \u0905\u0928\u0941\u0930\u094b\u0927\u094b\u0902 \u092a\u0922\u093c\u0947\u0902 
\u0926\u0941\u0930\u094d\u092d\u093e\u0935\u0928\u093e\u092a\u0942\u0930\u094d\u0923 \u0915\u094d\u0930\u0949\u0938-\u0921\u094b\u092e\u0947\u0928 \u0921\u0947\u091f\u093e \u092a\u0930\u092e\u093f\u091f\u0964 \u0905\u0917\u0930 \u0936\u093f\u0915\u093e\u0930 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0907\u0938 \u0938\u0947\u0935\u093e \u092e\u0947\u0902 \u0932\u0949\u0917 \u0907\u0928 \u0915\u093f\u092f\u093e \u0939\u0948, \u0926\u0941\u0930\u094d\u092d\u093e\u0935\u0928\u093e\u092a\u0942\u0930\u094d\u0923 \u092a\u0922\u093c\u0947\u0902 \u0905\u0928\u0941\u0930\u094b\u0927\u094b\u0902 \u0936\u093f\u0915\u093e\u0930 \u0915\u0947 \u0935\u093f\u0936\u0947\u0937\u093e\u0927\u093f\u0915\u093e\u0930 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0915\u0947 \u0938\u0902\u0938\u093e\u0927\u093f\u0924 \u0915\u0930 \u0930\u0939\u0947 \u0939\u0948\u0902, \u0914\u0930 \u0907\u0938 \u0938\u0947\u0935\u093e \u0915\u0947 \u0926\u094d\u0935\u093e\u0930\u093e \u090f\u0915 \u0905\u0928\u0927\u093f\u0915\u0943\u0924 \u0924\u0943\u0924\u0940\u092f \u092a\u0915\u094d\u0937 \u0935\u0947\u092c \u0938\u093e\u0907\u091f, \u092a\u0940\u0921\u093c\u093f\u0924 \u0915\u0947 \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u0915\u0947 \u092e\u093e\u0927\u094d\u092f\u092e \u0938\u0947 \u0938\u092e\u091d\u094c\u0924\u093e \u0915\u093f\u092f\u093e \u091c\u093e \u0930\u0939\u093e \u0938\u0947 \u0921\u0947\u091f\u093e \u092e\u0947\u0902 \u092a\u0930\u093f\u0923\u093e\u092e \u0915\u0930 \u0938\u0915\u0924\u0947 \u0939\u0948\u0902\u0964 \u092f\u0939 \u0935\u093f\u0936\u0947\u0937 \u0930\u0942\u092a \u0938\u0947 \u0905\u0917\u0930 \u090f\u0915 \u0938\u0924\u094d\u0930 \u0915\u0941\u0915\u0940 \u0906\u0927\u093e\u0930\u093f\u0924 \u0915\u094d\u0930\u093f\u092f\u093e\u0928\u094d\u0935\u092f\u0928 \u0909\u092a\u092f\u094b\u0917 \u092e\u0947\u0902 \u0939\u0948 \u090f\u0915 \u092e\u0941\u0926\u094d\u0926\u093e \u0939\u094b \u091c\u093e\u0928\u0947 
\u0915\u0940 \u0938\u0902\u092d\u093e\u0935\u0928\u093e \u0939\u0948\u0964 +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = \u0915\u094d\u0930\u0949\u0938-\u0921\u094b\u092e\u0947\u0928 Misconfiguration - \u090f\u0921\u094b\u092c - \u092a\u0922\u093c\u0947\u0902 ascanbeta.crossdomain.adobe.read.soln = \u0915\u094d\u0930\u0949\u0938-\u0921\u094b\u092e\u0947\u0928 \u092a\u0920\u0928 \u0905\u0928\u0941\u0930\u094b\u0927 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0907\u0938 \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930, \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0938\u094d\u0935\u0940\u0915\u0943\u0924 \u0921\u094b\u092e\u0947\u0928 \u0915\u0940 \u0938\u0942\u091a\u0940 \u0915\u094b \u0938\u0940\u092e\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f crossdomain.xml \u092b\u093c\u093e\u0907\u0932 \u0915\u094b \u0915\u0949\u0928\u094d\u092b\u093c\u093f\u0917\u0930 \u0915\u0930\u0947\u0902 < \u092f\u0939 domain\="example.com \u0915\u0940 \u0905\u0928\u0941\u092e\u0924\u093f \u0926\u0947\u0902 \u092a\u0939\u0941\u0901\u091a-\u0938\u0947-" >\u0964 \u0906\u092a \u0915\u0947\u0935\u0932 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u092a\u0939\u0941\u0901\u091a 
\u0926\u0947\u0928\u093e \u091a\u093e\u0939\u093f\u090f "*" (\u0938\u092d\u0940 \u0921\u094b\u092e\u0947\u0928) \u092f\u0926\u093f \u0906\u092a \u0906\u0936\u094d\u0935\u0938\u094d\u0924 \u0939\u0948\u0902 \u0915\u093f \u0907\u0938 \u0938\u0947\u0935\u093e \u0915\u0947 \u0915\u093f\u0938\u0940 \u092d\u0940 \u092a\u0939\u0941\u0901\u091a-\u0928\u093f\u092f\u0902\u0924\u094d\u0930\u093f\u0924, \u0935\u094d\u092f\u0915\u094d\u0924\u093f\u0917\u0924 \u092f\u093e \u0928\u093f\u091c\u0940 \u0921\u0947\u091f\u093e \u0939\u094b\u0938\u094d\u091f \u0928\u0939\u0940\u0902 \u0915\u0930\u0924\u093e \u0939\u0948\u0964 ascanbeta.crossdomain.adobe.send.extrainfo = \u092a\u0930\u092e\u093f\u091f \u0926\u0941\u0930\u094d\u092d\u093e\u0935\u0928\u093e\u092a\u0942\u0930\u094d\u0923 \u0915\u094d\u0930\u0949\u0938-\u0921\u094b\u092e\u0947\u0928 \u0921\u0947\u091f\u093e \u092d\u0947\u091c\u0947\u0902 (\u0932\u0947\u0915\u093f\u0928 \u091c\u0930\u0942\u0930\u0940 \u0928\u0939\u0940\u0902 \u0915\u093f \u092a\u0922\u093c\u0947\u0902) \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0905\u0928\u0941\u0930\u094b\u0927 \u0915\u0930\u0924\u093e \u0939\u0948 \u092b\u094d\u0932\u0948\u0936/Silverlight \u0918\u091f\u0915\u094b\u0902 \u0938\u0947 \u0939\u094b\u0928\u0947 \u0935\u093e\u0932\u0947 \u0915\u093f\u0938\u0940 \u092d\u0940 \u0924\u0943\u0924\u0940\u092f \u092a\u0915\u094d\u0937 \u0921\u094b\u092e\u0947\u0928 \u0938\u0947 \u0907\u0938 \u0921\u094b\u092e\u0947\u0928 \u0915\u0947 \u0932\u093f\u090f \u0938\u0947\u0935\u093e \u0915\u0940\u0964 \u092f\u0926\u093f \u0936\u093f\u0915\u093e\u0930 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0907\u0938 \u0938\u0947\u0935\u093e \u092e\u0947\u0902 \u0932\u0949\u0917 \u0907\u0928 \u0915\u093f\u092f\u093e \u0939\u0948, \u0924\u094b \u0926\u0941\u0930\u094d\u092d\u093e\u0935\u0928\u093e\u092a\u0942\u0930\u094d\u0923 \u0905\u0928\u0941\u0930\u094b\u0927\u094b\u0902 \u0936\u093f\u0915\u093e\u0930 \u0915\u0947 
\u0935\u093f\u0936\u0947\u0937\u093e\u0927\u093f\u0915\u093e\u0930 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0915\u0947 \u0938\u0902\u0938\u093e\u0927\u093f\u0924 \u0915\u0930 \u0930\u0939\u0947 \u0939\u0948\u0902, \u0914\u0930 \u0915\u094d\u0930\u0949\u0938 \u0938\u093e\u0907\u091f \u0905\u0928\u0941\u0930\u094b\u0927 \u091c\u093e\u0932\u0938\u093e\u091c\u0940 (CSRF) \u092a\u094d\u0930\u0915\u093e\u0930 \u0939\u092e\u0932\u094b\u0902, \u092a\u0940\u0921\u093c\u093f\u0924 \u0915\u0947 \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u0915\u0947 \u092e\u093e\u0927\u094d\u092f\u092e \u0938\u0947 \u092a\u0930\u093f\u0923\u093e\u092e \u0915\u0930 \u0938\u0915\u0924\u0947 \u0939\u0948\u0902 \u092d\u0947\u091c\u0928\u0947 \u0915\u0947\u0964 \u092f\u0939 \u0935\u093f\u0936\u0947\u0937 \u0930\u0942\u092a \u0938\u0947 \u0905\u0917\u0930 \u090f\u0915 \u0938\u0924\u094d\u0930 \u0915\u0941\u0915\u0940 \u0906\u0927\u093e\u0930\u093f\u0924 \u0915\u094d\u0930\u093f\u092f\u093e\u0928\u094d\u0935\u092f\u0928 \u0909\u092a\u092f\u094b\u0917 \u092e\u0947\u0902 \u0939\u0948 \u090f\u0915 \u092e\u0941\u0926\u094d\u0926\u093e \u0939\u094b \u091c\u093e\u0928\u0947 \u0915\u0940 \u0938\u0902\u092d\u093e\u0935\u0928\u093e \u0939\u0948\u0964 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = \u0905\u0938\u0941\u0930\u0915\u094d\u0937\u093f\u0924 HTTP \u0935\u093f\u0927\u093f [{0}] \u0907\u0938 \u0938\u0902\u0938\u093e\u0927\u0928 \u0915\u0947 \u0932\u093f\u090f \u0938\u0915\u094d\u0937\u092e \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0939\u0948, \u0914\u0930 \u0926\u094b\u0939\u0928 \u0939\u0948\u0964 \u092f\u0939 \u0938\u0947\u0935\u093e \u0907\u0938 HTTP \u092a\u0926\u094d\u0927\u0924\u093f \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0915\u0947, \u090f\u0915 \u0924\u0940\u0938\u0930\u0940 \u092a\u093e\u0930\u094d\u091f\u0940 \u0915\u0947 \u0932\u093f\u090f \u090f\u0915 tunneled \u0938\u0949\u0915\u0947\u091f \u0915\u0928\u0947\u0915\u094d\u0936\u0928 \u0938\u094d\u0925\u093e\u092a\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0938\u0902\u092d\u0935 \u0939\u094b \u092a\u093e\u092f\u093e \u0925\u093e\u0964 \u092f\u0939 \u0938\u0947\u0935\u093e \u090f\u0915 \u0905\u0928\u093e\u092e \u0938\u094d\u092a\u0948\u092e \u0930\u093f\u0932\u0947 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902, \u092f\u093e \u090f\u0915 \u0935\u0947\u092c 
\u092a\u094d\u0930\u0949\u0915\u094d\u0938\u0940 \u0928\u0947\u091f\u0935\u0930\u094d\u0915 \u092a\u094d\u0930\u0924\u093f\u092c\u0902\u0927\u094b\u0902 \u0915\u094b \u0926\u0930\u0915\u093f\u0928\u093e\u0930, \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u0907\u0938\u094d\u0924\u0947\u092e\u093e\u0932 \u0915\u093f\u092f\u093e \u091c\u093e \u0915\u0930\u0928\u0947 \u0915\u0940 \u0905\u0928\u0941\u092e\u0924\u093f \u0939\u094b\u0917\u0940\u0964 \u092f\u0939 \u092d\u0940 \u0907\u0938\u0947 \u090f\u0915 tunneled \u0935\u0940\u092a\u0940\u090f\u0928, \u092a\u094d\u0930\u092d\u093e\u0935\u0940 \u0922\u0902\u0917 \u0938\u0947 \u0905\u0935\u093f\u0936\u094d\u0935\u0938\u094d\u0924 \u0918\u091f\u0915\u094b\u0902 \u0915\u094b \u0936\u093e\u092e\u093f\u0932 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0928\u0947\u091f\u0935\u0930\u094d\u0915 \u092a\u0930\u093f\u0927\u093f \u0915\u093e \u0935\u093f\u0938\u094d\u0924\u093e\u0930 \u0938\u094d\u0925\u093e\u092a\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0907\u0938\u094d\u0924\u0947\u092e\u093e\u0932 \u0915\u093f\u092f\u093e \u091c\u093e \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0905\u0928\u0941\u092e\u0924\u093f \u0926\u0947\u0924\u093e \u0939\u0948\u0964 +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = \u0915\u0928\u0947\u0915\u094d\u091f \u0935\u093f\u0927\u093f [{0}], \u090f\u0915 \u0938\u0949\u0915\u0947\u091f \u0915\u0928\u0947\u0915\u094d\u0936\u0928 \u0926\u094d\u0935\u093e\u0930\u093e \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u0938\u094d\u0925\u093e\u092a\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0907\u0938\u094d\u0924\u0947\u092e\u093e\u0932 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0925\u093e\u0964 ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. 
ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = \u0910\u0938\u0947 \u091f\u094d\u0930\u0948\u0915, \u091f\u094d\u0930\u0947\u0938, \u0914\u0930 \u0915\u0928\u0947\u0915\u094d\u091f \u0905\u0938\u0941\u0930\u0915\u094d\u0937\u093f\u0924 \u0924\u0930\u0940\u0915\u0947 \u0915\u094b \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u092a\u0930 \u0905\u0915\u094d\u0937\u092e \u0915\u0930\u0947\u0902, \u0914\u0930 \u0938\u0941\u0928\u093f\u0936\u094d\u091a\u093f\u0924 \u0915\u0930\u0947\u0902 \u0915\u093f \u0905\u0902\u0924\u0930\u094d\u0928\u093f\u0939\u093f\u0924 \u0938\u0947\u0935\u093e \u0915\u093e\u0930\u094d\u092f\u093e\u0928\u094d\u0935\u092f\u0928 \u0905\u0938\u0941\u0930\u0915\u094d\u0937\u093f\u0924 \u0924\u0930\u0940\u0915\u0947 \u0915\u093e \u0938\u092e\u0930\u094d\u0925\u0928 \u0928\u0939\u0940\u0902 \u0915\u0930\u0924\u093e\u0964 ascanbeta.insecurehttpmethod.trace.exploitable.desc = \u0905\u0938\u0941\u0930\u0915\u094d\u0937\u093f\u0924 HTTP \u0935\u093f\u0927\u093f [{0}] \u0907\u0938 \u0938\u0902\u0938\u093e\u0927\u0928 \u0915\u0947 \u0932\u093f\u090f \u0938\u0915\u094d\u0937\u092e \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0939\u0948, \u0914\u0930 \u0926\u094b\u0939\u0928 \u0939\u0948\u0964 \u091f\u094d\u0930\u0948\u0915 \u0914\u0930 \u091f\u094d\u0930\u0947\u0938 \u0935\u093f\u0927\u093f\u092f\u093e\u0901 \u0906\u0915\u094d\u0930\u092e\u0923\u0915\u0930\u094d\u0924\u093e \u0926\u094d\u0935\u093e\u0930\u093e, \u092d\u0932\u0947 \u0939\u0940 \u0938\u0924\u094d\u0930 \u0915\u0941\u0915\u0940 ''HttpOnly'' \u0927\u094d\u0935\u091c \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930 \u0938\u0941\u0930\u0915\u094d\u0937\u093f\u0924 \u0939\u0948 
\u092a\u094d\u0930\u093e\u0927\u093f\u0915\u093e\u0930 \u091f\u094b\u0915\u0928/\u0938\u0924\u094d\u0930 \u0915\u0941\u0915\u0940 \u090f\u0915 \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e, \u0915\u0947 \u0932\u093f\u090f \u092a\u0939\u0941\u0901\u091a \u092a\u094d\u0930\u093e\u092a\u094d\u0924 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0907\u0938\u094d\u0924\u0947\u092e\u093e\u0932 \u0915\u093f\u092f\u093e \u091c\u093e \u0938\u0915\u0924\u093e\u0964 \u0907\u0938 \u0939\u092e\u0932\u0947 \u0915\u0947 \u0932\u093f\u090f \u0938\u092b\u0932 \u0939\u094b\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f, \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0906\u092e \u0924\u094c\u0930 \u092a\u0930 \u090f\u0915 \u092c\u0921\u093c\u0947 \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930, \u092f\u093e \u090f\u0915 \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u0939\u0948 \u091c\u094b \u0939\u0948 \u090f\u0915 \u090f\u0915 \u0939\u0940 \u092e\u0942\u0932 \u0928\u0940\u0924\u093f (\u092d\u0947\u0926\u094d\u092f\u0924\u093e \u092c\u093e\u092f\u092a\u093e\u0938 \u0936\u0930\u093e\u092c\u0940) \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0928\u093e \u091a\u093e\u0939\u093f\u090f\u0964 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} \u0915\u094d\u0937\u0947\u0924\u094d\u0930\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = \u0915\u0941\u0915\u0940 \u0915\u0940 \u092a\u094d\u0930\u0924\u093f\u0915\u094d\u0930\u093f\u092f\u093e \u092e\u0947\u0902 \u0938\u0947\u091f \u091c\u092c \u0915\u0941\u0915\u0940 \u092b\u093c\u0940\u0932\u094d\u0921 [{0}] \u0928\u0932 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0938\u0947\u091f \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0939\u0948\: [{1}] \u0915\u0947 \u0938\u093e\u0925 \u092a\u094d\u0930\u0924\u093f\u0915\u094d\u0930\u093f\u092f\u093e \u092e\u0947\u0902 \u0938\u0947\u091f \u0915\u0941\u0915\u0940 \u0909\u0927\u093e\u0930 \u0932\u093f\u092f\u093e (\u092e\u093e\u0928\u094d\u092f) \u0915\u0941\u0915\u0940 \u092e\u093e\u0928 \u0905\u0928\u0941\u0930\u094b\u0927 [{1}] \u092e\u0947\u0902\: [{2}] 
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = Url \u092a\u0930 \u091 ascanbeta.sessionfixation.desc = \u0938\u0924\u094d\u0930 \u0928\u093f\u0930\u094d\u0927\u093e\u0930\u0923 \u0938\u0902\u092d\u0935 \u0939\u094b \u0938\u0915\u0924\u093e \u0939\u0948\u0964 \u092f\u0926\u093f \u090f\u0915 \u0932\u0949\u0917\u093f\u0928 (\u091c\u0939\u093e\u0901 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0938\u094d\u0935\u092f\u0902 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 authenticates) URL \u0915\u0947 \u0938\u093e\u0925 \u092f\u0939 \u0938\u092e\u0938\u094d\u092f\u093e \u0939\u094b\u0924\u0940 \u0939\u0948, \u0924\u094b \u092f\u0942\u0906\u0930\u090f\u0932 \u090f\u0915 \u0928\u093f\u0936\u094d\u091a\u093f\u0924 \u0938\u0924\u094d\u0930 id, \u0915\u0947 \u0938\u093e\u0925 \u0938\u093e\u0925 \u090f\u0915 \u0939\u092e\u0932\u093e\u0935\u0930 \u0926\u094d\u0935\u093e\u0930\u093e \u0936\u093f\u0915\u093e\u0930 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f, \u0906\u0926\u0947\u0936 \u092e\u0947\u0902 \u092c\u093e\u0926 \u092e\u0947\u0902 \u0926\u093f\u090f \u0917\u090f \u0938\u0924\u094d\u0930 id \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0936\u093f\u0915\u093e\u0930 \u0915\u0940 \u092a\u0939\u091a\u093e\u0928 \u092e\u093e\u0928 \u0915\u0947 \u0932\u093f\u090f \u0926\u0940 \u091c\u093e \u0938\u0915\u0924\u0940 \u0939\u0948\u0964 \u092f\u0926\u093f \u0915\u093f\u0938\u0940 \u0917\u0948\u0930-\u0932\u0949\u0917\u0907\u0928 \u092a\u0947\u091c \u0915\u0947 \u0938\u093e\u0925 \u0938\u092e\u0938\u094d\u092f\u093e \u0939\u094b\u0924\u0940 \u0939\u0948, \u092f\u0942\u0906\u0930\u090f\u0932 \u0914\u0930 \u092b\u093f\u0915\u094d\u0938\u094d\u0921 \u0938\u0924\u094d\u0930 id \u0915\u0947\u0935\u0932 \u090f\u0915 \u0939\u092e\u0932\u093e\u0935\u0930 \u0928\u0947 \u090f\u0915 \u091c\u093f\u0938\u092e\u0947\u0902 
\u0905\u092a\u094d\u0930\u092e\u093e\u0923\u093f\u0915 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0915\u093e\u0930\u094d\u092f\u094b\u0902 \u0915\u094b \u091f\u094d\u0930\u0948\u0915 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0907\u0938\u094d\u0924\u0947\u092e\u093e\u0932 \u0915\u093f\u092f\u093e \u091c\u093e \u0938\u0915\u0924\u093e\u0964 \u092f\u0926\u093f \u091c\u094b\u0916\u093f\u092e \u092a\u0930 \u090f\u0915 \u0915\u0941\u0915\u0940 \u092b\u093c\u0940\u0932\u094d\u0921 \u092f\u093e \u0915\u093f\u0938\u0940 \u092a\u094d\u0930\u092a\u0924\u094d\u0930 \u092b\u093c\u0940\u0932\u094d\u0921 (\u092a\u094b\u0938\u094d\u091f \u092a\u0948\u0930\u093e\u092e\u0940\u091f\u0930) \u0915\u0947 \u092c\u091c\u093e\u092f \u090f\u0915 URL (\u091c\u093e\u0913) \u092a\u0948\u0930\u093e\u092e\u0940\u091f\u0930 \u092a\u0930 \u0939\u094b\u0924\u0940 \u0939\u0948, \u0924\u092c \u0915\u0941\u091b \u0905\u0928\u094d\u092f \u092d\u0947\u0926\u094d\u092f\u0924\u093e \u092d\u0940 \u0915\u0941\u0915\u0940 \u0915\u094d\u0937\u0947\u0924\u094d\u0930 \u092d\u0947\u0926\u094d\u092f\u0924\u093e \u0915\u093e \u0936\u094b\u0937\u0923 \u0915\u093f\u092f\u093e \u091c\u093e \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0905\u0928\u0941\u092e\u0924\u093f \u0926\u0947\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u092a\u0940\u0921\u093c\u093f\u0924 \u0915\u0947 \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u092a\u0930, \u0938\u0947\u091f \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u092a\u0921\u093c \u0938\u0915\u0924\u093e \u0939\u0948\u0964 ascanbeta.sessionfixation.name = \u0938\u0924\u094d\u0930 \u0928\u093f\u0930\u094d\u0927\u093e\u0930\u0923 ascanbeta.sessionfixation.refs = 
https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. 
ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} \u0915\u094d\u0937\u0947\u0924\u094d\u0930\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = Url \u092a\u0930 \u091c\u094b \u092e\u0941\u0926\u094d\u0926\u0947 \u0915\u0940 \u0916\u094b\u091c \u0915\u0940 \u0925\u0940 \u090f\u0915 \u0932\u0949\u0917\u0911\u0928 \u092a\u0943\u0937\u094d\u0920 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u091d\u0902\u0921\u0940 \u0926\u093f\u0916\u093e\u0915\u0930 \u0930\u0935\u093e\u0928\u093e \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0925\u093e\u0964 -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
-ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} \u0915\u094d\u0937\u0947\u0924\u094d\u0930\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = \u091c\u092c \u0924\u0915 \u0915\u093f \u0938\u0924\u094d\u0930 \u0915\u094b \u0928\u0937\u094d\u091f \u0915\u0930 \u0926\u093f\u092f\u093e \u0939\u0948 \u0938\u0924\u094d\u0930 \u092a\u0939\u091a\u093e\u0928\u0915\u0930\u094d\u0924\u093e {0} \u092b\u093c\u0940\u0932\u094d\u0921 [{1}], [{2}] \u092e\u0942\u0932\u094d\u092f [(\u0915\u0941\u0915\u0940 {4} \u092a\u0930 \u092a\u094d\u0930\u093e\u092a\u094d\u0924 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0925\u093e \u0915\u0947 \u092c\u093e\u0926 \u0938\u0947){3} \u0924\u0915], \u092a\u0939\u0941\u0901\u091a\u093e \u091c\u093e \u0938\u0915\u0924\u093e \u0939\u0948\u0964 ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = Url \u092a\u0930 \u091c\u094b \u092e\u0941\u0926\u094d\u0926\u0947 \u0915\u0940 \u0916\u094b\u091c \u0915\u0940 \u0925\u0940 \u090f\u0915 \u0932\u0949\u0917\u0911\u0928 \u092a\u0943\u0937\u094d\u0920 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u091d\u0902\u0921\u0940 \u0926\u093f\u0916\u093e\u0915\u0930 \u0930\u0935\u093e\u0928\u093e \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0925\u093e\u0964 ascanbeta.sessionidexpiry.browserclose = \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u092c\u0902\u0926 \u0915\u0930\u0947\u0902 -ascanbeta.sessionidexpiry.desc = \u090f\u0915 \u0938\u0924\u094d\u0930 Id \u0915\u0941\u0915\u0940 \u091c\u092c (URL \u0928\u0932 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f 
\u0928\u093e\u092e\u093e\u0902\u0915\u093f\u0924 \u092a\u0948\u0930\u093e\u092e\u0940\u091f\u0930 \u092b\u093c\u0940\u0932\u094d\u0921 \u0938\u0947\u091f\u093f\u0902\u0917 \u0915\u0947 \u0926\u094d\u0935\u093e\u0930\u093e \u0938\u0902\u0936\u094b\u0927\u093f\u0924 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0939\u0948) \u0938\u0930\u094d\u0935\u0930 \u0926\u094d\u0935\u093e\u0930\u093e \u092d\u0947\u091c\u093e \u0917\u092f\u093e \u090f\u0915 \u0905\u0924\u094d\u092f\u0927\u093f\u0915 \u0938\u092e\u092f \u0905\u0935\u0927\u093f \u0915\u0947 \u0932\u093f\u090f \u092e\u093e\u0928\u094d\u092f \u0939\u094b\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0938\u0947\u091f \u0939\u0948\u0964 \u092f\u0939 \u090f\u0915 \u0939\u092e\u0932\u093e\u0935\u0930 \u0926\u094d\u0935\u093e\u0930\u093e \u0926\u094b\u0939\u0928 \u0939\u094b \u0938\u0915\u0924\u093e \u0939\u0948 \u0905\u0917\u0930 \u092c\u093e\u0939\u0930, \u0932\u0949\u0917 \u0911\u0928 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u092d\u0942\u0932\u0924\u093e \u092f\u0926\u093f \u0932\u0949\u0917\u0906\u0909\u091f \u0915\u093e\u0930\u094d\u092f\u0915\u094d\u0937\u092e\u0924\u093e \u0938\u0924\u094d\u0930 \u0938\u0939\u0940 \u0922\u0902\u0917 \u0938\u0947 \u0928\u0937\u094d\u091f \u0928\u0939\u0940\u0902 \u0915\u0930\u0924\u093e \u0939\u0948, \u092f\u093e \u092f\u0926\u093f \u0938\u0924\u094d\u0930 id \u0926\u094d\u0935\u093e\u0930\u093e \u0915\u0941\u091b \u0905\u0928\u094d\u092f \u0905\u0930\u094d\u0925 \u0939\u0948 \u0938\u092e\u091d\u094c\u0924\u093e \u0915\u093f\u092f\u093e \u0939\u0948\u0964 +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = \u0905\u0924\u094d\u092f\u0927\u093f\u0915 \u0938\u0924\u094d\u0930 ID \u0938\u092e\u093e\u092a\u094d\u0924\u093f \u0938\u092e\u092f/Max-\u0906\u092f\u0941 \u0939\u0948 #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) '\u0928\u093f\u0936\u094d\u0935\u093e\u0938\u0928' \u092f\u093e '\u0905\u0927\u093f\u0915\u0924\u092e \u0906\u092f\u0941' \u0915\u0941\u0915\u0940 \u0928\u093f\u0930\u094d\u0926\u0947\u0936\u094b\u0902 \u091c\u092c \u092f\u0941\u0915\u094d\u0924 \u090f\u0915 \u0938\u0924\u094d\u0930 id \u0915\u0941\u0915\u0940 \u0938\u0947\u091f\u093f\u0902\u0917 \u092f\u0939 \u0938\u092e\u092f \u0915\u0940 \u0932\u0902\u092c\u0940 \u0905\u0935\u0927\u093f \u0915\u0947 \u0932\u093f\u090f \u0909\u092a\u0932\u092c\u094d\u0927 \u0939\u094b\u0928\u0947 \u0938\u0947 \u0930\u094b\u0915\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0947\u0902\u0964 2) \u0938\u0941\u0928\u093f\u0936\u094d\u091a\u093f\u0924 \u0915\u0930\u0947\u0902 \u0915\u093f \u0932\u0949\u0917 \u0906\u0909\u091f \u0915\u093e\u0930\u094d\u092f\u0915\u094d\u0937\u092e\u0924\u093e \u092e\u094c\u091c\u0942\u0926 \u0939\u0948, \u0914\u0930 \u0915\u093f \u092f\u0939 \u0938\u0939\u0940 \u0922\u0902\u0917 \u0938\u0947 \u0938\u0924\u094d\u0930 \u0915\u094b \u0928\u0937\u094d\u091f \u0915\u0930 \u0926\u0947\u0924\u093e \u0939\u0948\u0964 3) \u0905\u0917\u0930 \u090f\u0915 \u0938\u0924\u094d\u0930 id \u0938\u092e\u091d\u094c\u0924\u093e \u0915\u093f\u092f\u093e \u0939\u0948, \u0907\u0938\u0947 \u0928\u0939\u0940\u0902 \u0915\u093e \u0936\u094b\u0937\u0923 \u0915\u093f\u092f\u093e \u091c\u093e 
\u0938\u0915\u0924\u093e \u0915\u093f \u092f\u0939 \u0938\u0941\u0928\u093f\u0936\u094d\u091a\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0905\u0928\u094d\u092f preventative \u0909\u092a\u093e\u092f\u094b\u0902 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0947\u0902\u0964 ascanbeta.sessionidexpiry.timeexpired = \u0915\u0940 \u0938\u092e\u092f \u0938\u0940\u092e\u093e \u0938\u092e\u093e\u092a\u094d\u0924 ascanbeta.sessionidexpiry.timelessthanonehour = \u0915\u092e \u0938\u0947 \u0915\u092e \u090f\u0915 \u0918\u0902\u091f\u093e 
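Review bot: Removing `-ascanbeta.sessionidaccessiblebyjavascript.refs=` and `-ascanbeta.sessionidexpiry.refs=` leaves the two `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` comments pointing at keys that no longer exist in this file; either drop those comments in the same hunk or keep the empty keys so the comments stay accurate. Also, `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` and `sessionidexpiry.desc` replace existing Devanagari translations with the English source text; please confirm this is an intentional reset of those strings on the translation side rather than a lost translation. Finally, `7)Switch` in `sessionfixation.soln` still lacks the space after the numeral that items 1) to 6) have, so the new trailing period is the only fix that line gets.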
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = \u0905\u0927\u093f\u0915 \u0938\ ascanbeta.sessionidexposedinurl.alert.attack = {0} \u0915\u094d\u0937\u0947\u0924\u094d\u0930\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} [{1}] \u092b\u093c\u0940\u0932\u094d\u0921 \u090f\u0915 \u0909\u091c\u093e\u0917\u0930 \u0938\u0924\u094d\u0930 \u092a\u0939\u091a\u093e\u0928\u0915\u0930\u094d\u0924\u093e [{2}] \u0936\u093e\u092e\u093f\u0932 \u0939\u0948\u0902 ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = Url \u092a\u0930 \u091c\u094b \u092e\u0941\u0926\u094d\u0926\u0947 \u0915\u0940 \u0916\u094b\u091c \u0915\u0940 \u0925\u0940 \u090f\u0915 \u0932\u0949\u0917\u0911\u0928 \u092a\u0943\u0937\u094d\u0920 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u091d\u0902\u0921\u0940 \u0926\u093f\u0916\u093e\u0915\u0930 \u0930\u0935\u093e\u0928\u093e \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0925\u093e\u0964 -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = \u0909\u091c\u093e\u0917\u0930 \u0938\u0924\u094d\u0930 ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = \u090f\u0915 \u0905\u0927\u093f\u0915 \u0938\u0941\u0930\u0915\u094d\u0937\u093f\u0924 \u0938\u0924\u094d\u0930 \u092a\u094d\u0930\u092c\u0902\u0927\u0928 \u0915\u093e\u0930\u094d\u092f\u093e\u0928\u094d\u0935\u092f\u0928, \u091c\u0948\u0938\u0947 \u0915\u093f \u0938\u0924\u094d\u0930 \u0915\u0941\u0915\u0940\u091c\u093c \u091c\u094b \u0930\u0942\u092a \u092e\u0947\u0902 \u0906\u0938\u093e\u0928\u0940 \u0938\u0947 \u0905\u0928\u091c\u093e\u0928\u0947 \u0938\u093e\u091d\u093e \u0915\u0930 \u0930\u0939\u0947 \u0939\u0948\u0902 \u0928\u0939\u0940\u0902 \u0939\u0948, \u0914\u0930 \u091c\u094b \u0938\u0930\u094d\u0935\u0930 \u0932\u0949\u0917 \u092b\u093e\u0907\u0932 \u092f\u093e \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u092c\u0941\u0915\u092e\u093e\u0930\u094d\u0915\u094d\u0938 \u092e\u0947\u0902 \u0938\u093e\u092e\u093e\u0928\u094d\u092f\u0924\u092f\u093e \u092a\u094d\u0930\u0915\u091f \u0928\u0939\u0940\u0902 \u0915\u0930\u0924\u0947 \u0939\u0948\u0902, \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0924\u093e \u0939\u0948 \u090f\u0915 \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0947\u0902\u0964 ascanbeta.sessionidsentinsecurely.alert.attack = {0} \u0915\u094d\u0937\u0947\u0924\u094d\u0930\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. 
ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = Url \u092a\u0930 \u091c\u094b \u092e\u0941\u0926\u094d\u0926\u0947 \u0915\u0940 \u0916\u094b\u091c \u0915\u0940 \u0925\u0940 \u090f\u0915 \u0932\u0949\u0917\u0911\u0928 \u092a\u0943\u0937\u094d\u0920 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u091d\u0902\u0921\u0940 \u0926\u093f\u0916\u093e\u0915\u0930 \u0930\u0935\u093e\u0928\u093e \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0925\u093e\u0964 ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = \u0938\u0930\u094d\u0935\u0930 \u0926\u0942\u0930\u0938\u094d\u0925 \u0939\u092e\u0932\u093e\u0935\u0930\u094b\u0902 \u092a\u0930 \u0938\u094d\u0935\u0948\u091a\u094d\u091b\u093f\u0915 \u0915\u094b\u0921 \u0915\u094b \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u0940 \u0905\u0928\u0941\u092e\u0924\u093f \u0926\u0947\u0924\u093e \u0939\u0948 \u092a\u093e\u0930\u094d\u091f\u0940 \u0915\u0940 \u092f\u094b\u091c\u0928\u093e \u092c\u0928\u093e\u0908 \u0916\u094b\u0932 \u0915\u0947 \u0915\u093f\u0938\u0940 \u0938\u0902\u0938\u094d\u0915\u0930\u0923 \u091a\u0932 \u0930\u0939\u093e \u0939\u0948 +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = CVE-2014-6271 \u0938\u0947\: \u0917\u094d\u0928\u0942 Bash 4.3 \u0915\u0947 \u092e\u093e\u0927\u094d\u092f\u092e \u0938\u0947 \u0924\u093e\u0930 \u0915\u0947 \u092a\u0940\u091b\u0947 \u091a\u0932 \u0938\u092e\u093e\u0930\u094b\u0939 \u092a\u0930\u093f\u092d\u093e\u0937\u093e\u090f\u0901 \u092a\u0930\u093f\u0935\u0947\u0936 \u091a\u0930, \u0915\u0947 \u092c\u093e\u0926 \u092e\u0942\u0932\u094d\u092f\u094b\u0902 \u092e\u0947\u0902 \u091c\u094b \u0935\u0948\u0915\u094d\u091f\u0930 OpenSSH sshd, mod_cgi \u0914\u0930 mod_cgid \u092e\u0947\u0902 \u092e\u0949\u0921\u094d\u092f\u0942\u0932 \u0915\u094b Apache HTTP \u0938\u0930\u094d\u0935\u0930, \u0905\u0928\u093f\u0930\u094d\u0926\u093f\u0937\u094d\u091f DHCP \u0915\u094d\u0932\u093e\u0907\u0902\u091f, \u0914\u0930 \u0905\u0928\u094d\u092f \u0938\u094d\u0925\u093f\u0924\u093f\u092f\u094b\u0902 \u092e\u0947\u0902 \u091c\u094b \u0938\u0947\u091f\u093f\u0902\u0917 \u092a\u0930\u094d\u092f\u093e\u0935\u0930\u0923 Bash \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 \u0938\u0947 \u090f\u0915 \u0935\u093f\u0936\u0947\u0937\u093e\u0927\u093f\u0915\u093e\u0930 \u0938\u0940\u092e\u093e \u092a\u093e\u0930 \u0939\u094b\u0924\u0940 \u0939\u0948 \u0926\u094d\u0935\u093e\u0930\u093e \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u093f\u0924 \u0932\u093f\u092a\u093f\u092f\u094b\u0902 \u092e\u0947\u0902 ForceCommand \u0938\u0941\u0935\u093f\u0927\u093e \u0915\u094b \u0936\u093e\u092e\u093f\u0932 \u0915\u0930\u0915\u0947 \u092a\u094d\u0930\u0926\u0930\u094d\u0936\u0928 \u0915\u0947 \u0930\u0942\u092a \u092e\u0947\u0902 \u0926\u0942\u0930\u0938\u094d\u0925 \u0939\u092e\u0932\u093e\u0935\u0930\u094b\u0902 \u090f\u0915 \u0917\u0922\u093c\u0940 \u0917\u0908 \u092a\u0930\u094d\u092f\u093e\u0935\u0930\u0923 \u0915\u0947 \u091c\u0930\u093f\u090f \u092e\u0928\u092e\u093e\u0928\u093e \u0915\u094b\u0921 \u0915\u094b \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u093f\u0924 \u0915\u0930\u0928\u0947 \u0915\u0947 
\u0932\u093f\u090f \u0905\u0928\u0941\u092e\u0924\u093f \u0926\u0947\u0924\u093e \u0939\u0948 \u0938\u0902\u0938\u093e\u0927\u093f\u0924 \u0915\u0930\u0924\u093e \u0939\u0948, \u0909\u0930\u094d\u092b "ShellShock." \u0928\u094b\u091f\: \u0907\u0938 \u0938\u092e\u0938\u094d\u092f\u093e \u0915\u0947 \u092e\u0942\u0932 \u0928\u093f\u0926\u093e\u0928 \u0917\u0932\u0924 \u0925\u093e; CVE-2014-7169 \u0917\u093c\u0932\u0924 \u0924\u092f \u0915\u0930\u0928\u0947 \u0915\u0947 \u092c\u093e\u0926 \u0905\u092d\u0940 \u092d\u0940 \u092e\u094c\u091c\u0942\u0926 \u0939\u0948 \u0907\u0938 \u092d\u0947\u0926\u094d\u092f\u0924\u093e \u0915\u094b \u0915\u0935\u0930 \u0915\u0930\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0905\u0938\u093e\u0907\u0928 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0939\u0948\u0964 ascanbeta.shellshock.name = \u0930\u093f\u092e\u094b\u091f \u0915\u094b\u0921 \u0915\u093e \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 - \u0936\u0947\u0932 \u0936\u0949\u0915 ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = \u092a\u093e\u0930\u094d\u091f\u0940 \u0915\u0940 \u092f\u094b\u091c\u0928\u093e \u092c\u0928\u093e\u0908 \u0915\u093e \u0928\u0935\u0940\u0928\u0924\u092e \u0938\u0902\u0938\u094d\u0915\u0930\u0923 \u0915\u094b \u0938\u0930\u094d\u0935\u0930 \u092a\u0930 \u0905\u0926\u094d\u092f\u0924\u0928 +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = \u0939\u092e\u0932\u0947 \u0915\u093e \u0909\u092a\u092f\u094b\u0917, [{0}] \u092e\u093f\u0932\u0940\u0938\u0947\u0915\u0947\u0902\u0921\u094b\u0902 \u0915\u0940 \u090f\u0915 \u0935\u093f\u0932\u0902\u092c \u092a\u094d\u0930\u0947\u0930\u093f\u0924 \u092a\u093e\u092f\u093e \u0917\u092f\u093e \u0914\u0930 \u0925\u093e ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. 
ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = [{0}] \u0915\u0947 \u0932\u093f\u090f \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 [{1}] \u092a\u0930 \u092a\u093e\u092f\u093e \u0917\u092f\u093e \u0925\u093e ascanbeta.sourcecodedisclosure.svnbased.name = \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u092a\u094d\u0930\u0915\u091f\u0940\u0915\u0930\u0923 - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = \u0938\u0941\u0928\u093f\u0936\u094d\u091a\u093f\u0924 \u0915\u0930\u0947\u0902 \u0915\u093f Git \u092e\u0947\u091f\u093e\u0921\u0947\u091f\u093e \u092b\u093c\u093e\u0907\u0932\u0947\u0902 \u0935\u0947\u092c \u0938\u0930\u094d\u0935\u0930 \u092f\u093e \u0938\u0930\u094d\u0935\u0930 \u0905\u0928\u0941\u092a\u094d\u0930\u092f\u094b\u0917 \u0915\u0947 \u0932\u093f\u090f \u0924\u0948\u0928\u093e\u0924 \u0928\u0939\u0940\u0902 \u0915\u0930 \u0930\u0939\u0947 \u0939\u0948\u0902 +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosurecve-2012-1823.desc = \u0915\u094d\u0935\u0947\u0930\u0940 \u0924\u093e\u0930 \u0915\u093f PHP \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u092a\u094d\u0930\u0915\u091f\u0940\u0915\u0930\u0923, \u0914\u0930 \u092e\u0928\u092e\u093e\u0928\u093e \u0915\u094b\u0921 \u0928\u093f\u0937\u094d\u092a\u093e\u0926\u0928 \u0915\u094b \u0938\u0915\u094d\u0937\u092e \u0915\u0930\u0928\u0947 \u0915\u0947 \u090f\u0915 unescaped "\=" \u0935\u0930\u094d\u0923, \u0915\u092e\u0940 \u0915\u0941\u091b PHP \u0938\u0902\u0938\u094d\u0915\u0930\u0923 \u0939\u0948, \u091c\u092c CGI, \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0915\u0947 \u091a\u0932\u093e\u0928\u0947 \u0915\u0947 \u0932\u093f\u090f \u0915\u0949\u0928\u094d\u092b\u093c\u093f\u0917\u0930 \u0915\u093f\u092f\u093e \u0917\u092f\u093e \u0938\u0939\u0940 \u0924\u0930\u0940\u0915\u0947 \u0938\u0947 \u0939\u0948\u0902\u0921\u0932 \u0928\u0939\u0940\u0902\u0964 \u0907\u0938 \u092e\u093e\u092e\u0932\u0947 \u092e\u0947\u0902, PHP \u092b\u093c\u093e\u0907\u0932 \u0915\u0940 \u0938\u093e\u092e\u0917\u094d\u0930\u0940 \u0938\u0940\u0927\u0947 \u0935\u0947\u092c \u092c\u094d\u0930\u093e\u0909\u091c\u093c\u0930 \u0915\u0947 \u0932\u093f\u090f \u0938\u0947\u0935\u093e \u0915\u0940 \u0925\u0947\u0964 \u0939\u093e\u0932\u093e\u0902\u0915\u093f \u092f\u0939 \u092d\u0940 \u0939\u094b \u0938\u0915\u0924\u0940 \u0939\u0948 \u0938\u0940\u0927\u0940 HTML \u0907\u0938 \u0906\u0909\u091f\u092a\u0941\u091f \u092e\u0947\u0902 \u0906\u092e\u0924\u094c\u0930 \u092a\u0930 PHP, \u0936\u093e\u092e\u093f\u0932 \u0939\u094b\u0902\u0917\u0947\u0964 ascanbeta.sourcecodedisclosurecve-2012-1823.name = \u0938\u094d\u0930\u094b\u0924 \u0915\u094b\u0921 \u092a\u094d\u0930\u0915\u091f\u0940\u0915\u0930\u0923 - CVE-2012-1823 
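Review bot: `+ascanbeta.sourcecodedisclosure.svnbased.soln` now says "SVN metadata files", which corrects the removed Devanagari line that referred to Git metadata inside the SVN rule's solution, but it, `shellshock.desc` and `shellshock.soln` all swap translated text for the English source; confirm this is a deliberate reset and not dropped translations. The `sessionidsentinsecurely.alert.extrainfo`, `.desc`, `.soln` and `sourcecodedisclosure.gitbased.name` pairs are textually identical in the rendered diff, so they should be whitespace-only changes; worth a quick check that nothing else, such as line endings, changed on those lines.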
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hr_HR.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hr_HR.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hr_HR.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hr_HR.properties 
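Review bot: In the `@@ -243,9 +241,9 @@` hunk, `+ascanbeta.usernameenumeration.alert.extrainfo` appends a period directly after `[{4}]`, but `{4}` is filled with the multi-line difference output (the message ends with `are\:\n[{4}]`), so the period lands after the dumped diff rather than closing a sentence; suggest leaving that message without the trailing period, as the `alert.attack` line in the same hunk is. Outside the change, the context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` reads wrong ("prior to" contradicts "or newer"); it should say "to version 1.10.0 or newer", which could go in a follow-up.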
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hu_HU.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hu_HU.properties index 7673f283a1b..96ccceadfe2 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hu_HU.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_hu_HU.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Ismeretlen ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
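Review bot: "should be updated to be configured to not serve responses" in the `+ascanbeta.relativepathconfusion.soln` line is convoluted; since the line is being rewritten anyway, "should be configured not to serve responses" says the same thing, and "mis-interpreted" / "mis-interpret" (used twice in this line) is normally written "misinterpreted" / "misinterpret". The `+...contenttypeenabled` and `+...nocontenttype` lines appear identical to the removed ones apart from trailing whitespace; if this hunk is a whitespace-only cleanup for those keys, say so in the commit message so reviewers do not hunt for a textual difference.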
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Lej\u00e1rt ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
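Review bot: "7)Switch" in the `+ascanbeta.sessionfixation.soln` line still lacks the space after the number that items 1) to 6) have; since the line is already being rewritten to re-join the wrapped "...as the latter typically require..." fragment and add the final period, fix the spacing too ("7) Switch"). The same hunk capitalises "The URL on which the issue was discovered" for `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` but leaves "The url on which..." in the neighbouring `sessionidexpiry.alert.extrainfo.loginpage` context line; apply the same casing to both. Minor: `+...sessionidaccessiblebyjavascript.alert.extrainfo` now ends with a period but still starts with a lowercase "session identifier".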
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
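Review bot: trailing-period consistency is only half applied in this hunk: `+ascanbeta.shellshock.desc`, `+ascanbeta.shellshock.soln`, `+...gitbased.soln` and `+...svnbased.soln` gain a final period, while the evidence and extrainfo strings right beside them (`shellshock.timingbased.evidence = ... was induced and detected`, `gitbased.evidence = ... was extracted using [{1}]`, `svnbased.extrainfo = ... was found at [{1}]`) and `sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which...` keep no period and the lowercase "url". Pick one rule (complete sentences end with a period, "URL" capitalised) and apply it to the whole block, otherwise the alert panel shows a mix within a single rule.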
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_id_ID.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_id_ID.properties index 7a4f42ab3a7..73028b0b9e8 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_id_ID.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_id_ID.properties 
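Review bot: the period appended to `+ascanbeta.usernameenumeration.alert.extrainfo` comes after `\n[{4}]`, and {4} is substituted with the list of response differences, so the rendered text will end with a stray "." on its own line after that block; leave this string without the trailing period, or place it before the `\:\n[{4}]` part. While in this region, the `ascanbeta.text4shell.soln` context line "Upgrade Apache Commons Text prior to version 1.10.0 or newer." is self-contradictory and should read "Upgrade Apache Commons Text to version 1.10.0 or newer."; the `+...alert.attack` line differs from the removed one only in whitespace.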
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = Serangan Parameter Polusi HTTP (HPP) terdiri dari penyisipan string kuadrat yang disandikan ke parameter lain yang ada. Jika aplikasi web tidak membersihkan masukan pengguna dengan benar, pengguna jahat dapat mengkompromikan logika aplikasi untuk melakukan serangan sisi klien atau server-side. Salah satu konsekuensi dari serangan HPP adalah bahwa penyerang berpotensi mengesampingkan parameter HTTP kode keras yang ada untuk memodifikasi perilaku aplikasi, melewati titik validasi masukan, dan mengakses dan mungkin memanfaatkan variabel yang mungkin tidak terjangkau secara langsung. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = Parameter Polusi HTTP -ascanbeta.HTTPParamPoll.sol = Sebaiknya bersihkan masukan pengguna untuk pembatas parameter +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Cadangan dari file itu diungkapkan oleh web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Pengungkapan Berkas Cadangan ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Jangan mengedit file di-situ di web server, dan memastikan bahwa un-file yang diperlukan (termasuk file yang tersembunyi) akan dihapus dari server web. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
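Review bot: `+ascanbeta.HTTPParamPoll.sol` and `+ascanbeta.backupfiledisclosure.desc` replace existing Indonesian translations with English source text inside Messages_id_ID.properties, which is a translation regression rather than a fix: Indonesian users will now see English for these two keys while the surrounding keys (`HTTPParamPoll.desc`, `backupfiledisclosure.name`, `backupfiledisclosure.soln`) stay in Indonesian. If the translation is being withdrawn deliberately, remove the keys so the bundle falls back to the default locale instead of hard-coding English here; if this is an automated sync, check why these strings lost their translation upstream.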
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Pemecatan permintaan cross-site berbasis Flash / Silverlight dimungkinkan, karena kesalahan konfigurasi pada server web. -ascanbeta.crossdomain.adobe.read.extrainfo = Web server memungkinkan berbahaya cross-domain data membaca permintaan yang berasal dari Flash/Silverlight komponen disajikan dari pihak ketiga domain, untuk domain ini. Jika korban pengguna login ke layanan ini, berbahaya baca permintaan diproses menggunakan hak-hak korban, dan dapat mengakibatkan data dari layanan ini sedang dikompromikan oleh aplikasi pihak ketiga situs web, melalui web korban browser. Hal ini sangat mungkin menjadi masalah jika Cookie berdasarkan sesi pelaksanaan di gunakan. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Misconfiguration Lintas Domain-Adobe-Baca ascanbeta.crossdomain.adobe.read.soln = Konfigurasikan file crossdomain.xml untuk membatasi daftar domain yang diizinkan membuat permintaan baca lintas domain ke server web ini, dengan menggunakan . Anda seharusnya hanya memberikan akses ke "*" (semua domain) jika Anda yakin bahwa layanan ini tidak menghosting data yang dikendalikan, dipersonalisasi, atau pribadi. ascanbeta.crossdomain.adobe.send.extrainfo = Web server memungkinkan berbahaya cross-domain mengirim data (tetapi tidak harus baca) permintaan yang berasal dari Flash/Silverlight komponen disajikan dari pihak ketiga domain, untuk domain ini. Jika korban pengguna login ke layanan ini, berbahaya mengirim permintaan diproses menggunakan hak-hak korban, dan dapat mengakibatkan Cross Site Request Forgery (CSRF) jenis serangan, melalui korban browser web. Hal ini sangat mungkin menjadi masalah jika Cookie berdasarkan sesi pelaksanaan di gunakan. 
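Review bot: same translation regression as in the first hunk of this file: `+ascanbeta.crossdomain.adobe.desc` and `+ascanbeta.crossdomain.adobe.read.extrainfo` become English while `crossdomain.adobe.read.name`, `crossdomain.adobe.read.soln` and `crossdomain.adobe.send.extrainfo` for the same rule remain Indonesian, so a single alert will mix two languages. Either keep the Indonesian text (the removed lines were complete translations) or drop the keys so the default bundle supplies the English.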
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = Metode HTTP yang tidak aman [{0}] diaktifkan untuk sumber ini, dan dapat dieksploitasi. Ditemukan kemungkinan membuat sambungan soket terowongan ke layanan pihak ketiga, dengan menggunakan metode HTTP ini. Ini akan memungkinkan layanan tersebut digunakan sebagai relay spam anonim, atau sebagai proxy web, yang melewati batasan jaringan. Ini juga memungkinkannya digunakan untuk membuat VPN terowongan, yang secara efektif memperluas perimeter jaringan untuk menyertakan komponen yang tidak tepercaya. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
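Review bot: `+ascanbeta.httpoxy.desc` is edited but keeps the missing space in "of the request.Httpoxy typically affects"; fix it to "of the request. Httpoxy typically affects" (and "CGI like" to "CGI-like") in the same change. The added period also ends only the last bullet ("...use a malicious proxy.") while the first two items in the same `\n* ...` list have none; items in one list should be punctuated the same way. `+ascanbeta.insecurehttpmethod.connect.exploitable.desc` again swaps an Indonesian translation for English text in the id_ID bundle (see the earlier hunks).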
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Nonaktifkan metode tidak aman seperti TRACK, TRACE, dan CONNECT pada server web, dan pastikan bahwa implementasi layanan yang mendasarinya tidak mendukung metode yang tidak aman. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = Metode HTTP yang tidak aman [{0}] diaktifkan untuk sumber ini, dan dapat dieksploitasi. Metode TRACK dan TRACE dapat digunakan oleh penyerang, untuk mendapatkan akses ke kuota otorisasi / cookie sesi dari pengguna aplikasi, meskipun cookie sesi dilindungi menggunakan bendera ''HttpOnly''. Agar serangan berhasil, pengguna aplikasi biasanya harus menggunakan browser web lawas, atau browser web yang memiliki kerentanan bypass Same Origin Policy (SOP). 
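Review bot: the `+ascanbeta.insecurehttpmethod.put.exploitable.desc` line only drops the doubled final period; the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities" is left in place, and the `patch.exploitable.desc` context line above has the same pattern ("REST services, PATCH is used for **modify** capabilities"). A semicolon or "where" after "REST services" fixes both, and "most-often" needs no hyphen.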
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potensi Integer Overflow. Kode status berubah pada input string panjang bilangan bulat acak. -ascanbeta.integeroverflow.error2 = Potensi Integer Overflow. Kode status berubah pada input string panjang angka nol. -ascanbeta.integeroverflow.error3 = Potensi Integer Overflow. Kode status berubah pada input string panjang yang ada. -ascanbeta.integeroverflow.error4 = Potensi Integer Overflow. Kode status berubah pada input string panjang sembilan tahun. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Kesalahan Overeger Overflow ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
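Review bot: `ascanbeta.integeroverflow.name = Kesalahan Overeger Overflow` is left untouched in this hunk while the four `integeroverflow.error*` values are reset to the English source text; "Overeger" is not a word in either language, so the alert title stays garbled while its detail strings change language. Either reset the name to the source string as well or fix the translation, so the title and the error messages of the same alert are at least in one language.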
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Tidak diketahui ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = Bidang {0}\:[{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie ditetapkan sebagai tanggapan saat bidang cookie [{0}] disetel ke NULL\: [{1}] Cookie ditetapkan sebagai tanggapan dengan nilai cookie yang dipinjam (berlaku) sesuai permintaan [{1}]\: [{2}] 
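Review bot: the new `ascanbeta.proxydisclosure.desc` drops the leading space only from the first list item (`\n- A list of targets`) while the next two keep it (`\n - Potential vulnerabilities`, `\n - The presence or absence`), so the rendered alert gets a misaligned bullet list; use the same marker on all three. In the new `ascanbeta.relativepathconfusion.soln` the HTML tag name between the quotes in `the correct use of the "" HTML tag` is empty as shown here; please confirm the committed file carries the tag name, otherwise the sentence is meaningless to the reader. The remaining `-`/`+` pairs in this hunk (`extrainfo.proxyserver.header`, `extrainfo.webserver.header`, `contenttypeenabled`, `nocontenttype`) show no visible difference and appear to be trailing-whitespace-only changes.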
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = Url di mana masalah it ascanbeta.sessionfixation.desc = Sesi Fiksasi mungkin dilakukan. Jika masalah ini terjadi dengan URL login (di mana pengguna mengotentikasi diri mereka sendiri untuk aplikasi), maka URL yang dapat diberikan oleh seorang penyerang, selain tetap session id, untuk korban, untuk kemudian mengasumsikan identitas korban menggunakan diberikan session id. Jika terjadi masalah dengan non-halaman login, URL dan tetap session id hanya dapat digunakan oleh penyerang untuk melacak aplikasi yang tidak berkepentingan tindakan pengguna. Jika terjadi kerentanan pada cookie bidang atau bentuk lapangan (POSTING parameter) bukan pada URL (GET) parameter, maka beberapa kerentanan juga mungkin diperlukan dalam rangka untuk mengatur cookie lapangan pada browser korban, untuk memungkinkan kerentanan yang dapat dimanfaatkan. ascanbeta.sessionfixation.name = Fiksasi Sesi ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or 
form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = Bidang {0}\:[{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], nilai [{2}] dapat diakses menggunakan JavaScript di browser web{1} -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = Url di mana masalah itu ditemukan ditandai sebagai halaman log masuk. -ascanbeta.sessionidaccessiblebyjavascript.desc = Kuki Id sesi yang dikirim oleh server (bila URL dimodifikasi dengan menyetel bidang parameter yang dinamai ke NULL) dapat diakses oleh JavaScript di server. Sehubungan dengan kerentanan lain, ini memungkinkan sesi dibajak. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Kuki Sesi ID yang Dapat Diakses ke JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Gunakan bendera 'httponly' saat menyetel cookie yang berisi id sesi, untuk mencegahnya diakses oleh JavaScript di browser web. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = Bidang {0}\:[{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], nilai [{2}] dapat diakses sampai [{3}] (karena cookie diterima pada {4}), kecuali jika sesi tersebut dimusnahkan. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = Url di mana masalah itu ditemukan ditandai sebagai halaman log masuk. ascanbeta.sessionidexpiry.browserclose = browser tutup -ascanbeta.sessionidexpiry.desc = Kuki Id sesi yang dikirim oleh server (bila URL diubah dengan menyetel bidang parameter bernama ke NULL) ditetapkan berlaku untuk jangka waktu yang berlebih. Ini mungkin dapat dimanfaatkan oleh penyerang jika pengguna lupa log out, jika fungsionalitas logout tidak menghancurkan sesi dengan benar, atau jika id sesi dikompromikan dengan beberapa cara lain. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Sesi ID kadaluwarsa Sisa / Max-Age itu Berlebihan #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Gunakan perintah kado 'Kadaluarsa' atau 'Max-Age' saat menyetel kue yang berisi id sesi, agar tidak tersedia dalam jangka waktu lama. 2) Pastikan bahwa fungsi logout ada, dan itu benar menghancurkan sesi. 3) Gunakan tindakan pencegahan lainnya untuk memastikan bahwa jika id sesi disusupi, hal itu mungkin tidak dieksploitasi. ascanbeta.sessionidexpiry.timeexpired = Kadaluarsa ascanbeta.sessionidexpiry.timelessthanonehour = Kurang dari satu jam 
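Review bot: item 7 of the new `ascanbeta.sessionfixation.soln` still reads `7)Switch` with no space after the number, unlike items 1) to 6); please add the space while this line is being touched. Removing `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` leaves the two `#these refs cannot be referenced, but we leave it here...` comments referring to nothing; drop the comments together with the keys or keep the empty keys. Note also that `ascanbeta.sessionidexpiry.soln` (context, unchanged) separates its three items with plain spaces rather than the `\n` used by the other `soln` strings in this file.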
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = Lebih dari satu minggu ascanbeta.sessionidexposedinurl.alert.attack = Bidang {0}\:[{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} bidang [{1}] berisi pengenal sesi terpapar [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = Url di mana masalah itu ditemukan ditandai sebagai halaman log masuk. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = ID sesi terpapar #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
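Review bot: the `-`/`+` pair for `ascanbeta.sessionidexposedinurl.desc` is character-for-character identical in the visible text, so this hunk is a whitespace-only change (most likely a trailing space); please confirm with a whitespace-aware diff, and if it is tool-generated churn from the translation sync, consider normalising trailing whitespace across the file in one go rather than one key at a time.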
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Penggunaan yang lebih aman sesi implementasi manajemen, seperti salah satu yang menggunakan cookie sesi, yang tidak mudah bersama secara tidak sengaja, dan yang tidak biasanya muncul dalam file log server atau web browser bookmark. ascanbeta.sessionidsentinsecurely.alert.attack = Bidang {0}\:[{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], nilai [{2}] dapat dikirim melalui mekanisme yang tidak aman. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = Url di mana masalah itu ditemukan ditandai sebagai halaman log masuk. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = Flag 'aman' tidak disetel pada cookie sesi yang disediakan oleh server. -ascanbeta.sessionidsentinsecurely.desc = Session id dapat dikirim melalui mekanisme yang tidak aman. Dalam kasus cookie yang dikirim dalam permintaan, hal ini terjadi ketika HTTP, bukan HTTPS, digunakan. Dalam kasus cookie yang dikirim oleh server di respon (ketika URL dimodifikasi dengan menetapkan parameter bernama lapangan untuk NULL), 'aman' bendera tidak diatur, yang memungkinkan cookie akan dikirim kemudian melalui HTTP daripada melalui HTTPS. Hal ini dapat memungkinkan pasif lubang kebocoran pada jaringan jalan untuk mendapatkan akses penuh ke sesi korban. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = ID sesi ditransmisikan dengan tidak aman #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Menggunakan versi terbaru yang tersedia dari SSL/TLS (HTTPS) untuk semua halaman di mana session id dikomunikasikan antara browser dan web server.\n2) tidak memungkinkan komunikasi dipaksa turun ke protokol HTTP tidak terenkripsi.\n3) Menggunakan 'aman' bendera ketika pengaturan cookie yang berisi session id, untuk mencegah transmisi berikutnya dengan mekanisme yang tidak aman.\n4) Teruskan non-secure HTTP halaman permintaan untuk secure HTTPS setara halaman. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = Server menjalankan versi shell Bash yang memungkinkan penyerang jarak jauh mengeksekusi kode yang sewenang-wenang +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = Dari CVE-2014-6271\: GNU Bash melalui 4.3 proses mengikuti string setelah definisi fungsi dalam nilai variabel lingkungan, yang memungkinkan penyerang jarak jauh mengeksekusi kode acak melalui lingkungan yang dibuat, seperti yang ditunjukkan oleh vektor yang melibatkan fitur ForceCommand di sshd OpenSSH, modul mod_cgi dan mod_cgid di Apache HTTP Server, skrip yang dijalankan oleh klien DHCP yang tidak ditentukan, dan situasi lain di mana pengaturan lingkungan terjadi di batas hak istimewa dari eksekusi Bash, alias "ShellShock." CATATAN\: perbaikan asli untuk masalah ini salah; CVE-2014-7169 telah ditugaskan untuk menutupi kerentanan yang masih ada setelah perbaikan yang tidak benar. ascanbeta.shellshock.name = Eksekusi Kode Jarak Jauh - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Perbarui Bash di server ke versi terbaru +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Menggunakan serangan, penundaan [{0}] milidetik diinduksi dan terdeteksi ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = Kode sumber untuk [{0}] ditemukan di [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Pengungkapan Kode Sumber - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Pastikan file metadata SVN tidak dikirim ke server web atau server aplikasi +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Beberapa versi PHP, ketika dikonfigurasi untuk dijalankan menggunakan CGI, jangan menangani string kueri dengan benar yang tidak memiliki karakter "\=" yang tidak digerakkan, yang memungkinkan pengungkapan kode sumber PHP, dan eksekusi kode sewenang-wenang. Dalam hal ini, isi file PHP tersebut langsung ditayangkan ke web browser. Output ini biasanya berisi PHP, meskipun mungkin juga berisi HTML langsung. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Pengungkapan Kode Sumber - CVE-2012-1823 
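Review bot: `ascanbeta.shellshock.desc` and `ascanbeta.shellshock.soln` are reset to English here while `ascanbeta.shellshock.extrainfo`, `.name` and `.timingbased.evidence` of the same alert stay in the original language, and the same split appears for `svnbased.soln` versus `svnbased.name` and `svnbased.extrainfo`; a user of this locale will see a single alert in two languages. If the source strings changed and the translations were invalidated, it would be better to refresh the whole alert rather than individual keys. The `sourcecodedisclosure.gitbased.name` pair shows no visible difference and looks like trailing whitespace only.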
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Memanipulasi bidang [{0}]\: [{1}] dan pantau hasilnya -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] membocorkan informasi tentang apakah pengguna ada Perbedaan [dalam output] [1]], untuk nilai nama pengguna asli yang sah [{2}], dan nilai nama pengguna tidak valid [{3}] adalah\: [{4}] -ascanbeta.usernameenumeration.desc = Ada kemungkinan untuk menghitung nama pengguna, berdasarkan tanggapan HTTP yang berbeda saat nama pengguna yang valid dan tidak valid disediakan. Hal ini akan sangat meningkatkan kemungkinan keberhasilan serangan brute force secara paksa terhadap sistem. Perhatikan bahwa false positive terkadang diminimalkan dengan meningkatkan 'Attack Strength' Option di ZAP. Harap periksa bidang 'Info Lainnya' secara manual untuk mengonfirmasi apakah ini benar-benar menjadi masalah. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Kemungkinan Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Jangan membocorkan rincian apakah nama pengguna sah atau tidak benar. Secara khusus, untuk upaya login yang tidak berhasil, jangan membedakan antara pengguna yang tidak benar dan kata sandi yang tidak benar dalam pesan kesalahan, judul halaman, isi halaman, header HTTP, atau logika redirection. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_it_IT.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_it_IT.properties index 6cdc50b1c83..af35d05cc54 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_it_IT.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_it_IT.properties 
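Review bot: the new `ascanbeta.usernameenumeration.alert.extrainfo` introduces a `{5}` placeholder (`The [{5}] differences in output`) that the replaced line did not have; please verify the scan rule actually supplies six arguments for this message, since `MessageFormat` leaves an unmatched `{5}` literally in the rendered alert. The unchanged context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself ("prior to" versus "or newer"); worth fixing in the source file in a follow-up.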
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = Gli attacchi di tipo Inquinamento del Parametro HTTP (HPP) sono costituiti da delimitatori di stringa di query codificate iniettare in altri parametri esistenti. Se un'applicazione web non disinfetta correttamente l'input dell'utente, un utente malintenzionato pu\u00f2 compromettere la logica dell'applicazione per eseguire attacchi sia lato client sia lato server. Una conseguenza degli attacchi HPP \u00e8 che l'attaccante pu\u00f2 potenzialmente sovrascrivere parametri HTTP hardcoded per modificare il comportamento di un'applicazione, bypassare i checkpoint di convalida dell'input e accedere e potenzialmente abusare le variabili che potessero essere fuori dalla portata diretta. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = Inquinamento del parametro HTTP -ascanbeta.HTTPParamPoll.sol = Disinfettare correttamente l'input dell'utente per delimitatori di parametro +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Una copia di backup del file \u00e8 stata divulgata dal server web +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = Divulgazione di File di backup ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Non modificare i file in situ sul server web e assicurarsi che i file non necessari (compresi i file nascosti) vengano rimossi dal server web. -ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. 
\n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
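Review bot: `ascanbeta.HTTPParamPoll.sol` and `ascanbeta.backupfiledisclosure.desc` replace valid Italian translations with the English source text in `Messages_it_IT.properties`; unless these translations were deliberately invalidated upstream, this is a regression for Italian users and should be reverted or retranslated. The merge of `ascanbeta.cookieslack.session.destroyed` onto one line is a real fix: the old value ended on a continuation line holding only `\n`, which a properties parser reads as a separate, bogus key. The `cookieslack.affect.response.no`/`.yes` pairs show no visible difference and are whitespace-only.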
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = E' possibile una contraffazione della richiesta cross-site basata su Flash/Silverlight, a causa di un errore di configurazione sul server web. -ascanbeta.crossdomain.adobe.read.extrainfo = Il server web permette richieste con intento malevolo di lettura cross-domain provenienti da componenti Flash/Silverlight serviti da qualsiasi dominio di terze parti, a questo dominio. Se l'utente vittima ha effettuato l'accesso a questo servizio, le richieste di lettura dannose vengono elaborate utilizzando i privilegi della vittima e possono portare alla compromissione dei dati da questo servizio da parte di un sito web di terze parti non autorizzate, tramite browser della vittima. Ci\u00f2 \u00e8 probabilmente un problema se \u00e8 in uso un'implementazione di sessione basato su Cookie . +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. 
+ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Configurazione errata su pi\u00f9 domini - Adobe - lettura ascanbeta.crossdomain.adobe.read.soln = Configurare il file crossdomain.xml per limitare l'elenco dei domini che sono autorizzati a fare richieste di lettura cross-domain a questo server web utilizzando . Si dovrebbe garantire accesso a "*" (tutti i domini) se si \u00e8 certi che questo servizio non ospita nessun dato ad accesso controllato, personale o privato. ascanbeta.crossdomain.adobe.send.extrainfo = Il server web permette di inviare dati attraverso invii dannosi cross-dominio (senza necessariamente leggere) con richieste che hanno origine da componenti Flash/Silverlight serviti da un qualsiasi dominio di terze parti, verso questo dominio. Se l'utente vittima ha avuto accesso al servizio, le richieste dannose di invio vengono processate usando i privilegi della vittima, e possono causare un attacco di tipo Cross Site Request Forgery (CSRF) , attraverso il browser della vittima. Questo \u00e8 molto probabilmente un problema se viene usata una implementazione della sessione basata sui Cookie. 
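Review bot: `ascanbeta.crossdomain.adobe.desc` and `.read.extrainfo` replace Italian text with English in what is otherwise an Italian bundle, while `.read.name`, `.read.soln` and `.send.extrainfo` on the same lines stay Italian, so the alert will render in two languages; if these keys were intentionally reverted to the source language, say so in the commit message, otherwise keep the Italian strings. The unchanged `.read.soln` also still reads "utilizzando ." with the element name missing before the full stop, worth fixing in the same pass.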
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = Il metodo HTTP insicuro [{0}] \u00e8 abilitato per questa risorsa ed \u00e8 sfruttabile. \u00c8 possibile stabilire una connessione socket in tunnel verso un servizio di terze parti, utilizzando questo metodo HTTP. Ci\u00f2 permetterebbe al servizio di essere usato come inoltro anonimo di spam, o come proxy web, aggirando le restrizioni di rete. Esso consente inoltre di essere utilizzato per stabilire un tunnel VPN, estendendo quindi la rete perimetrale in modo da includere componenti non attendibili. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = Il metodo CONNECT \u00e8 stato usato per stabilire una connessione socket a [{0}], tramite il server web. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
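Review bot: `ascanbeta.httpoxy.desc` gains a trailing period but keeps the missing space in "request.Httpoxy" on both the old and the new line; since the line is already being touched, fix that as well. `ascanbeta.insecurehttpmethod.connect.exploitable.desc` is another Italian-to-English replacement while `.connect.exploitable.extrainfo` and `.soln` in the same hunk remain Italian.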
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disabilitare metodi insicuri come TRACK, TRACE e CONNECT sul server web e controllare che l'implementazione del servizio sottostante non supporti metodi insicuri. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = Il metodo HTTP insicuro [{0}] \u00e8 abilitato per questa risorsa, ed \u00e8 sfruttabile. I metodi TRACK e TRACE possono essere utilizzati da un utente malintenzionato, per accedere ai toek di autorizzazione e ai cookie di sessione di un utente dell''applicazione, anche se il cookie di sessione \u00e8 protetto utilizzando il flag ''HttpOnly''. Perch\u00e8 l''attacco abbia successo, l''utente dell''applicazione deve in genere utilizzare un vecchio browser web, o un browser web che ha una vulnerabilit\u00e0 su Same Origin Policy (Politica di stessa origine, SOP) . 
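Review bot: The `ascanbeta.insecurehttpmethod.put.exploitable.desc` change only drops the doubled period; the comma splice "used in REST services, PUT is most-often utilized" remains and would read better as two sentences, in line with the `patch.exploitable.desc` wording just above it.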
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potenziale overflow di intero. E' cambiato il codice di stato sull'input di una lunga stringa di interi casuali. -ascanbeta.integeroverflow.error2 = Potenziale overflow di intero. E' cambiato il codice di stato sull'input di una lunga stringa di zero. -ascanbeta.integeroverflow.error3 = Potenziale overflow di intero. E' cambiato il codice di stato sull'input di una lunga stringa di uno. -ascanbeta.integeroverflow.error4 = Potenziale overflow di intero. E' cambiato il codice di stato sull'input di una lunga stringa di nove. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Errore di overflow di intero ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. 
This will require a recompilation of the backend executable. 
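Review bot: `ascanbeta.integeroverflow.error1` to `.error4` switch to English while `ascanbeta.integeroverflow.name` on the same line stays "Errore di overflow di intero", so the alert title and its evidence messages will be in different languages; either translate all of them consistently or leave the Italian messages in place.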
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Sconosciuto ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = Campo {0}\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie impostato in risposta quando campo [{0}] del cookie \u00e8 impostato su NULL\: [{1}]\nCookie impostato in risposta con valore del cookie (valido) preso in prestito nella richiesta [{1}]\: [{2}] 
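Review bot: In `ascanbeta.proxydisclosure.desc` the first list item loses its leading space (`\n- A list of targets`) while the next two keep it (`\n - Potential`, `\n - The presence`), so the rendered list is now misaligned; use the same form for all three. In `ascanbeta.relativepathconfusion.soln` the new text refers to the `""` HTML tag with nothing between the quotes; confirm the element name is actually present in the committed file.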
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = L'URL sul quale il pro ascanbeta.sessionfixation.desc = E' possibile un problema di Session Fixation. Se questo problema si verifica con un URL di login (dove l'utente si autentica sull'applicazione), allora l'URL pu\u00f2 essere dato da un attaccante, insieme a un id di sessione immutato, ad una vittima, per poi assumere l'identit\u00e0 della vittima utilizzando l'id di sessione specificato. Se il problema si verifica con una pagina non di login, l'URL e l'id di sessione immutato possono essere utilizzati solo da un utente malintenzionato per monitorare le azioni di un utente non autenticato. Se la vulnerabilit\u00e0 si verifica su un campo di cookie o un campo di modulo (parametro POST) piuttosto che su un parametro URL (GET), allora alcune altre vulnerabilit\u00e0 possono essere richieste al fine di impostare il campo cookie sul browser della vittima, per consentire che la vulnerabilit\u00e0 sia sfruttabile. 
ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = Campo {0}\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = Nel campo identificatore di sessione {0} [{1}], il valore [{2}] pu\u00f2 essere acceduto utilizzando JavaScript nel browser web -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = L'URL sul quale il problema \u00e8 stato scoperto \u00e8 stata contrassegnata come una pagina di accesso. -ascanbeta.sessionidaccessiblebyjavascript.desc = Un cookie di sessione Id inviato dal server (quando l'URL viene modificato impostando a NULL il campo parametro indicato ) pu\u00f2 essere acceduto tramite JavaScript sul client. In concomitanza con un'altra vulnerabilit\u00e0, questo pu\u00f2 permettere di dirottare la sessione . +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Cookie dell'ID di Sessione accessibile a JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) utilizzare il flag 'httponly' quando si imposta un cookie contenente un id di sessione, per evitare che venga consultato da JavaScript nel browser web. 
+ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = Campo {0}\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = identificatore di sessione {0} campo [{1}], valore [{2}] pu\u00f2 essere acceduto fino al [{3}] (poich\u00e9 il cookie \u00e8 stato ricevuto a {4}), a meno che la sessione sia distrutta. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = L'URL sul quale il problema \u00e8 stato scoperto \u00e8 stata contrassegnata come una pagina di accesso. ascanbeta.sessionidexpiry.browserclose = chiudere il browser -ascanbeta.sessionidexpiry.desc = Un cookie di sessione Id inviato dal server (quando l'URL viene modificato impostando a NULL il campo parametro indicato) \u00e8 impostato per essere valido per un tempo eccessivo. Questo pu\u00f2 essere sfruttabile da un attaccante, se l'utente dimentica di effettuare il logout, se la funzionalit\u00e0 di disconnessione non distrugge correttamente la sessione, o se l'id di sessione \u00e8 compromesso da altri mezzi. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Il valore Session ID Expiry Time/Max-Age \u00e8 eccessivo #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
-ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) utilizzare le direttive di cookie 'Expire' o 'Max-Age' quando si imposta un cookie contenente un id di sessione, per impedire sia disponibile per periodi prolungati di tempo.\n2) verificare che la funzionalit\u00e0 di disconnessione esista, e che distrugga correttamente la sessione.\n3) usare altre misure preventive per assicurarsi che se un id di sessione \u00e8 compromesso, esso non possa essere sfruttato. ascanbeta.sessionidexpiry.timeexpired = Scaduto ascanbeta.sessionidexpiry.timelessthanonehour = Meno di un'ora 
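Review bot: Removing the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` lines leaves the `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` comments in place with nothing after them; either keep the empty keys the comments refer to or drop the comments too. `ascanbeta.sessionfixation.soln` gets its final period but still has "7)Switch" with no space after the number, unlike items 1) to 6). The `.sessionidaccessiblebyjavascript` and `.sessionidexpiry` desc/soln/extrainfo strings are replaced with English while `.name`, `sessionidexpiry.alert.extrainfo` and `sessionidexpiry.soln` stay Italian.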
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = Pi\u00f9 di una settimana ascanbeta.sessionidexposedinurl.alert.attack = Campo {0}\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = Il campo {0} di [{1}] contiene un identificatore di sessione esposto [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = L'URL sul quale il problema \u00e8 stato scoperto \u00e8 stata contrassegnata come una pagina di accesso. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = ID sessione esposto #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
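Review bot: `ascanbeta.sessionidexposedinurl.desc` is unchanged apart from trailing whitespace, so this hunk is cleanup only; the line-number shift in the header (-191 to +189) comes from the two `refs=` deletions in the previous hunk, which the commit message should mention.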
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Utilizzare un'implementazione di gestione della sessione pi\u00f9 sicura, come ad esempio una che utilizzi cookies di sessione, che non sono facilmente condivisi inavvertitamente, e che in genere non compaiono nel file di log del server o nei segnalibri del browser web. ascanbeta.sessionidsentinsecurely.alert.attack = Campo {0}\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = Il campo {0} identificatore di sessione [{1}], il valore [{2}] pu\u00f2 essere inviato tramite un meccanismo insicuro. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = L'URL sul quale il problema \u00e8 stato scoperto \u00e8 stata contrassegnata come una pagina di accesso. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = L'impostazione "sicuro" non \u00e8 stata impostata nel cookie di sessione fornito dal server. -ascanbeta.sessionidsentinsecurely.desc = Un id di sessione pu\u00f2 essere inviato tramite un meccanismo insicuro. Nel caso di un cookie inviato nella richiesta, ci\u00f2 si verifica quando viene usato HTTP anzich\u00e9 HTTPS. Nel caso di un cookie inviato dal server in risposta (quando l'URL viene modificato impostando a NULL il campo parametro indicato ), il flag 'secure' non \u00e8 impostato, permettendo che il cookie sia in seguito inviato tramite HTTP invece che tramite HTTPS. Ci\u00f2 potrebbe consentire ad un intercettatore passivo lungo il percorso di rete di avere pieno accesso alla sessione della vittima. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. 
In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = ID di sessione trasmesso in modo non sicuro #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) utilizzare l'ultima versione disponibile di SSL/TLS (per HTTPS) su tutte le pagine dove un id di sessione viene comunicato tra il browser e il server web.\n2) non consentire che la comunicazione sia degradata ad un protocollo HTTP non crittografato.\n3) utilizzare il flag 'secure' quando si imposta un cookie contenente un id di sessione, per impedire la sua trasmissione successiva con un meccanismo insicuro.\n4) Inoltrare le richieste HTTP di pagina non sicura alla pagina sicura HTTPS equivalente. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. 
-ascanbeta.shellshock.desc = Il server sta eseguendo una versione della shell Bash che consente agli aggressori remoti di eseguire codice arbitrario +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. ascanbeta.shellshock.extrainfo = Da CVE-2014-6271\: GNU Bash fino alla versione 4.3 le stringhe finali nei processi dopo le definizioni di funzioni nei valori delle variabili d\u00b4ambiente, permette ad aggressori remoti di eseguire codice arbitrario tramite un ambiente appositamente predisposto, come dimostrato dai vettori che coinvolgono la funzionalit\u00e0 ForceCommand in OpenSSH sshd, i moduli mod_cgi e mod_cgid in Apache HTTP Server, script eseguiti da client DHCP non specificati e altre situazioni in cui l\u00b4impostazione dell\u00b4ambiente avviene attraverso un limite di privilegio dall'esecuzione di Bash , meglio conosciuto come "ShellShock." Nota\: la correzione originale di questo problema era errata; CVE-2014-7169 \u00e8 stato assegnato per coprire la vulnerabilit\u00e0 che \u00e8 ancora presente dopo la correzione errata. ascanbeta.shellshock.name = Esecuzione di codice remoto - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Aggiornare Bash sul server all\u00b4ultima versione +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Utilizzando l''attacco, un ritardo di [{0}] millisecondi \u00e8 stata causato e rilevato ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. 
ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = Il codice sorgente per [{0}] \u00e8 stato trovato a [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Divulgazione di codice sorgente - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Assicurarsi che i file di metadati di SVN non vengono distribuiti sul web server o sul server applicativo +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Alcune versioni PHP, quando configurate per essere eseguite usando CGI, non gestiscono correttamente le stringhe di query con mancanza di un carattere escape "\=", consentendo la divulgazione del codice sorgente PHP e l'esecuzione di codice arbitrario. In questo caso, il contenuto del file PHP \u00e8 stato servito direttamente al browser web. Questa uscita di solito contiene codice PHP, anche se pu\u00f2 anche contenere direttamente HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Rivelazione di codice sorgente - CVE-2012-1823 
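Review bot: the replacement lines for `sessionidsentinsecurely.alert.extrainfo`, `sessionidsentinsecurely.desc`, `sessionidsentinsecurely.soln`, `shellshock.desc`, `shellshock.soln` and `sourcecodedisclosure.svnbased.soln` swap existing Italian translations for the English source text, so this hunk regresses the translation rather than updating it; if this is a sync that resets strings changed upstream, confirm that is intended before merging. Separately, the new `alert.extrainfo` value starts with a lowercase word and reads awkwardly ("session identifier {0} field [{1}], value [{2}] may be sent ..."); "Session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism." would match the other alert strings, which start with a capital.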
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Modificare il campo [{0}]\: [{1}] e monitorare l''uscita -ascanbeta.usernameenumeration.alert.extrainfo = Il parametro [{0}] [{1}] perde informazioni sull''esistenza o meno di un utente. Le [{5}] differenze in uscita, per il valore di username originale valido [{2}] e il valore username non valido [{3}] sono\: [{4}] -ascanbeta.usernameenumeration.desc = \u00c8 possibile enumerare gli utenti, basati su differenti risposte HTTP quando vengono forniti nomi utente validi e non validi. Questo aumenterebbe notevolmente la probabilit\u00e0 di successo di tecniche di forzatura della password su base di forza bruta contro il sistema. Si noti che falsi positivi possono a volte essere minimizzati aumentando l'opzione 'Forza dell'attacco' in ZAP. Si prega di controllare manualmente il campo 'Altre informazioni' per confermare se questo \u00e8 effettivamente un problema. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Enumerazione utenti possibile ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Non divulgare dettagli se uno username \u00e8 valido o non valido. In particolare, per i tentativi di login fallito, non distinguere tra un utente valido e una password non valida nel messaggio di errore, titolo della pagina, contenuto della pagina, intestazioni HTTP o logica di reindirizzamento. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ja_JP.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ja_JP.properties index e1bb5d2623c..54623b7dbfb 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ja_JP.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ja_JP.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3 -ascanbeta.HTTPParamPoll.sol = \u30e6\u30fc\u30b6\u304c\u5165\u529b\u3057\u305f\u30d1\u30e9\u30e1\u30fc\u30bf\u533a\u5207\u308a\u6587\u5b57\u3092\u9069\u5207\u306b\u30b5\u30cb\u30bf\u30a4\u30ba\u3057\u3066\u4e0b\u3055\u3044\u3002 +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Web \u30b5\u30fc\u30d0\u30fc\u304b\u3089\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u30d5\u30a1\u30a4\u30eb\u304c\u9732\u898b\u3057\u3066\u3044\u307e\u3059\u3002 +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = \u30d0\u30c3\u30af\u30a2\u30c3\u30d7 \u30d5\u30a1\u30a4\u30eb\u306e\u9732\u898b ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Web\u30b5\u30fc\u30d0\u3067\u516c\u958b\u3057\u3066\u3044\u308b\u30d5\u30a1\u30a4\u30eb\u3092\u76f4\u63a5\u7de8\u96c6\u3057\u306a\u3044\u3067\u304f\u3060\u3055\u3044\u3002\u307e\u305f\u3001\u96a0\u3057\u30d5\u30a1\u30a4\u30eb\u3092\u542b\u3081\u3001\u4e0d\u8981\u306a\u30d5\u30a1\u30a4\u30eb\u304cWeb\u30b5\u30fc\u30d0\u3067\u516c\u958b\u3055\u308c\u3066\u3044\u306a\u3044\u3053\u3068\u3092\u78ba\u8a8d\u3057\u3066\u304f\u3060\u3055\u3044\u3002 -ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. 
In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
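Review bot: `HTTPParamPoll.sol` and `backupfiledisclosure.desc` replace Japanese translations with the English source text in the ja_JP file, the same regression as in the Italian file. The other changes in this hunk (`cookieslack.session.destroyed`, `cookieslack.session.warning`) only drop the stray space before `\n`, which is fine, but the two `cookieslack.affect.response.*` pairs show no visible difference at all, so confirm those are trailing-whitespace-only edits and not an encoding change.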
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Web\u30b5\u30fc\u30d0\u30fc\u306e\u8a2d\u5b9a\u30df\u30b9\u306b\u3088\u3063\u3066\u3001Flash \u307e\u305f\u306f Silverlight \u3092\u7528\u3044\u305f \u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30ea\u30af\u30a8\u30b9\u30c8\u30d5\u30a9\u30fc\u30b8\u30a7\u30ea\u304c\u53ef\u80fd\u3068\u306a\u3063\u3066\u3044\u308b\u6050\u308c\u304c\u3042\u308a\u307e\u3059\u3002 -ascanbeta.crossdomain.adobe.read.extrainfo = \u5916\u90e8\u306e\u4efb\u610f\u306e\u30c9\u30e1\u30a4\u30f3\u304b\u3089 Web \u30b5\u30fc\u30d0\u304c\u5b58\u5728\u3059\u308b\u30c9\u30e1\u30a4\u30f3\u306b\u5bfe\u3057\u3001Flash/Silverlight 
\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u4f7f\u7528\u3057\u305f\u60aa\u610f\u3042\u308b\u30c9\u30e1\u30a4\u30f3\u9593\u306e\u30c7\u30fc\u30bf\u8aad\u307f\u8fbc\u307f\u304c\u53ef\u80fd\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002\n\n\u88ab\u5bb3\u8005\u3068\u306a\u308b\u30e6\u30fc\u30b6\u304c\u3053\u306e\u30b5\u30fc\u30d3\u30b9\u306b\u30ed\u30b0\u30a4\u30f3\u3057\u305f\u5834\u5408\u3001\u60aa\u610f\u306e\u3042\u308b\u8aad\u307f\u8fbc\u307f\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u88ab\u5bb3\u8005\u306e\u6a29\u9650\u3092\u4f7f\u7528\u3057\u3066\u51e6\u7406\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u3063\u3066\u3001\u88ab\u5bb3\u8005\u306e Web \u30d6\u30e9\u30a6\u30b6\u3092\u4ecb\u3057\u3066\u3001\u4e0d\u6b63\u306a\u5916\u90e8\u306e Web \u30b5\u30a4\u30c8\u306e\u30c7\u30fc\u30bf\u3092\u3001\u3053\u306e\u30b5\u30fc\u30d3\u30b9\u672c\u6765\u306e\u30c7\u30fc\u30bf\u306b\u6df7\u5165\u3055\u305b\u308b\u3068\u3044\u3063\u305f\u4e8b\u304c\u53ef\u80fd\u3068\u306a\u308a\u307e\u3059\u3002\n\n\u3053\u306e\u8106\u5f31\u6027\u306f\u3001\u7279\u306b\u30af\u30c3\u30ad\u30fc \u30d9\u30fc\u30b9\u306e\u30bb\u30c3\u30b7\u30e7\u30f3\u306e\u5b9f\u88c5\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u5834\u5408\u306b\u554f\u984c\u3068\u306a\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u304f\u306a\u308a\u307e\u3059\u3002 +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. 
This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = \u30af\u30ed\u30b9 \u30c9\u30e1\u30a4\u30f3\u306e\u8a2d\u5b9a\u30df\u30b9 - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = \u3053\u306e Web \u30b5\u30fc\u30d0\u3078\u306e\u30af\u30ed\u30b9 \u30c9\u30e1\u30a4\u30f3\u306e\u8aad\u307f\u53d6\u308a\u3092\u5236\u9650\u3059\u308b\u305f\u3081\u3001crossdomain.xml \u30d5\u30a1\u30a4\u30eb\u3092\u69cb\u6210\u3057\u3001 \u3092\u7528\u3044\u3066\u8a31\u53ef\u3055\u308c\u3066\u3044\u308b\u30c9\u30e1\u30a4\u30f3\u306e\u30ea\u30b9\u30c8\u3092\u4f5c\u6210\u3057\u3066\u4e0b\u3055\u3044\u3002\u30b5\u30fc\u30d3\u30b9\u304c\u30a2\u30af\u30bb\u30b9\u30b3\u30f3\u30c8\u30ed\u30fc\u30eb\u3084\u500b\u4eba\u60c5\u5831\u3092\u30db\u30b9\u30c8\u3057\u306a\u3044\u5834\u5408\u306b\u306e\u307f\u3001"*"(\u3059\u3079\u3066\u306e\u30c9\u30e1\u30a4\u30f3)\u306e\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3059\u308b\u3088\u3046\u306b\u3057\u3066\u4e0b\u3055\u3044\u3002 ascanbeta.crossdomain.adobe.send.extrainfo = \u5916\u90e8\u306e\u4efb\u610f\u306e\u30c9\u30e1\u30a4\u30f3\u304b\u3089 Web \u30b5\u30fc\u30d0\u304c\u5b58\u5728\u3059\u308b\u30c9\u30e1\u30a4\u30f3\u306b\u5bfe\u3057\u3001Flash/Silverlight 
\u30b3\u30f3\u30dd\u30fc\u30cd\u30f3\u30c8\u3092\u4f7f\u7528\u3057\u305f\u60aa\u610f\u3042\u308b\u30c9\u30e1\u30a4\u30f3\u9593\u306e\u30c7\u30fc\u30bf\u9001\u4fe1(\u5fc5\u305a\u3057\u3082\u8aad\u307f\u8fbc\u307f\u306f\u884c\u308f\u306a\u3044)\u304c\u53ef\u80fd\u3068\u306a\u3063\u3066\u3044\u307e\u3059\u3002\n\n\u88ab\u5bb3\u8005\u3068\u306a\u308b\u30e6\u30fc\u30b6\u304c\u3053\u306e\u30b5\u30fc\u30d3\u30b9\u306b\u30ed\u30b0\u30a4\u30f3\u3057\u305f\u5834\u5408\u3001\u60aa\u610f\u306e\u3042\u308b\u8aad\u307f\u8fbc\u307f\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u88ab\u5bb3\u8005\u306e\u6a29\u9650\u3092\u4f7f\u7528\u3057\u3066\u51e6\u7406\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u306b\u3088\u3063\u3066\u3001\u88ab\u5bb3\u8005\u306e Web \u30d6\u30e9\u30a6\u30b6\u3092\u4ecb\u3057\u3066\u3001\u4e0d\u6b63\u306a\u5916\u90e8\u306e Web \u30b5\u30a4\u30c8\u306e\u30c7\u30fc\u30bf\u3092\u3001\u3053\u306e\u30b5\u30fc\u30d3\u30b9\u672c\u6765\u306e\u30c7\u30fc\u30bf\u306b\u6df7\u5165\u3055\u305b\u308b\u3068\u3044\u3063\u305f\u4e8b\u304c\u53ef\u80fd\u3068\u306a\u308a\u307e\u3059\u3002\u307e\u305f\u3001\u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30ea\u30af\u30a8\u30b9\u30c8\u30d5\u30a9\u30fc\u30b8\u30a7\u30ea(CSRF)\u306e\u653b\u6483\u306b\u7e4b\u304c\u308b\u6050\u308c\u3082\u3042\u308a\u307e\u3059\u3002\n\n\u3053\u306e\u8106\u5f31\u6027\u306f\u3001\u7279\u306b\u30af\u30c3\u30ad\u30fc \u30d9\u30fc\u30b9\u306e\u30bb\u30c3\u30b7\u30e7\u30f3\u306e\u5b9f\u88c5\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u308b\u5834\u5408\u306b\u554f\u984c\u3068\u306a\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u304f\u306a\u308a\u307e\u3059\u3002 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
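Review bot: the new `httpoxy.desc` line keeps the missing space in "request.Httpoxy typically affects" from the old line; since the string is being touched anyway, change it to "request. Httpoxy typically affects" (and preferably "CGI-like" for "CGI like"). The `httpsashttp.desc` and `insecurehttpmethod.connect.exploitable.desc` pairs show no visible change, so those look like trailing-whitespace cleanups only.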
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
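Review bot: the trailing double period in `insecurehttpmethod.put.exploitable.desc` is fixed, but the comma splice in the same sentence remains ("used in REST services, PUT is most-often utilized"); suggest "used in REST services; PUT is most often utilized for **update** capabilities, ..." so it reads as two clauses. The unchanged `patch.exploitable.desc` line above has the same construction ("used in REST services, PATCH is used for") and could get the same fix.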
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = \u4e0d\u660e ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} \u30d5\u30a3\u30fc\u30eb\u30c9\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
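Review bot: the `+ascanbeta.relativepathconfusion.soln` value reads `the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL`, with nothing between the quotes, and the neighbouring context values `morethanonebasetag` / `nobasetag` likewise read "More than one tag was specified in the HTML tag to define the location for relative URLs"; the element names (presumably `base` inside `head`, going by the key names; that is my assumption) appear to have been dropped. Confirm the committed value actually contains them and that an angle-bracketed tag name is not being stripped somewhere in the translation round-trip, since a solution text that tells the reader to use the `""` tag is useless. The remaining `-`/`+` pairs in this hunk (`traceenabled`, `webserver.header`, `contenttypeenabled`, `nocontenttype`) show no visible text difference and so are trailing-whitespace removals, which is fine. One consistency point: `extrainfo.unknown` is the only key here carrying a translated value (`\u4e0d\u660e`) while every surrounding string is still English.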
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = \u30bb\u30c3\u30b7\u30e7\u30f3 \u30d5\u30a3\u30af\u30bb\u30fc\u30b7\u30e7\u30f3 ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a 
cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} \u30d5\u30a3\u30fc\u30eb\u30c9\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. 
+ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} \u30d5\u30a3\u30fc\u30eb\u30c9\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. 
+ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
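Review bot: in `+ascanbeta.sessionfixation.soln`, item `7)Switch from a URL based to a cookie or form based session id implementation` still lacks the space after `7)` that items `1)` to `6)` have; since the line is already being edited to add the trailing period, make it `7) Switch`. Two smaller points in the same hunk: the comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` is kept in both places while the empty `-ascanbeta.sessionidaccessiblebyjavascript.refs=` and `-ascanbeta.sessionidexpiry.refs=` keys it annotates are removed, leaving the comments orphaned, so drop them in the same change (removing the keys from this locale bundle is itself harmless, as lookups fall back to the default bundle, assuming the base `Messages.properties` still defines them); and `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed from "The url" to "The URL" while the otherwise identical `sessionidexpiry.alert.extrainfo.loginpage` a few lines later keeps "The url", so apply the same capitalisation to both.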
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} \u30d5\u30a3\u30fc\u30eb\u30c9\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = \u30bb\u30c3\u30b7\u30e7\u30f3 ID\u306e\u516c\u958b #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
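Review bot: the only change in this hunk (`ascanbeta.sessionidexposedinurl.desc`) is trailing whitespace, which is fine, but the unchanged comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` directly below it is stale: the next hunk's header context shows `ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW...` is populated. Remove the comment while here. `alert.extrainfo.loginpage` in this hunk also still says "The url", so it could take the same "The URL" capitalisation applied to `sessionidaccessiblebyjavascript` in the previous hunk.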
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} \u30d5\u30a3\u30fc\u30eb\u30c9\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = [{0}] \u306e\u30bd\u30fc\u30b9 \u30b3\u30fc\u30c9\u304c [{1}] \u304b\u3089\u9732\u898b\u3057\u3066\u3044\u307e\u3059\u3002 ascanbeta.sourcecodedisclosure.svnbased.name = \u30bd\u30fc\u30b9\u30b3\u30fc\u30c9\u306e\u9732\u898b - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = SVN \u306e\u30e1\u30bf\u30c7\u30fc\u30bf\u30d5\u30a1\u30a4\u30eb\u304c Web \u30b5\u30fc\u30d0\u30fc\u3084\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u30b5\u30fc\u30d0\u30fc\u306b\u914d\u7f6e\u3055\u308c\u306a\u3044\u3088\u3046\u3001\u78ba\u8a8d\u3092\u3057\u3066\u4e0b\u3055\u3044\u3002 +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
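Review bot: `ascanbeta.sourcecodedisclosure.svnbased.soln` replaces an existing Japanese translation (`SVN \u306e\u30e1\u30bf\u30c7\u30fc\u30bf\u30d5\u30a1\u30a4\u30eb...`, which already says "please ensure SVN metadata files are not deployed to the web server or application server") with the English source text `Ensure that SVN metadata files are not deployed to the web server or application server.`, while `svnbased.name` and `svnbased.extrainfo` immediately above it stay Japanese. For a translation bundle that is a regression, not a cleanup: keep the Japanese value (or have it re-translated with the new full stop) rather than merging the English string as-is, and check whether the upstream source-string edit caused the translation platform to discard the existing translation, because the same thing will happen to every other key that received a trailing period in this sync. The other changes in the hunk (trailing period on `shellshock.desc`, `shellshock.soln` and `gitbased.soln`, whitespace on `sessionidsentinsecurely.*`) are fine.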
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ko_KR.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ko_KR.properties index cc4ba26a21e..f56ce6a278a 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ko_KR.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ko_KR.properties 
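Review bot: the trailing period added to `+ascanbeta.usernameenumeration.alert.extrainfo` lands after the `{4}` placeholder (`...invalid username value [{3}] are\:\n[{4}].`), and `{4}` is filled with the captured response differences, so the rendered alert will end with a stray `.` after whatever diff output is substituted. Leave that value without the full stop, as the `-` line had it; the period convention makes sense for static sentences, not for a value that ends in a substituted block. The `alert.attack` and `desc` pairs in this hunk differ only in trailing whitespace.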
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
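Review bot: `+ascanbeta.cookieslack.session.destroyed` drops the space before `\n` but the value still runs two sentences together with no punctuation after the placeholder: `invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n`. Put a period (or a `\n`) after `[{0}]` while the line is being touched, otherwise the cookie name and "A follow-on request" render as one sentence. Also, `ascanbeta.HTTPParamPoll.sol` gets its trailing period but keeps the odd `sol` suffix where every other rule here uses `soln`; that can only be renamed together with the Java code that reads the key, so it is a follow-up rather than a blocker. The `affect.response.*` pairs are whitespace-only.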
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
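Review bot: both `-`/`+` pairs in this hunk (`crossdomain.adobe.desc`, `crossdomain.adobe.read.extrainfo`) show no textual difference, so this is trailing-whitespace cleanup only. The unchanged `crossdomain.adobe.read.soln` context line directly below, however, reads `...allowed to make cross-domain read requests to this web server, using . You should only grant access to "*"...`, i.e. the name of the crossdomain.xml directive is missing before the full stop (I would assume the `allow-access-from` element; that is an assumption, not something visible here). Check that the committed value actually contains it and that an angle-bracketed element name is not being dropped, since without it the remediation text does not tell the reader what to configure.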
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
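Review bot: `+ascanbeta.httpoxy.desc` gains a trailing period but keeps `...Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.` with no space after the first sentence; fix it to `request. Httpoxy` in the same edit (and `CGI like` would normally be hyphenated). The other pairs (`httpsashttp.desc`, `insecurehttpmethod.connect.exploitable.desc`) are whitespace-only. In the context lines, `delete.exploitable.desc` reads `This method is most commonly used in REST services, It is used to delete a resource.`, a comma followed by a capitalised new sentence; split it with a full stop when these strings are next touched.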
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
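Review bot: the fix to `ascanbeta.insecurehttpmethod.put.exploitable.desc` only drops the doubled full stop; the comma splice in the same value ("It is now most commonly used in REST services, PUT is most-often utilized ...") and the identical one in the `patch.exploitable.desc` context line ("...REST services, PATCH is used ...") are left in place. While the line is being touched, suggest "It is now most commonly used in REST services. PUT is most often used for **update** capabilities ...". The context line `ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD` also lacks the terminal punctuation this change adds elsewhere.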
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
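Review bot: the four `ascanbeta.integeroverflow.error1` to `error4` pairs read identically on both sides of the hunk, so this appears to be a whitespace-only change; please confirm a trailing space or line ending is what is being removed, otherwise the hunk is pure diff noise. If the goal is to tidy these messages, the unchanged `ascanbeta.integeroverflow.desc` value ("... extends beyond the range limits and has not been properly checked from the input stream") is the one that reads awkwardly and would benefit from the same attention.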
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
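Review bot: the bullet formatting in `ascanbeta.proxydisclosure.desc` becomes inconsistent: the first item is changed from `\n - A list of targets` to `\n- A list of targets`, but the next two items keep their leading space (`\n - Potential vulnerabilities ...`, `\n - The presence or absence ...`). Either apply the same change to all three or leave the first as it was. Joining `ascanbeta.proxydisclosure.extrainfo.traceenabled` onto a single line is a genuine fix, since an unescaped line break ends a properties value and the continuation text would otherwise be parsed as a stray key. One thing to verify in the file itself: in the `relativepathconfusion` values the element names appear empty as rendered ("the "" HTML tag", "More than one tag was specified in the HTML tag"); angle-bracketed names are often stripped by the diff viewer, so please confirm the tag names are still present in the committed file.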
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
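Review bot: `ascanbeta.sessionidexpiry.desc` appears to span two lines in the new version ("... excessive period of time." followed on the next line by "This may be exploitable by an attacker ..."), whereas the removed value was a single line. An unescaped newline terminates a properties value, so the second part would become a separate key rather than part of the message; confirm the value is on one line or that the break is escaped with a trailing backslash. The empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys are removed, but the `#these refs cannot be referenced, but we leave it here ...` comments that describe them are kept in both places and now refer to nothing; drop or reword them. Minor: `7)Switch from a URL based ...` in `ascanbeta.sessionfixation.soln` is still missing the space after `7)` that the other numbered items have.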
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
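Review bot: the `ascanbeta.sessionidexposedinurl.desc` pair is identical as rendered, so as with the other hunks this looks whitespace-only; confirm. The retained context comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` precedes `ascanbeta.sessionidexposedinurl.refs`, which (per the next hunk's context line) does carry an OWASP URL, so the comment is stale and could be removed in the same pass that drops the other empty `refs=` keys.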
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
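Review bot: `ascanbeta.sessionidsentinsecurely.desc` is rendered across two lines in the new version ("... via HTTP rather than via HTTPS." then "This may allow a passive eavesdropper ..."), while the removed value was a single line; as with `sessionidexpiry.desc`, please confirm the value is one physical line in the file, because an unescaped newline would cut the message short and turn the remainder into a separate key. The unchanged comment `#these refs cannot be referenced ...` directly above `ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/...` is stale, since that key has a value. The added full stops on `shellshock.desc`, `shellshock.soln` and the `gitbased`/`svnbased` solutions are consistent with the rest of the change.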
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_mk_MK.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_mk_MK.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_mk_MK.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_mk_MK.properties 
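Review bot: the full stop appended to `ascanbeta.usernameenumeration.alert.extrainfo` lands after the `[{4}]` placeholder, and `{4}` is filled with the multi-line diff between the two responses, so the period will appear on its own after a block of diff output. Suggest leaving that value unchanged or ending the sentence before the colon instead. The `usernameenumeration.alert.attack` pair is identical as rendered (whitespace-only), and the context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` is self-contradictory; "Upgrade Apache Commons Text to version 1.10.0 or newer." would be clearer if it is being touched in the source file.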
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
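Review bot: the terminal-period pass is applied unevenly in this hunk: shellshock.desc, shellshock.soln, sourcecodedisclosure.gitbased.soln and sourcecodedisclosure.svnbased.soln gain a period, but shellshock.timingbased.evidence ("...was induced and detected"), sourcecodedisclosure.gitbased.evidence ("...was extracted using [{1}]") and sourcecodedisclosure.svnbased.extrainfo ("...was found at [{1}]") are full sentences of the same shape and are left without one; either punctuate the whole block or leave it alone. Two further points on lines this hunk rewrites: sessionidsentinsecurely.soln still recommends "the latest available version of SSL/TLS", and SSL should not be recommended at all, so "the latest version of TLS" is the safer wording; and ascanbeta.shellshock.ref is the only key here using the singular ".ref" where the neighbouring rules use ".refs", which is worth checking against the key the rule code actually reads.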
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ms_MY.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ms_MY.properties index d819cc9c83d..b71a496d0fd 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ms_MY.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ms_MY.properties 
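Review bot: in usernameenumeration.alert.extrainfo the new period is appended straight after [{4}], which is the substituted block of response differences introduced by "are\:\n"; the rendered text will therefore end the diff output with a stray ".", so drop that period (the sentence already ends at the colon). In the same hunk usernameenumeration.alert.attack ("...and monitor the output") gets no period, so the convention is not even consistent within the hunk. Drive-by on the context line above it: text4shell.soln reads "Upgrade Apache Commons Text prior to version 1.10.0 or newer", which contradicts itself; "Upgrade Apache Commons Text to version 1.10.0 or newer" is what is meant.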
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pencemaran (HPP) serangan terdiri dari suntik dikodekan query string pembatas ke parameter yang ada. Jika aplikasi web tidak benar membersihkan input pengguna, pengguna jahat dapat membahayakan logika aplikasi untuk melakukan salah satu sisi klien atau server-side serangan. Salah satu konsekuensi dari HPP serangan adalah bahwa penyerang dapat berpotensi menimpa yang sudah ada hard-coded HTTP parameter untuk memodifikasi perilaku aplikasi, bypass validasi input pos-pos pemeriksaan, dan akses dan mungkin memanfaatkan variabel-variabel yang dapat langsung mencapai. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Benar membersihkan user input untuk parameter pembatas +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Cadangan fail telah didedahkan oleh pelayan web +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Pengungkapan ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Tidak mengedit fail dalam situ di web pelayan, dan memastikan bahwa un-perlu fail (termasuk fail tersembunyi) dikeluarkan dari web pelayan. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
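Review bot: HTTPParamPoll.sol and backupfiledisclosure.desc in Messages_ms_MY.properties are replaced with English text, which removes the Malay translation instead of correcting it. If the intent is to fall back to the default English wording, delete those keys from this locale file so the ResourceBundle lookup falls through to the base Messages.properties; if the intent is a better translation, the replacement needs to be Malay. As it stands the file is left in three states at once: translated values, untouched half-translations such as "backupfiledisclosure.name = Backup File Pengungkapan", and English overrides. The cookieslack.session.destroyed and cookieslack.session.warning changes only strip the space before "\n" and are fine.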
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Mengkonfigurasi crossdomain.xml file untuk menyekat senarai domain yang dibenarkan untuk membuat cross-domain membaca permintaan untuk ini web pelayan, menggunakanKau hanya perlu memberikan akses untuk "*" (semua domain) jika anda yakin bahwa layanan ini tidak menjadi tuan rumah mana-mana akses dikawal, peribadi, atau swasta data. ascanbeta.crossdomain.adobe.send.extrainfo = Pelayan web membenarkan permintaan data lintas domain yang dihantar (tetapi tidak semestinya dibaca) yang berasal dari komponen Flash / Silverlight yang disiarkan dari mana-mana domain pihak ketiga, ke domain ini. Sekiranya pengguna mangsa log masuk ke perkhidmatan ini, permintaan penghantaran berniat jahat diproses menggunakan keistimewaan mangsa, dan boleh mengakibatkan serangan jenis Permintaan Serangan Tapak (CSRF) melalui pelayar web mangsa. Ini terutamanya mungkin menjadi isu jika pelaksanaan sesi berasaskan Cookie sedang digunakan. 
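Review bot: crossdomain.adobe.desc and crossdomain.adobe.read.extrainfo are unchanged in visible text (whitespace-only), while the adjacent crossdomain.adobe.read.soln, whose Malay value contains the run-together "menggunakanKau hanya" and is the one line in this block that actually needs editing, is left as is; if the block is being revisited, fix that word rather than the invisible whitespace.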
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
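Review bot: httpoxy.desc gains a terminal period on the third bullet only ("...use a malicious proxy.") while the first two bullets in the same value stay unpunctuated, and the pre-existing "request.Httpoxy" (no space after the period) is carried over unchanged on the + line; since this value is being edited anyway, insert the missing space and either punctuate all three bullets or none. The httpsashttp.desc and insecurehttpmethod.connect.exploitable.desc changes appear to be whitespace-only.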
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
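Review bot: removing the doubled period at the end of insecurehttpmethod.put.exploitable.desc is right, but the + line keeps the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to..."; suggest "It is now most commonly used in REST services, where PUT is used for **update** operations: PUT-ing to a known resource URI with a request body containing the updated representation of the resource." The same construction appears on the context line for patch.exploitable.desc ("...used in REST services, PATCH is used for...") and could be fixed in the same pass.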
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
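Review bot: whitespace-only on integeroverflow.error1 through error4, but since the lines are touched: error1 says "a long string of random integers" while error2 to error4 say "zeros", "ones" and "nines"; the payload is a string of digits, so "random digits" is both accurate and consistent with its siblings.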
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Tidak diketahui ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
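Review bot: proxydisclosure.desc changes only the first list item, from " \n - A list" to "\n- A list", and leaves the next two as "\n - Potential..." and "\n - The presence...", so the three items in one value now have different leading whitespace; apply the same form to all three. On relativepathconfusion.soln the + line reads `the correct use of the "" HTML tag` with nothing between the quotes, so confirm the tag name is actually present in the committed file rather than lost to escaping. Also, proxydisclosure.extrainfo.unknown = Tidak diketahui is still Malay while earlier hunks in this file replace Malay values with English; the file needs one policy, not both.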
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Sesi Fiksasi mungkin menjadi mungkin. Jika masalah ini terjadi dengan URL login (di mana pengguna mengotentikasi diri mereka sendiri untuk aplikasi), maka URL yang dapat diberikan oleh seorang penyerang, selain tetap session id, untuk korban, untuk kemudian mengasumsikan identitas korban menggunakan diberikan session id. Jika terjadi masalah dengan non-halaman login, URL dan tetap session id hanya dapat digunakan oleh penyerang untuk melacak aplikasi yang tidak berkepentingan tindakan pengguna. Jika terjadi kerentanan pada cookie bidang atau bentuk lapangan (POSTING parameter) bukan pada URL (GET) parameter, maka beberapa kerentanan juga mungkin diperlukan dalam rangka untuk mengatur cookie lapangan pada browser korban, untuk memungkinkan kerentanan yang dapat dimanfaatkan. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a 
cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
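Review bot: deleting the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` orphaned in both places; drop the comments together with the keys, or keep the keys. Capitalising `The url` to `The URL` only in `ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` also leaves `ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page.` inconsistent a few lines later, and `7)Switch` in `ascanbeta.sessionfixation.soln` still lacks a space after `7)`.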
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = Url di mana masalah itu ditemukan ditandai sebagai halaman log masuk. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
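Review bot: the `ascanbeta.sessionidexposedinurl.desc` change in this hunk is whitespace-only as far as the rendered diff shows; if the intent is trailing-whitespace cleanup, state that in the commit message so reviewers can skip the noise. The neighbouring `ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage` is still the Indonesian string, so this hunk only touches the untranslated (English fallback) values.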
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Penggunaan yang lebih aman sesi implementasi manajemen, seperti salah satu yang menggunakan cookie sesi, yang tidak mudah bersama secara tidak sengaja, dan yang tidak biasanya muncul dalam file log server atau web browser bookmark. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Memastikan bahwa SVN metadata file yang tidak digunakan untuk server web atau server aplikasi +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
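Review bot: `ascanbeta.sourcecodedisclosure.svnbased.soln` replaces an existing Indonesian translation with the English source string, which loses a translation in a localized file; if these files are synced from the translation platform, the wording should be fixed there rather than overwritten here, otherwise the next sync will reintroduce the old text. The trailing-period additions to `ascanbeta.shellshock.desc`, `ascanbeta.shellshock.soln` and `ascanbeta.sourcecodedisclosure.gitbased.soln` are consistent with the rest of the change.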
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Tidak membocorkan rincian apakah username yang valid atau tidak valid. Secara khusus, untuk kali gagal login, tidak membedakan antara pengguna yang tidak valid dan password yang valid dalam pesan kesalahan, halaman judul, halaman isi, header HTTP, atau pengalihan logika. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_nb_NO.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_nb_NO.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_nb_NO.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_nb_NO.properties 
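Review bot: in the `@@ -243,9 +241,9 @@` hunk the period added to `ascanbeta.usernameenumeration.alert.extrainfo` lands after the `[{4}]` placeholder, which is filled at runtime with the multi-line response differences, so the rendered alert will end with a stray `.` after the diff output; keep that value without the trailing period. The context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` is also self-contradictory (`prior to ... or newer`) and could be corrected to `to version 1.10.0 or newer` in the same pass.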
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
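Review bot: `ascanbeta.cookieslack.session.destroyed` still runs `[{0}] A follow-on request ...` with no punctuation between the placeholder and the next sentence, so while the trailing `\n` spacing is being fixed a period or colon after `[{0}]` would make the rendered text readable. The `ascanbeta.cookieslack.affect.response.no` and `.yes` lines change only in trailing whitespace.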
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
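Review bot: the two `ascanbeta.crossdomain.adobe.*` lines in this hunk differ only in whitespace, while the adjacent context line `ascanbeta.crossdomain.adobe.read.soln` contains `using .` with the object of `using` missing; that is the more visible defect in this block and is worth fixing in the same change.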
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
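Review bot: `ascanbeta.httpoxy.desc` still contains `request.Httpoxy` with no space after the first sentence, and the added period now ends only the last bullet (`* Tie up server resources ... malicious proxy.`) while the first two bullets have none; fix the missing space and make the bullet punctuation consistent. `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` change only in trailing whitespace.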
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
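Review bot: removing the doubled period at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is correct, but the sentence remains a comma splice (`It is now most commonly used in REST services, PUT is most-often utilized`) and `PUT-ing` is unidiomatic; consider `It is now most commonly used in REST services, where PUT is most often used for **update** capabilities, sending a request to a known resource URI ...`.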
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
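Review bot: the four `ascanbeta.integeroverflow.error1` to `error4` lines change only in trailing whitespace; if the tooling that emits these files normalizes whitespace, say so in the commit message so the hunk can be skipped in review.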
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_nl_NL.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_nl_NL.properties index fdaf83de688..c8ab9c2aba5 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_nl_NL.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_nl_NL.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) aanvallen bestaan uit het injecteren van gecodeerde query scheidingstekens in andere bestaande parameters. Als een web applicatie de user input onjuist schoonmaakt, dan kan een kwaadwillende gebruiker de logica van de applicatie aantasten om zo client-side en server-side aanvallen uit te voeren. Consequenties van HPP aanvallen zijn dat de aanvaller mogelijk hard-coded HTTP parameters kan overschrijven om zo het gedrag van de applicatie te wijzigen, invoer validatie checkpoints kan omzeilen, en variabelen kan misbruiken die misschien buiten direct bereik liggen. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Maak de user input voor parameter scheidingstekens goed schoon +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Een backup van het bestand werd geopenbaard door de webserver +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File openbaarmaking ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Wijzig geen bestanden in situ op de webserver, en zorg ervoor dat onbelangrijke bestanden (inclusief verborgen bestanden) zijn verwijderd van de webserver. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Een potenti\u00eble Flash/Silverlight gebaseerde cross-site request forgery is mogelijk vanwege een onjuiste configuratie op de webserver. -ascanbeta.crossdomain.adobe.read.extrainfo = De webserver staat schadelijke cross-domein requests om data te lezen toe afkomstig van Flash/Silverlight componenten van elk willekeurig derde partij domein naar dit domein. Als het slachtoffer is ingelogd op deze service, dan zullen de schadelijke lees requests worden behandeld met de rechten van het slachtoffer. Daardoor kan data van deze service worden aangetast door een niet-geautoriseerde derde partij website via de web browser van het slachtoffer. Dit komt met name voor als een Cookie gebaseerde sessie implementatie wordt gebruikt. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. 
+ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domein Misconfiguratie - Adobe - Lezen ascanbeta.crossdomain.adobe.read.soln = Configureer het crossdomain.xml bestand om de lijst van domein namen die toegestaan zijn om cross-domein read requests te maken naar deze webserver te beperken. Gebruik hiervoor . U moet alleen toegang geven aan "*" (alle domeinnamen) als u er zeker van bent dat deze service geen toegangscontrole-, gepersonaliseerde-, of priv\u00e9-gegevens aanbiedt. ascanbeta.crossdomain.adobe.send.extrainfo = De webserver staat schadelijke cross-domein requests toe afkomstig van Flash/Silverlight componenten van elk willekeurig derde partij domein naar dit domein. Als het slachtoffer is ingelogd op deze service, dan zullen de schadelijke requests worden behandeld met de rechten van het slachtoffer. Dit kan leiden tot Cross Site Request Forgery (CSRF) type aanvallen via de web browser van het slachtoffer. Dit komt met name voor als een Cookie gebaseerde sessie implementatie wordt gebruikt. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = De onveilige HTTP method [{0}] is ingeschakeld op de web server voor deze resource en kan worden misbruikt. Het bleek mogelijk te zijn om een getunnelde socket connectie naar een derde partij service aan te maken met deze HTTP methode. Hiermee kan de service worden gebruikt voor een anonieme spam relay, of als een web proxy om netwerk restricties te omzeilen. Het is ook mogelijk om een getunnelde VPN op te zetten waarmee het netwerk omvang te vergroten om zo onbetrouwbare componenten te omvatten. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = De CONNECT methode werd gebruikt om een socket connectie op te zetten naar [{0}] via de web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
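Review bot: `ascanbeta.httpoxy.desc` is touched only to add a trailing full stop, but the same line still has the run-together `request.Httpoxy` (no space after the first sentence); since the line is being edited anyway, fix it here: `...Proxy header of the request. Httpoxy typically affects code running in CGI or CGI like environments.` The same mixed-language concern as the first hunk applies to `insecurehttpmethod.connect.exploitable.desc`, which becomes English while `connect.exploitable.extrainfo` on the next line stays Dutch.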
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Schakel onveilige methodes, zoals TRACK, TRACE, en CONNECT, uit op de web server en zorg ervoor dat de onderliggende service implementatie deze onveilige methodes niet ondersteunt. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = De onveilige HTTP method [{0}] is ingeschakeld op de web server voor deze resource en kan worden misbruikt. De TRACK en TRACE methodes kunnen worden gebruikt door een aanvaller om toegang te verschaffen tot authorisatie tokens/sessie cookies van applicatie gebruikers, zelfs als de sessie cookies zijn beschermd met de ''HttpOnly'' vlag. Voor de aanval om succesvol te zijn moet de applicatie gebruiker een oude web browser gebruiken of een web browser die een Same Origin Policy (SOP) bypass kwetsbaarheid heeft. 
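Review bot: the double full stop in `ascanbeta.insecurehttpmethod.put.exploitable.desc` is fixed, but the sentence before it is still a comma splice (`It is now most commonly used in REST services, PUT is most-often utilized ...`); while the line is open, suggest `It is now most commonly used in REST services. PUT is most often used for **update** capabilities, ...`. The `**update**` / `**modify**` emphasis in these strings is Markdown; worth confirming the alert view renders it, otherwise the asterisks show literally.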
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
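Review bot: the four `ascanbeta.integeroverflow.error1..4` lines are identical in the `-`/`+` view, so this is presumably trailing-whitespace removal. In a Java `.properties` file trailing whitespace is part of the value, so the displayed message does change (it loses its trailing space); harmless, but say so in the commit message so nobody hunts for a wording change in these lines.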
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Onbekend ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} veld\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie ingesteld in response wanneer cookie veld [{0}] is ingesteld op NULL\: [{1}]\nCookie ingesteld in response met geleende (geldige) cookie waarde in request [{1}] \: [{2}] 
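Review bot: `ascanbeta.proxydisclosure.desc` changes the first bullet from `determine \n - A list` to `determine\n- A list`, but the second and third bullets keep the leading space (`\n - Potential`, `\n - The presence`), so the rendered list is now indented inconsistently; either drop the space on all three or restore it on the first. In `ascanbeta.relativepathconfusion.soln` the phrase `the "" HTML tag` shows empty quotes as displayed here, and the context lines `extrainfo.morethanonebasetag` / `extrainfo.nobasetag` likewise read `More than one tag was specified in the HTML tag` / `No tag was specified in the HTML tag`; confirm the element names (which must be escaped in a properties file) are actually present in the file rather than lost.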
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = De url waarop het prob ascanbeta.sessionfixation.desc = Session Fixation kan mogelijk zijn. Als dit probleem optreedt bij een login URL (waar de gebruiker zichzelf verifieert bij de applicatie), dan kan de URL, samen met een vaste sessie id, gegeven worden door een aanvaller aan het slachtoffer om later de identiteit van het slachtoffer over te nemen d.m.v. het gegeven sessie id. Als dit probleem optreedt bij een niet-login pagina, dan kan de URL en vaste sessie id alleen worden gebruikt door de aanvaller om de acties van de niet-geverifieerde gebruiker bij te houden. Als de kwetsbaarheid optreedt bij een cookie veld of een formulier veld (POST parameter) i.p.v. bij een URL (GET) parameter, dan kunnen enkele andere kwetsbaarheden nodig zijn om het cookie veld in te stellen in de browser van het slachtoffer en om de kwetsbaarheid te misbruiken. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a 
URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} veld\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = sessie id {0} veld [{1}], waarde [{2}] kan toegankelijk zijn voor JavaScript in de web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = De url waarop het probleem werd ontdekt is gemarkeerd als een login pagina. -ascanbeta.sessionidaccessiblebyjavascript.desc = Een sessie id cookie die is verstuurd door de server (wanneer de URL is gewijzigd door de genoemde parameter veld in te stellen op NULL) is toegankelijk voor JavaScript bij de client. In combinatie met een andere kwetsbaarheid kan het mogelijk zijn om de sessie te kapen. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. 
+ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Sessie ID Cookie toegankelijk voor JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Gebruik de 'httponly' vlag bij het instellen van een cookie die een sessie id bevat. Dit voorkomt dat de cookie toegankelijk is voor JavaScript in de web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} veld\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = sessie id {0} veld [{1}], waarde [{2}] kan toegankelijk zijn tot [{3}] (aangezien cookie is ontvangen op {4}), tenzij de sessie is vernietigd. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = De url waarop het probleem werd ontdekt is gemarkeerd als een login pagina. ascanbeta.sessionidexpiry.browserclose = browser sluiten -ascanbeta.sessionidexpiry.desc = Een Sessie Id cookie die is verstuurd door de server (wanneer de URL is gewijzigd door de benoemde parameter veld in te stellen op NULL) is ingesteld om geldig te blijven voor een overdreven lange periode. Dit kan worden misbruikt door een aanvaller als de gebruiker vergeet uit te loggen, als de uitlog functionaliteit de sessie onjuist vernietigd, of als de sessie id is aangetast op een andere manier. 
+ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Sessie ID verstrijkingstijd/Max-Age is overmatig #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Gebruik de 'Expire' of 'Max-Age' cookie richtlijnen wanneer een cookie dat een sessie id bevat wordt ingesteld. Zo wordt voorkomen dat de cookie voor een te lange tijd beschikbaar blijft.\n2) Zorg ervoor dat een uitlog functionaliteit bestaat en dat deze de sessie op een juiste manier vernietigd.\n3) Gebruik andere preventieve manieren om er zeker van te zijn dat als een sessie id is aangetast, deze niet kan worden misbruikt. ascanbeta.sessionidexpiry.timeexpired = Verlopen ascanbeta.sessionidexpiry.timelessthanonehour = Minder dan een uur 
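Review bot: `ascanbeta.sessionfixation.soln` is rewritten but item 7 still reads `7)Switch` without the space the other six items have; make it `7) Switch` while editing. Removing the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` above each; with the key gone the comment refers to nothing and should go with it (or the keys should stay). Also, `sessionidaccessiblebyjavascript.desc` and `.soln` are now English while `.name` remains `Sessie ID Cookie toegankelijk voor JavaScript`, the same mixed-language alert noted in earlier hunks.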
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = Meer dan een week ascanbeta.sessionidexposedinurl.alert.attack = {0} veld\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} veld [{1}] bevat een blootgestelde sessie identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = De url waarop het probleem werd ontdekt is gemarkeerd als een login pagina. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Blootgestelde Sessie ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
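Review bot: `ascanbeta.sessionidexposedinurl.desc` is identical before and after in this view (whitespace-only change). The context comment that follows, `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..`, sits directly above `ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/...`, which is a populated refs key, so that comment is stale here and could be dropped in the same cleanup.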
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Gebruik een veiligere sessie management implementatie, zoals een die gebruikt maakt van sessie cookies. Deze zijn niet gemakkelijk per ongeluk te delen en worden niet weergegeven in server logbestanden of browser bladwijzers. ascanbeta.sessionidsentinsecurely.alert.attack = {0} veld\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = sessie id {0} veld [{1}], waarde [{2}] kan worden verstuurd via een onveilig mechanisme. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = De url waarop het probleem werd ontdekt is gemarkeerd als een login pagina. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = De 'secure' vlag was niet ingesteld voor de sessie cookie die werd geleverd door de server. -ascanbeta.sessionidsentinsecurely.desc = Een sessie id kan worden verstuurd via een onveilig mechanisme. In het geval van een cookie dat wordt verzonden in de request, gebeurt dit wanneer HTTP wordt gebruikt i.p.v. HTTPS. In het geval van een cookie dat wordt verzonden door de server in een response (wanneer de URL is aangepast door de benoemde parameter veld in te stellen op NULL), dan is de 'secure' vlag niet ingesteld. Hierdoor kan de cookie later worden verstuurd via HTTP i.p.v. HTTPS. Hierdoor kan een passieve luistervink op het netwerkpad toegang krijgen tot de sessie van het slachtoffer. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. 
In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Sessie ID Onveilig Verstuurd #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Gebruik de nieuwst beschikbare versie van SSL/TLS (voor HTTPS) voor alle pagina's waarbij een sessie id wordt uitgewisseld tussen de browser en de web server.\n2) Sta niet toe dat de communicate naar het niet-beveiligde HTTP protocol wordt geforceerd.\n3) Gebruik de 'secure' vlag wanneer een cookie met een sessie id wordt ingesteld. Dit voorkomt een latere overdracht met een onveilig mechanisme.\n4) Stuur niet-beveiligde HTTP pagina requests door naar de veilige HTTPS pagina. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = De server draait een versie van de Bash shell waarmee externe aanvallers willekeurige code kunnen uitvoeren +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = Van CVE-2014-6271\: GNU Bash tot versie 4.3 de laatste reeksen in de processen na de functiedefinities in de waarden van de omgevingsvariabelen, stelt aanvallers op afstand in staat om willekeurige code uit te voeren via een speciaal ontworpen omgeving, zoals aangetoond door de dragers betrekken van de ForceCommand-functionaliteit in OpenSSH sshd-, mod_cgi- en mod_cgid-modules in Apache HTTP Server, scripts uitgevoerd door niet-gespecificeerde DHCP-clients en andere situaties waarin de omgeving wordt bepaald door een privilege-limiet door Bash uit te voeren, beter bekend zoals 'ShellShock'. Opmerking\: de oorspronkelijke oplossing voor dit probleem was onjuist; CVE-2014-7169 is toegewezen om het beveiligingslek te dekken dat na de onjuiste oplossing nog steeds aanwezig is. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash op de server naar de nieuwste versie +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = M.b.v. de aanval is een vertraging van [{0}] milliseconden ge\u00efnduceerd en gedetecteerd ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = De bron code voor [{0}] werd gevonden bij [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Zichtbare Bron Code - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Maak zeker dat de SVN metadata bestanden niet werden gepubliceerd op de web server of applicatie server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Sommige PHP versies, wanneer geconfigureerd om CGI uit te voeren, handelen de query strings niet correct af waneer deze een unescaped "\=" karakter missen, dit maakt bron code zichtbaar, en faciliteert willekeurige code execution. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
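Review bot: `ascanbeta.sessionidsentinsecurely.soln` item 1 still recommends `the latest available version of SSL/TLS`; since the string is being re-sourced, prefer `TLS 1.2 or later` so the advice does not read as endorsing SSL or TLS 1.0/1.1, all of which are deprecated. `ascanbeta.shellshock.desc` and `.soln` switch to English, but `shellshock.extrainfo` stays as a machine-sounding Dutch rendering of the CVE-2014-6271 text (`de laatste reeksen in de processen na de functiedefinities`), which is the line most in need of re-sourcing in this group; and `sourcecodedisclosure.gitbased.name` is a whitespace-only change like the earlier ones.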
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipuleer [{0}] field\: [{1}] en monitor de uitvoer -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] lekt informatie over het bestaan van een gebruiker. De [{5}] verschillen in uitvoer, voor de geldige gebruikersnaam waarde [{2}], en ongeldige gebruikersnaam waarde [{3}] zijn\: [{4}] -ascanbeta.usernameenumeration.desc = Het kan mogelijk zijn om gebruikersnamen te gissen, gebaseerd op de verschillende HTTP reponse wanneer een geldige of ongeldige gebruikersnaam werd ingevoerd. Dit kan het success van password brute-force aanvallen tegen een systeem gevoelig verhogen. Neem nota dat de 'false positives' soms kunnen teruggedrongen worden door de 'Aanvals Sterkte' Optie in ZAP te verhogen. Gelieve manueel het 'Ander Info' veld te valideren opdat dit een issue is of niet. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pcm_NG.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pcm_NG.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pcm_NG.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pcm_NG.properties 
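Review bot: The new `ascanbeta.usernameenumeration.alert.extrainfo` value changes the message layout, not just the language: the removed line ended `zijn\: [{4}]`, while the added one ends `are\:\n[{4}].`, inserting a line break before the placeholder and a trailing period after it. Please confirm this mirrors the default bundle's string so the rendered alert is laid out identically across locales, and that the placeholder numbering `{0}`..`{5}` still matches the argument order the rule supplies. As in the hunk above, `.alert.attack`, `.alert.extrainfo` and `.desc` go from translated to English here while `.name`, `.refs` and `.soln` were already English in the context, so the same question applies: either keep a translation or drop the keys so the default bundle is used.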
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
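Review bot: `ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}]` is left without a terminal period while the sibling values in this hunk (`ascanbeta.HTTPParamPoll.sol`, `ascanbeta.backupfiledisclosure.desc`) are changed precisely to add one; if consistent punctuation is the goal, include that line too. The four `cookieslack` pairs differ only in whitespace: `affect.response.no` and `affect.response.yes` are textually identical on both sides, and `session.destroyed` and `session.warning` only drop the space before `\n`. That is fine, but stating it in the commit message saves reviewers from hunting for a content change.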
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
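Review bot: The `-`/`+` pairs for `ascanbeta.crossdomain.adobe.desc` and `ascanbeta.crossdomain.adobe.read.extrainfo` read identically on both sides, so this hunk appears to be whitespace-only; please confirm that is intended. While this block is being touched, the context line `ascanbeta.crossdomain.adobe.read.soln` ends a clause with "using ." as rendered here, i.e. the name that should follow "using" is not visible. If the source file really reads that way, rather than this being an artifact of how the diff is displayed, the missing word should be restored so the remediation advice is complete.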
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
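Review bot: `ascanbeta.httpoxy.desc` still reads "of the request.Httpoxy typically affects" with no space after the period, on both the `-` and `+` sides; since the line is being edited anyway to add the closing period after "malicious proxy", fix the missing space in the same change. The `+` lines for `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` look identical to their `-` lines, so those two are whitespace-only and should be described as such in the commit message.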
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
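Review bot: The `+` line for `ascanbeta.insecurehttpmethod.put.exploitable.desc` removes the doubled period at the end but keeps the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities" (the `patch.exploitable.desc` context line has the same construction); a period or semicolon before "PUT" would read cleanly, and "PUT-ing" could become "sending a PUT". The context value `ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD` starts lowercase and has no closing period, unlike the strings this change is normalizing.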
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
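Review bot: All four `ascanbeta.integeroverflow.error1` to `error4` pairs are textually identical on the `-` and `+` sides, so this hunk is whitespace-only (presumably trailing whitespace). Fine to merge, but say so in the commit message; a reviewer reading the eight lines otherwise looks for a wording change that is not there.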
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
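Review bot: The new `ascanbeta.proxydisclosure.desc` value has inconsistent list indentation: the first bullet becomes `determine\n- A list of targets for an attack against the application.` (space before `\n` removed, none after it), while the second and third keep `\n - Potential vulnerabilities ...` and `\n - The presence or absence ...` with a leading space, so the rendered list will show the first item flush left and the others indented. Either drop the leading space on all three or keep it on all three. The remaining pairs in this hunk (`proxyserver.header`, `traceenabled`, `webserver.header`, `contenttypeenabled`, `nocontenttype`) look identical on both sides, i.e. whitespace-only. Also, as rendered here, `ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag`, `nobasetag` and the `"" HTML tag` phrase in `relativepathconfusion.soln` are missing the element names they refer to; if that is how the file reads and not a display artifact, those names need restoring.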
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
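Review bot: dropping the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` comment above each of them pointing at nothing; either remove the comment together with the key or keep the key. Also, `ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed from "The url on which" to "The URL on which" while the identical `ascanbeta.sessionidexpiry.alert.extrainfo.loginpage` line in the same hunk still reads "The url on which"; apply the same capitalisation to both. The `sessionidaccessiblebyjavascript.desc` and `sessionidexpiry.desc` pairs show no visible textual difference, so those changes should be whitespace or line-ending only; confirm that is all they are.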
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
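Review bot: the `-`/`+` pair for `ascanbeta.sessionidexposedinurl.desc` is textually identical, so this hunk is a trailing-whitespace or line-ending fix and the commit message should say so. The neighbouring context line `ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page.` keeps lowercase "url" while another hunk in this change capitalises it to "URL"; include it here for consistency.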
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
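Review bot: the trailing-period rule is applied unevenly in this hunk: `ascanbeta.shellshock.desc`, `ascanbeta.shellshock.soln`, `ascanbeta.sourcecodedisclosure.gitbased.soln` and `...svnbased.soln` gain a full stop, but `ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected`, `...gitbased.evidence = The source code for [{0}] was extracted using [{1}]` and `...svnbased.extrainfo = The source code for [{0}] was found at [{1}]` do not; decide whether evidence/extrainfo strings are in scope and apply the rule to all of them or none. The `sessionidsentinsecurely.alert.extrainfo`, `.desc`, `.soln` and `sourcecodedisclosure.gitbased.name` pairs show no visible change (whitespace only), and `ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage` still has lowercase "url" where the sessionidaccessiblebyjavascript counterpart was capitalised.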
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pl_PL.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pl_PL.properties index d5a0d584b29..4b82a069bcb 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pl_PL.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pl_PL.properties 
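Review bot: the full stop appended to `ascanbeta.usernameenumeration.alert.extrainfo` lands directly after `[{4}]`, and `{4}` is the multi-line differences block introduced by `are\:\n`, so the rendered alert will end with a stray "." on the last line of that diff output; drop the period there (the `.alert.attack` line, unchanged apart from whitespace, is the right pattern for strings that end in a placeholder). The `.desc` pair is identical in content, so that part is whitespace only.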
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
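Review bot: `Messages_pl_PL.properties` is a locale file whose strings in this hunk are still English (only `ascanbeta.proxydisclosure.extrainfo.unknown = Nieznany` further down is translated); if these locale files are regenerated from the source `Messages.properties` by a translation sync, the same edits must also be made in the source file or they will be overwritten on the next sync. Within the hunk, the whitespace fix to `ascanbeta.cookieslack.session.destroyed` is the place to also separate `[{0}] A follow-on request` with a full stop, since the placeholder is a cookie name immediately followed by a new sentence. `ascanbeta.backupfiledisclosure.desc` gains a period but the context line `ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}]` does not, and the two `cookieslack.affect.response.*` pairs show no visible difference (whitespace only).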
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
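Review bot: both `-`/`+` pairs in this hunk (`ascanbeta.crossdomain.adobe.desc`, `ascanbeta.crossdomain.adobe.read.extrainfo`) are identical in content, so the hunk is whitespace only; the context line `ascanbeta.cors.vuln.desc` has "e.g intranet websites" and "e.g XSS" with no period after "e.g", which a punctuation pass should pick up, and `ascanbeta.crossdomain.adobe.read.soln` reads "...cross-domain read requests to this web server, using ." as rendered here, so check that the element or attribute name it refers to is actually present and correctly escaped in the file.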
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
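Review bot: `ascanbeta.httpoxy.desc` gains a trailing period but the missing space in "...HTTP Proxy header of the request.Httpoxy typically affects..." in the same string is left untouched; fix it in the same line. The `httpsashttp.desc` and `insecurehttpmethod.connect.exploitable.desc` pairs are identical in content (whitespace only). The context line `ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource.` is a comma splice with a capitalised "It" and belongs in this punctuation pass.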
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
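Review bot: removing the doubled period at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is right, but the sentence still runs "...most commonly used in REST services, PUT is most-often utilized..." (comma splice; the `patch.exploitable.desc` context line has the same "...REST services, PATCH is used..."); replace the comma with a full stop or semicolon in both while the line is being edited.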
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
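Review bot: the four `ascanbeta.integeroverflow.error1` to `error4` pairs show no visible difference, so this hunk should be whitespace or line-ending only; confirm that nothing else (for example a non-breaking space) changed, since the strings are otherwise byte-identical as shown.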
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Nieznany ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
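Review bot: the rewritten `ascanbeta.proxydisclosure.desc` leaves its bullet list inconsistently indented: the first item is now `determine\n- A list of targets` with no space before the dash, while the next two items keep `\n - Potential vulnerabilities` and `\n - The presence or absence`. Use one form for all three (e.g. `\n- ` throughout), otherwise the rendered alert text shows the first bullet flush left and the others indented. The remaining changes in this hunk (`proxyserver.header`, `webserver.header`, `traceenabled`, `contenttypeenabled`, `nocontenttype`, `relativepathconfusion.soln`) only trim trailing whitespace or rejoin a wrapped line and look fine.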
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Fiksacja Sesji ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Mniej ni\u017c godzin\u0119 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = Wi\u0119cej ni\u017c jeden tydzi ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
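Review bot: `ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage`, the context line just above the whitespace-only change to `ascanbeta.sessionidexposedinurl.desc`, keeps `The url on which the issue was discovered was flagged as a logon page.`; since the same sentence is changed to `The URL on which...` for the JavaScript-accessible-cookie rule elsewhere in this PR, this line should get the same treatment so the four session-id rules render the same message.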
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
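Review bot: `ascanbeta.sessionidsentinsecurely.soln` is touched here (whitespace only) but item 1 still advises `Use the latest available version of SSL/TLS (for HTTPS)`; every SSL version and TLS 1.0/1.1 are deprecated, so `Use TLS 1.2 or later for all pages where a session id is communicated...` is the accurate recommendation. This file is a localized one (`Nieznany`, `Fiksacja Sesji` appear above), so the wording fix belongs in the English source properties file from which these untranslated strings are copied, otherwise it would be overwritten on the next sync. The added full stops on `shellshock.desc`, `shellshock.soln`, `gitbased.soln` and `svnbased.soln` are fine; while here, note that `ascanbeta.shellshock.ref` is the only rule in this region whose reference key is singular rather than `.refs`.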
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pt_BR.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pt_BR.properties index 52b65762110..2a9ad7f27fe 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pt_BR.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pt_BR.properties 
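Review bot: the full stop appended to `ascanbeta.usernameenumeration.alert.extrainfo` lands after `\:\n[{4}]`, i.e. after the injected block of response differences, so the rendered alert will end with a lone `.` following the diff output rather than closing a sentence. Drop it, or end the sentence before the colon (`...and invalid username value [{3}] are listed below.\n[{4}]`). In the same hunk, `ascanbeta.usernameenumeration.alert.attack` receives a whitespace-only edit but keeps `and monitor the output` with no full stop, unlike the other messages this PR terminates. The neighbouring context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` is self-contradictory (`prior to ... or newer`) and should read `Upgrade Apache Commons Text to version 1.10.0 or newer.`; worth fixing in the English source alongside this clean-up.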
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = Ataques HTTP Parameter Pollution (HPP) consistem em injetar delimitadores de string de consulta codificados em outros par\u00e2metros existentes. Se um aplica\u00e7\u00e3o web n\u00e3o limpar adequadamente a entrada do usu\u00e1rio, um usu\u00e1rio mal-intencionado pode comprometer a l\u00f3gica do aplicativo para executar ataques do lado do cliente ou do lado do servidor. Uma consequ\u00eancia dos ataques HPP \u00e9 que o invasor pode substituir os par\u00e2metros HTTP embutidos em c\u00f3digo existentes para modificar o comportamento de um aplicativo, ignorar os pontos de verifica\u00e7\u00e3o de valida\u00e7\u00e3o de entrada e acessar e possivelmente explorar vari\u00e1veis \u200b\u200bque podem estar fora de alcance direto. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = Polui\u00e7\u00e3o de Par\u00e2metro HTTP -ascanbeta.HTTPParamPoll.sol = Limpe adequadamente a entrada de dados do usu\u00e1rio para delimitadores de par\u00e2metro +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Um arquivo de backup foi divulgado pelo servidor web +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = Divulga\u00e7\u00e3o de Arquivo de Backup ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = N\u00e3o edite arquivos localmente no servidor web e certifique-se de que os arquivos desnecess\u00e1rios (incluindo arquivos ocultos) sejam removidos do servidor. -ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Solicita\u00e7\u00f5es GET repetidas\: elimine um cookie diferente a cada vez, seguido pela solicita\u00e7\u00e3o normal com todos os cookies para estabilizar a sess\u00e3o, compare as respostas com a linha de base GET original. Isso pode revelar \u00e1reas onde a autentica\u00e7\u00e3o / atributos baseados em cookies n\u00e3o s\u00e3o realmente aplicados. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Detector de Cookie Slack ascanbeta.cookieslack.otherinfo.intro = Cookies que n\u00e3o tem efeitos esperados podem revelar falhas na aplica\u00e7\u00e3o l\u00f3gica. 
No pior caso, isso pode revelar aonde a autentica\u00e7\u00e3o atrav\u00e9s de token(s) cookie n\u00e3o \u00e9 realmente aplicada.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
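Review bot: two Portuguese translations are replaced by English in this hunk. `ascanbeta.HTTPParamPoll.sol` loses its pt_BR text for `Properly sanitize the user input for parameter delimiters.`, and `ascanbeta.backupfiledisclosure.desc` loses `Um arquivo de backup foi divulgado pelo servidor web` ("A backup file was disclosed by the web server") for `A backup of the file was disclosed by the web server.`. In `Messages_pt_BR.properties` this is a regression for Portuguese users, since the surrounding `HTTPParamPoll.name`, `backupfiledisclosure.name` and `backupfiledisclosure.soln` keys remain in Portuguese and the alert will now render in two languages; the likely cause is the English source string changing (added full stop, and `A backup of the file` vs `A backup file`) and the translation being invalidated. Restore the Portuguese and adjust it for the new wording rather than shipping the English fallback. The `cookieslack.*` changes are whitespace only.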
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = A falsifica\u00e7\u00e3o de solicita\u00e7\u00e3o entre sites baseada em Flash/Silverlight pode ser poss\u00edvel, devido a uma configura\u00e7\u00e3o incorreta no servidor web. -ascanbeta.crossdomain.adobe.read.extrainfo = O servidor web permite solicita\u00e7\u00f5es maliciosas de leitura de dados entre dom\u00ednios originadas de componentes Flash/Silverlight servidos de qualquer dom\u00ednio de terceiros para este dom\u00ednio. Se o usu\u00e1rio v\u00edtima estiver conectado a este servi\u00e7o, as solicita\u00e7\u00f5es de leitura maliciosas s\u00e3o processadas usando os privil\u00e9gios da v\u00edtima e podem resultar no comprometimento dos dados deste servi\u00e7o por um site de terceiros n\u00e3o autorizado, atrav\u00e9s do navegador da v\u00edtima. Isso provavelmente ser\u00e1 um problema se uma implementa\u00e7\u00e3o de sess\u00e3o baseada em Cookie estiver em uso. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. 
+ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Configura\u00e7\u00e3o Incorreta Entre Dom\u00ednios - Adobe - Leitura ascanbeta.crossdomain.adobe.read.soln = Configure o arquivo crossdomain.xml para restringir a lista de dom\u00ednios que t\u00eam permiss\u00e3o para fazer solicita\u00e7\u00f5es de leitura entre dom\u00ednios para este servidor web, usando . Voc\u00ea s\u00f3 deve conceder acesso a "*" (todos os dom\u00ednios) se tiver certeza de que este servi\u00e7o n\u00e3o hospeda nenhum dado de acesso controlado, personalizado ou privado. ascanbeta.crossdomain.adobe.send.extrainfo = O servidor web permite o envio de dados maliciosos entre dom\u00ednios (mas n\u00e3o necessariamente leitura) originados de componentes Flash/Silverlight servidos a partir de qualquer dom\u00ednio de terceiros para este dom\u00ednio. Se o usu\u00e1rio v\u00edtima estiver conectado a este servi\u00e7o, as solicita\u00e7\u00f5es de envio mal-intencionadas s\u00e3o processadas usando os privil\u00e9gios da v\u00edtima e podem resultar em ataques do tipo Cross Site Request Forgery (CSRF), por meio do navegador da v\u00edtima. Isso provavelmente ser\u00e1 um problema se uma implementa\u00e7\u00e3o de sess\u00e3o baseada em Cookie estiver em uso. 
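Review bot: `ascanbeta.crossdomain.adobe.desc` and `ascanbeta.crossdomain.adobe.read.extrainfo` are switched from Portuguese to the English source text, while `ascanbeta.crossdomain.adobe.read.name`, `ascanbeta.crossdomain.adobe.read.soln` and `ascanbeta.crossdomain.adobe.send.extrainfo` directly below stay in Portuguese, so the Adobe cross-domain alert will show its description and detail in English and its title and solution in Portuguese. The existing Portuguese strings already carry the same meaning as the new English (the English differs from the previous source only in punctuation and the added `particularly`), so keep them and fold in the small wording change instead of dropping the translation.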
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = O m\u00e9todo HTTP inseguro [{0}] est\u00e1 habilitado para este recurso e pode ser explorado. Foi poss\u00edvel estabelecer uma conex\u00e3o de socket em t\u00fanel para um servi\u00e7o de terceiros, usando este m\u00e9todo HTTP. Isso permitiria que o servi\u00e7o fosse usado como uma retransmiss\u00e3o an\u00f4nima de spam ou como um proxy da web, ignorando as restri\u00e7\u00f5es de rede. Ele tamb\u00e9m permite que seja usado para estabelecer uma VPN em t\u00fanel, estendendo efetivamente o per\u00edmetro da rede para incluir componentes n\u00e3o confi\u00e1veis. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = O m\u00e9todo CONNECT foi usado para estabelecer uma conex\u00e3o de socket com [{0}], atrav\u00e9s do servidor web. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Desative os m\u00e9todos n\u00e3o seguros, como TRACK, TRACE e CONNECT no servidor web, e certifique-se de que a implementa\u00e7\u00e3o do servi\u00e7o subjacente n\u00e3o oferece suporte a m\u00e9todos n\u00e3o seguros. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = O m\u00e9todo HTTP inseguro [{0}] est\u00e1 habilitado para este recurso e pode ser explorado. Os m\u00e9todos TRACK e TRACE podem ser usados \u200b\u200bpor um invasor, para obter acesso ao token de autoriza\u00e7\u00e3o/cookie de sess\u00e3o de um usu\u00e1rio do aplicativo, mesmo se o cookie de sess\u00e3o estiver protegido com o sinalizador ''HttpOnly''. Para que o ataque seja bem-sucedido, o usu\u00e1rio do aplicativo geralmente deve estar usando um navegador da Web mais antigo ou um navegador que tenha uma vulnerabilidade de desvio da Same Origin Policy (SOP). 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potencial Estouro de N\u00famero Inteiro. C\u00f3digo de status alterado na entrada de uma longa sequ\u00eancia de inteiros aleat\u00f3rios. -ascanbeta.integeroverflow.error2 = Potencial Estouro de N\u00famero Inteiro. C\u00f3digo de status alterado com a entrada de uma longa sequ\u00eancia de zeros. -ascanbeta.integeroverflow.error3 = Potencial Estouro de N\u00famero Inteiro. C\u00f3digo de status alterado com a entrada de uma longa sequ\u00eancia de numerais um. -ascanbeta.integeroverflow.error4 = Potencial Estouro de N\u00famero Inteiro. C\u00f3digo de status alterado na entrada de uma longa sequ\u00eancia de numerais nove. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. 
ascanbeta.integeroverflow.name = Erro de Estouro de N\u00famero Inteiro ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Desconhecido ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} campo\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie definido em resposta quando o campo do cookie [{0}] \u00e9 definido como NULL\: [{1}]\nCookie definido em resposta com valor de cookie emprestado (v\u00e1lido) na solicita\u00e7\u00e3o [{1}]\: [{2}] 
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = A url no qual o proble ascanbeta.sessionfixation.desc = Fixa\u00e7\u00e3o da Sess\u00e3o pode ser poss\u00edvel. Se esse problema ocorrer com uma URL de login (onde o usu\u00e1rio se autentica no aplicativo), ent\u00e3o a URL pode ser fornecida por um invasor, junto com um id de sess\u00e3o fixo, para uma v\u00edtima, a fim de posteriormente assumir a identidade da v\u00edtima usando o id de sess\u00e3o fornecido. Se o problema ocorrer com uma p\u00e1gina sem login, o URL e o ID de sess\u00e3o fixo s\u00f3 podem ser usados \u200b\u200bpor um invasor para rastrear as a\u00e7\u00f5es de um usu\u00e1rio n\u00e3o autenticado. Se a vulnerabilidade ocorre em um campo de cookie ou um campo de formul\u00e1rio (par\u00e2metro POST) em vez de em um par\u00e2metro de URL (GET), ent\u00e3o alguma outra vulnerabilidade tamb\u00e9m pode ser necess\u00e1ria para definir o campo de cookie no navegador da v\u00edtima, para permitir a vulnerabilidade a ser explorada. 
ascanbeta.sessionfixation.name = Fixa\u00e7\u00e3o de Se\u00e7\u00e3o ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, 
as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} campo\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = identificador de sess\u00e3o {0} campo [{1}], valor [{2}] pode ser acessado usando JavaScript no navegador da web -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = A url no qual o problema foi descoberto foi sinalizada como uma p\u00e1gina de logon. -ascanbeta.sessionidaccessiblebyjavascript.desc = Um cookie de Id de sess\u00e3o enviado pelo servidor (quando a URL \u00e9 modificada pela configura\u00e7\u00e3o do campo de par\u00e2metro nomeado como NULL) pode ser acessado por JavaScript no cliente. Em conjunto com outra vulnerabilidade, isso pode permitir que a sess\u00e3o seja sequestrada. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Cookie de ID de Sess\u00e3o acess\u00edvel a JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use a flag 'httponly' ao definir um cookie contendo um id de sess\u00e3o, para evitar que seja acessado por JavaScript no navegador da web. 
+ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} campo\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = identificador de sess\u00e3o {0} campo [{1}], valor [{2}] pode ser acessado at\u00e9 [{3}] (desde que o cookie foi recebido em {4}), a menos que a sess\u00e3o seja destru\u00edda. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = A url no qual o problema foi descoberto foi sinalizada como uma p\u00e1gina de logon. ascanbeta.sessionidexpiry.browserclose = fechar navegador -ascanbeta.sessionidexpiry.desc = Um cookie de Id de sess\u00e3o enviado pelo servidor (quando a URL \u00e9 modificada definindo o campo do par\u00e2metro nomeado como NULL) \u00e9 definido para ser v\u00e1lido por um per\u00edodo de tempo excessivo. Isso pode ser explorado por um invasor se o usu\u00e1rio esquecer de fazer o logout, se a funcionalidade de logout n\u00e3o destruir corretamente a sess\u00e3o ou se a id da sess\u00e3o for comprometida por algum outro meio. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Tempo de Expira\u00e7\u00e3o do ID da Sess\u00e3o/Idade M\u00e1xima Excessiva #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
-ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use as diretivas de cookie 'Expire' ou 'Max-Age' ao definir um cookie que cont\u00e9m um id de sess\u00e3o, para evitar que fique dispon\u00edvel por longos per\u00edodos de tempo.\n2) Certifique-se de que a funcionalidade de logout exista e que destrua a sess\u00e3o corretamente.\n3) Use outras medidas preventivas para garantir que, se uma id de sess\u00e3o for comprometida, ela n\u00e3o seja explorada. ascanbeta.sessionidexpiry.timeexpired = Expirado ascanbeta.sessionidexpiry.timelessthanonehour = Menos de uma hora @@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = Mais de uma semana ascanbeta.sessionidexposedinurl.alert.attack = {0} campo\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} campo [{1}] cont\u00e9m um identificador de sess\u00e3o exposto [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = A url no qual o problema foi descoberto foi sinalizada como uma p\u00e1gina de logon. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = ID de Sess\u00e3o Exposto #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use uma implementa\u00e7\u00e3o de gerenciamento de sess\u00e3o mais segura, como aquelas que usam cookies de sess\u00e3o, que n\u00e3o s\u00e3o t\u00e3o facilmente compartilhados inadvertidamente e que normalmente n\u00e3o aparecem em arquivos de log do servidor ou marcadores de navegador da web. ascanbeta.sessionidsentinsecurely.alert.attack = {0} campo\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = identificador de sess\u00e3o {0} campo [{1}], valor [{2}] pode ser enviado por meio de um mecanismo n\u00e3o seguro. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = A url no qual o problema foi descoberto foi sinalizada como uma p\u00e1gina de logon. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = A flag 'secure' n\u00e3o foi definida no cookie de sess\u00e3o fornecido pelo servidor. -ascanbeta.sessionidsentinsecurely.desc = Um id de sess\u00e3o pode ser enviado por meio de um mecanismo n\u00e3o seguro. No caso de um cookie enviado na solicita\u00e7\u00e3o, isso ocorre quando HTTP \u00e9 usado em vez de HTTPS. No caso de um cookie enviado pelo servidor em resposta (quando a URL \u00e9 modificada definindo o campo do par\u00e2metro nomeado como NULL), a flag 'secure' n\u00e3o \u00e9 definida, permitindo que o cookie seja enviado posteriormente via HTTP em vez de HTTPS. Isso pode permitir que um interceptador passivo no caminho da rede obtenha acesso total \u00e0 sess\u00e3o da v\u00edtima. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. 
In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = ID de Sess\u00e3o Transmitido de Maneira Insegura #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use a vers\u00e3o mais recente dispon\u00edvel do SSL/TLS (para HTTPS) para todas as p\u00e1ginas onde um ID de sess\u00e3o \u00e9 comunicado entre o navegador e o servidor web.\n2) N\u00e3o permita que a comunica\u00e7\u00e3o seja for\u00e7ada para o protocolo HTTP n\u00e3o criptografado.\n3) Use a flag 'secure' ao definir um cookie contendo um id de sess\u00e3o, para evitar sua transmiss\u00e3o subsequente por um mecanismo n\u00e3o seguro.\n4) Encaminhe solicita\u00e7\u00f5es de p\u00e1gina HTTP n\u00e3o segura para a p\u00e1gina segura equivalente a HTTPS. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. 
-ascanbeta.shellshock.desc = O servidor est\u00e1 executando uma vers\u00e3o do shell Bash que permite que invasores remotos executem c\u00f3digo arbitr\u00e1rio +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. ascanbeta.shellshock.extrainfo = Da CVE-2014-6271\: GNU Bash atrav\u00e9s do 4.3 processa strings ap\u00f3s defini\u00e7\u00f5es de fun\u00e7\u00e3o nos valores de vari\u00e1veis \u200b\u200bde ambiente, o que permite que atacantes remotos executem c\u00f3digo arbitr\u00e1rio por meio de um ambiente criado, conforme demonstrado por vetores envolvendo o recurso ForceCommand em OpenSSH sshd, os m\u00f3dulos mod_cgi e mod_cgid no Apache HTTP Server, scripts executados por clientes DHCP n\u00e3o especificados e outras situa\u00e7\u00f5es em que a configura\u00e7\u00e3o do ambiente ocorre atrav\u00e9s de um limite de privil\u00e9gio da execu\u00e7\u00e3o Bash, tamb\u00e9m conhecido como "ShellShock". NOTA\: a corre\u00e7\u00e3o original para este problema estava incorreta; A CVE-2014-7169 foi designada para cobrir a vulnerabilidade que ainda est\u00e1 presente ap\u00f3s a corre\u00e7\u00e3o err\u00f4nea. ascanbeta.shellshock.name = Execu\u00e7\u00e3o Remota de C\u00f3digo - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Atualize o Bash no servidor para a vers\u00e3o mais recente +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Usando o ataque, um atraso de [{0}] milissegundos foi induzido e detectado ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. 
ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = O c\u00f3digo-fonte de [{0}] foi encontrado em [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Divulga\u00e7\u00e3o de C\u00f3digo-Fonte - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Certifique-se de que os arquivos de metadados SVN n\u00e3o sejam implantados no servidor web ou servidor de aplicativos +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Algumas vers\u00f5es do PHP, quando configuradas para serem executadas usando CGI, n\u00e3o manipulam corretamente as strings de consulta que n\u00e3o possuem um caractere "\=" sem escape, permitindo a divulga\u00e7\u00e3o do c\u00f3digo-fonte PHP e a execu\u00e7\u00e3o arbitr\u00e1ria do c\u00f3digo. Neste caso, o conte\u00fado do arquivo PHP foi servido diretamente para o navegador da web. Essa sa\u00edda normalmente conter\u00e1 PHP, embora tamb\u00e9m possa conter HTML direto. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Divulga\u00e7\u00e3o de C\u00f3digo-Fonte - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipule o campo [{0}]\: [{1}] e monitore a sa\u00edda -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] par\u00e2metro [{1}] vaza informa\u00e7\u00f5es sobre a exist\u00eancia de um usu\u00e1rio. As diferen\u00e7as de [{5}] na sa\u00edda, para o valor de nome de usu\u00e1rio original v\u00e1lido [{2}] e valor de nome de usu\u00e1rio inv\u00e1lido [{3}] s\u00e3o\:\n[{4}] -ascanbeta.usernameenumeration.desc = Pode ser poss\u00edvel enumerar nomes de usu\u00e1rios, com base em respostas HTTP diferentes, quando nomes de usu\u00e1rios v\u00e1lidos e inv\u00e1lidos s\u00e3o fornecidos. Isso aumentaria muito a probabilidade de sucesso de ataques de for\u00e7a bruta de senha contra o sistema. Observe que os falsos positivos \u00e0s vezes podem ser minimizados aumentando a op\u00e7\u00e3o 'For\u00e7a de Ataque' no ZAP. Verifique manualmente o campo 'Outras informa\u00e7\u00f5es' para confirmar se isso \u00e9 realmente um problema. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. 
Please manually check the 'Other Info' field to confirm if this is actually an issue. ascanbeta.usernameenumeration.name = Enumera\u00e7\u00e3o de Nome de Usu\u00e1rio Poss\u00edvel ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = N\u00e3o divulgue detalhes sobre se um nome de usu\u00e1rio \u00e9 v\u00e1lido ou inv\u00e1lido. Em particular, para tentativas de login malsucedidas, n\u00e3o diferencie entre um usu\u00e1rio inv\u00e1lido e uma senha inv\u00e1lida na mensagem de erro, t\u00edtulo da p\u00e1gina, conte\u00fado da p\u00e1gina, cabe\u00e7alhos HTTP ou l\u00f3gica de redirecionamento. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pt_PT.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pt_PT.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pt_PT.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_pt_PT.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
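Review bot: `ascanbeta.cookieslack.affect.response.no` and `.yes` are visibly identical before and after, so the change is invisible whitespace, and both strings end in "\:" right where the cookie names get appended; if the removed character was a deliberate trailing space serving as the separator, the alert will now read "response:NAME" with nothing between them. Check that the rule inserts its own separator (`ascanbeta.cookieslack.separator` and `.endline` suggest it does) before accepting the trim. The remaining edits only add terminal periods to `HTTPParamPoll.sol` and `backupfiledisclosure.desc` and drop the space before "\n" in the two `cookieslack.session.*` strings; all of these are untranslated English fallbacks inside `Messages_pt_PT.properties`, so no translated text is affected.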
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
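Review bot: `crossdomain.adobe.desc` and `crossdomain.adobe.read.extrainfo` show no textual difference, so this is whitespace only (or a joined continuation line) in an untranslated string; the neighbouring unchanged `crossdomain.adobe.read.soln` is the line that actually needs attention, since it reads "...allowed to make cross-domain read requests to this web server, using . You should only grant..." with the element name missing after "using" (presumably the crossdomain.xml `allow-access-from` element, lost to unescaped angle brackets). That sentence is the remediation the user sees, so restoring the element name is worth more than the spacing fix.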
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
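Review bot: `ascanbeta.httpoxy.desc` gains a trailing period but keeps "...Proxy header of the request.Httpoxy typically affects..." with no space after the first sentence; fix both in the same pass. `httpsashttp.desc` and `insecurehttpmethod.connect.exploitable.desc` are otherwise unchanged text, so if the intent is to join a wrapped continuation line, make sure the only thing removed was the trailing `\` of the old physical line and not a space inside the sentence.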
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
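Review bot: `insecurehttpmethod.put.exploitable.desc` drops the doubled period but leaves the comma splice "It is now most commonly used in REST services, PUT is most-often utilized..."; the unchanged `patch.exploitable.desc` context line has the same splice ("...REST services, PATCH is used for..."). Split each into two sentences, and consider removing the `**modify**` / `**update**` asterisks, which appear verbatim in these strings unless something renders markdown here.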
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
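Review bot: `proxydisclosure.desc` normalises only the first bullet ("determine\n- A list of targets") and leaves the next two as "\n - Potential vulnerabilities" and "\n - The presence or absence" with the leading space, so the list is now rendered with inconsistent indentation; apply the same change to all three bullets. Separately, the new `relativepathconfusion.soln` contains `the correct use of the "" HTML tag`, and the `extrainfo.nobasetag` / `extrainfo.morethanonebasetag` lines read "No tag was specified in the HTML tag": the element names (presumably `<base>` inside `<head>`) are missing, most likely because the angle brackets were stripped or never escaped. Restore them, because the remediation text is meaningless without them.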
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
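Review bot: the hunk deletes the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys but leaves the "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future.." comment above each, which now describes nothing; remove the comments too, or keep the keys if the fallback lookup depends on their presence. Also in this hunk: `sessionfixation.soln` still has "7)Switch" without the space the other six items have; `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed to "The URL on which..." while `sessionidexpiry.alert.extrainfo.loginpage` two lines later keeps "The url on which...", so the capitalisation is now inconsistent within the same file. In the unchanged `sessionidexpiry.soln` context, the cookie attribute is `Expires`, not 'Expire'.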
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
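Review bot: the only visible change is whitespace in `sessionidexposedinurl.desc`, but the comment that follows it, "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..", sits above `ascanbeta.sessionidexposedinurl.refs`, which does carry a value (the OWASP Top Ten URL shown in the next hunk header); the comment is stale here and should go in the same cleanup that removes the empty `.refs=` keys elsewhere in the file.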
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ro_RO.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ro_RO.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ro_RO.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ro_RO.properties 
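Review bot: in the Messages_ar_SA hunk @@ -243,9 the `+` line for `ascanbeta.usernameenumeration.alert.extrainfo` now ends `are\:\n[{4}].`, placing a full stop directly after a placeholder that is filled with the raw block of response differences, so the stop will render as part of that block; the sibling `alert.attack` value in the same hunk keeps no terminal stop, so drop it here as well and leave the colon-plus-list shape as it was. A drive-by while the file is open: the unchanged context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself (prior to 1.10.0, or newer); it should read `Upgrade Apache Commons Text to version 1.10.0 or newer.`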
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
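Review bot: in hunk @@ -1,23 the `+` line for `ascanbeta.cookieslack.session.destroyed` still runs two sentences together, `invalidated the session\: [{0}] A follow-on request with all original cookies ...`; since the line is being edited anyway, add the missing stop after the placeholder (`[{0}]. A follow-on request ...`). The remainder of the hunk is trailing-whitespace removal plus terminal stops on `HTTPParamPoll.sol` and `backupfiledisclosure.desc`, which is fine, but the values in this ro_RO file are the untranslated English defaults; confirm the same wording change is made in the base Messages.properties so it is not lost if the locale copies are regenerated from it.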
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
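Review bot: both changed pairs in hunk @@ -26,8 (`crossdomain.adobe.desc`, `crossdomain.adobe.read.extrainfo`) differ only in trailing whitespace, which is fine, but the unchanged context line `ascanbeta.crossdomain.adobe.read.soln` reads `... cross-domain read requests to this web server, using . You should only grant ...` with nothing after `using`; the crossdomain.xml element name appears to have been stripped as markup. Restore it, escaped so it survives inside the properties value, the same way `"<\!doctype html>"` is written in the `relativepathconfusion.soln` value later in this file.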
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
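Review bot: the `+` line for `ascanbeta.httpoxy.desc` in hunk @@ -73,20 keeps the missing space in `... HTTP Proxy header of the request.Httpoxy typically affects ...`; since the only change on this line is the terminal stop after `malicious proxy`, fix `request.Httpoxy` to `request. Httpoxy` in the same edit. The `httpsashttp.desc` pair in this hunk is whitespace-only and needs nothing further.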
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
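Review bot: the `+` line for `ascanbeta.insecurehttpmethod.put.exploitable.desc` in hunk @@ -100,7 removes the doubled stop but leaves the comma splice `It is now most commonly used in REST services, PUT is most-often utilized ...`; a stop or semicolon after `REST services` would read correctly. The unchanged `delete.exploitable.desc` context line has the same shape (`REST services, It is used to delete a resource`) with a stray capital after the comma, worth fixing while here.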
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
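Review bot: the rewritten `ascanbeta.relativepathconfusion.soln` still reads `the correct use of the "" HTML tag in the HTTP response` with nothing between the quotes; the element name (the `<base>` element, given the surrounding "base URL for all relative URLs" wording) needs to be there if this is how the committed value reads, and the same empty reference appears in the unchanged `extrainfo.morethanonebasetag` and `extrainfo.nobasetag` lines ("More than one tag was specified in the HTML tag"). The `-`/`+` pairs for `extrainfo.contenttypeenabled` and `extrainfo.nocontenttype` show no visible text change, so the diff there is presumably trailing whitespace; worth confirming that is intentional rather than an editor artefact.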
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
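Review bot: the joined `ascanbeta.sessionfixation.soln` now keeps item 7 on one physical line (the old value appears to have been split across two lines, which a properties parser would read as a separate `typically` key), but `7)Switch` still lacks the space the other items have (`1) `, `2) `), and `as the latter typically require additional vulnerabilities, in order to be exploitable` should read `requires` without the comma. Deleting the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the `#these refs cannot be referenced, but we leave it here in the hope...` comments above them pointing at nothing; either drop the comments too or keep the keys. The capitalisation pass is also half done: `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` becomes `The URL`, while the `sessionidexpiry.alert.extrainfo.loginpage` context line still says `The url`, and `session identifier {0} field [{1}] ...` still starts lowercase after gaining a full stop.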
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
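Review bot: the `-`/`+` pair for `ascanbeta.sessionidexposedinurl.desc` is textually identical here, so the change can only be whitespace; if this is a trailing-whitespace cleanup that is fine, but the `The url on which the issue was discovered` context line in this hunk keeps the lowercase `url` that the previous hunk corrected to `URL`, so the same fix should be applied to `sessionidexposedinurl.alert.extrainfo.loginpage`.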
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
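Review bot: terminal punctuation is added to `shellshock.desc`, `shellshock.soln`, `gitbased.soln` and `svnbased.soln`, but neighbouring messages in the same hunk are left without it (`shellshock.timingbased.evidence = ... was induced and detected`, `gitbased.evidence = ... was extracted using [{1}]`, `svnbased.extrainfo = ... was found at [{1}]`, `lfibased.extrainfo = ... compared to a threshold of [{3}%]`), so the style stays mixed; either finish the pass or leave the evidence/extrainfo strings alone as a group. Two `-`/`+` pairs (`sessionidsentinsecurely.alert.extrainfo`, `sourcecodedisclosure.gitbased.name`) show no visible text change, presumably whitespace. Also visible in the context: the key `ascanbeta.shellshock.ref` is singular where every other rule here uses `.refs`; worth checking it matches what the rule class actually reads.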
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ru_RU.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ru_RU.properties index 6ccff8a23c2..609f3b84695 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ru_RU.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ru_RU.properties 
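Review bot: in the `@@ -243,9 +241,9 @@` hunk above, adding a full stop after the `[{4}]` placeholder in `ascanbeta.usernameenumeration.alert.extrainfo` leaves a stray `.` after what is a multi-line block of response differences (the value already ends in `are\:\n[{4}]`), so the period should either precede the colon clause or be dropped. `usernameenumeration.alert.attack` appears as `-` and `+` with identical text, presumably whitespace. Two context lines are worth fixing while this file is open: `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself (`prior to ... or newer`) and should read `Upgrade Apache Commons Text to version 1.10.0 or newer.`, and `text4shell.skipped = no Active Scan OAST service is selected.` starts lowercase.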
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = \u0410\u0442\u0430\u043a\u0438 HTTP Parameter Pollution (HPP) \u0441\u043e\u0441\u0442\u043e\u044f\u0442 \u0438\u0437 \u0432\u0441\u0442\u0430\u0432\u043a\u0438 \u0437\u0430\u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u0440\u0430\u0437\u0434\u0435\u043b\u0438\u0442\u0435\u043b\u0435\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0432 \u0434\u0440\u0443\u0433\u0438\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b. \u0415\u0441\u043b\u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u043d\u0435 \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u0435\u0442 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0435 \u0434\u043e\u043b\u0436\u043d\u044b\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u043b\u043e\u0433\u0438\u043a\u0443 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0430\u0442\u0430\u043a \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u043a\u043b\u0438\u0435\u043d\u0442\u0430 \u0438\u043b\u0438 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. 
\u041e\u0434\u043d\u0438\u043c \u0438\u0437 \u043f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u0439 \u0430\u0442\u0430\u043a HPP \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0442\u043e, \u0447\u0442\u043e \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u043f\u0435\u0440\u0435\u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u0436\u0435\u0441\u0442\u043a\u043e \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b HTTP \u0434\u043b\u044f \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u043f\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f, \u043e\u0431\u0445\u043e\u0434\u0430 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c\u043d\u044b\u0445 \u0442\u043e\u0447\u0435\u043a \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0432\u0432\u043e\u0434\u0430 \u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u0438, \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u0432\u043d\u0435 \u043f\u0440\u044f\u043c\u043e\u0439 \u0434\u043e\u0441\u044f\u0433\u0430\u0435\u043c\u043e\u0441\u0442\u0438. 
ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = \u0417\u0430\u0433\u0440\u044f\u0437\u043d\u0435\u043d\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 HTTP -ascanbeta.HTTPParamPoll.sol = \u041f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u0434\u0435\u0437\u0438\u043d\u0444\u0438\u0446\u0438\u0440\u0443\u0439\u0442\u0435 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0435 \u0434\u043b\u044f \u0440\u0430\u0437\u0434\u0435\u043b\u0438\u0442\u0435\u043b\u0435\u0439 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = \u0424\u0430\u0439\u043b \u0440\u0435\u0437\u0435\u0440\u0432\u043d\u043e\u0439 \u043a\u043e\u043f\u0438\u0438 \u043e\u0431\u0449\u0435\u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d \u043d\u0430 \u0432\u0435\u0431 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = \u0414\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c \u0444\u0430\u0439\u043b\u0430 \u0440\u0435\u0437\u0435\u0440\u0432\u043d\u043e\u0439 \u043a\u043e\u043f\u0438\u0438 ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = \u041d\u0435 \u0438\u0437\u043c\u0435\u043d\u044f\u0439\u0442\u0435 "\u043d\u0430 \u043b\u0435\u0442\u0443" \u0444\u0430\u0439\u043b\u044b \u043d\u0430 \u0432\u0435\u0431 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0438 \u0443\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u044c\u0442\u0435\u0441\u044c \u0447\u0442\u043e \u0432\u0441\u0435 \u043d\u0435\u043d\u0443\u0436\u043d\u044b\u0435 (\u0432\u043a\u043b\u044e\u0447\u0430\u044f \u0441\u043a\u0440\u044b\u0442\u044b\u0435) \u0444\u0430\u0439\u043b\u044b \u0443\u0434\u0430\u043b\u0435\u043d\u044b \u0441 \u0432\u0435\u0431 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. 
-ascanbeta.cookieslack.affect.response.no = \u042d\u0442\u0438 \u0444\u0430\u0439\u043b\u044b cookie \u041d\u0415 \u043f\u043e\u0432\u043b\u0438\u044f\u043b\u0438 \u043d\u0430 \u043e\u0442\u0432\u0435\u0442\: -ascanbeta.cookieslack.affect.response.yes = \u042d\u0442\u0438 \u0444\u0430\u0439\u043b\u044b cookie \u043f\u043e\u0432\u043b\u0438\u044f\u043b\u0438 \u043d\u0430 \u043e\u0442\u0432\u0435\u0442\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = \u041f\u043e\u0432\u0442\u043e\u0440\u044f\u044e\u0449\u0438\u0435\u0441\u044f \u0437\u0430\u043f\u0440\u043e\u0441\u044b GET\: \u043a\u0430\u0436\u0434\u044b\u0439 \u0440\u0430\u0437 \u043e\u0442\u0431\u0440\u0430\u0441\u044b\u0432\u0430\u0439\u0442\u0435 \u0440\u0430\u0437\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b cookie, \n\u043f\u043e\u0441\u043b\u0435 \u0447\u0435\u0433\u043e \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u043e\u0431\u044b\u0447\u043d\u044b\u0439 \u0437\u0430\u043f\u0440\u043e\u0441 \u0441\u043e \u0432\u0441\u0435\u043c\u0438 \u0444\u0430\u0439\u043b\u0430\u043c\u0438 cookie \u0434\u043b\u044f \u0441\u0442\u0430\u0431\u0438\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0441\u0435\u0430\u043d\u0441\u0430, \n\u0441\u0440\u0430\u0432\u043d\u0438\u0432\u0430\u0439\u0442\u0435 \u043e\u0442\u0432\u0435\u0442\u044b \u0441 \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u043c \u0431\u0430\u0437\u043e\u0432\u044b\u043c GET. 
\n\u042d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u0432\u044b\u044f\u0432\u0438\u0442\u044c \u043e\u0431\u043b\u0430\u0441\u0442\u0438, \u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f / \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u044b \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u0444\u0430\u0439\u043b\u043e\u0432 cookie \u0444\u0430\u043a\u0442\u0438\u0447\u0435\u0441\u043a\u0438 \u043d\u0435 \u043f\u0440\u0438\u043c\u0435\u043d\u044f\u044e\u0442\u0441\u044f. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = \u0414\u0435\u0442\u0435\u043a\u0442\u043e\u0440 \u041e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u044f Cookie ascanbeta.cookieslack.otherinfo.intro = \u0424\u0430\u0439\u043b\u044b cookie, \u043d\u0435 \u043e\u043a\u0430\u0437\u044b\u0432\u0430\u044e\u0449\u0438\u0435 \u043e\u0436\u0438\u0434\u0430\u0435\u043c\u043e\u0433\u043e \u044d\u0444\u0444\u0435\u043a\u0442\u0430, \u043c\u043e\u0433\u0443\u0442 \u0432\u044b\u044f\u0432\u0438\u0442\u044c \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0438 \u0432 \u043b\u043e\u0433\u0438\u043a\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f. \n\u0412 \u0445\u0443\u0434\u0448\u0435\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u044d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u043a\u0430\u0437\u0430\u0442\u044c, \n\u0433\u0434\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043c\u0430\u0440\u043a\u0435\u0440\u043e\u0432 cookie \u0444\u0430\u043a\u0442\u0438\u0447\u0435\u0441\u043a\u0438 \u043d\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f. 
ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = \u041f\u043e\u0445\u043e\u0436\u0435, \u0447\u0442\u043e \u0443\u0434\u0430\u043b\u0435\u043d\u0438\u0435 \u044d\u0442\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 cookie \u0441\u0434\u0435\u043b\u0430\u043b\u043e \u0441\u0435\u0430\u043d\u0441 \u043d\u0435\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u043c\: [{0}]\n\u041f\u043e\u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0437\u0430\u043f\u0440\u043e\u0441 \u0441\u043e \u0432\u0441\u0435\u043c\u0438 \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u043c\u0438 \u0444\u0430\u0439\u043b\u0430\u043c\u0438 cookie \u043f\u043e-\u043f\u0440\u0435\u0436\u043d\u0435\u043c\u0443 \u0438\u043c\u0435\u043b \u0434\u0440\u0443\u0433\u043e\u0439 \u043e\u0442\u0432\u0435\u0442, \n\u0447\u0435\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u0437\u0430\u043f\u0440\u043e\u0441. -ascanbeta.cookieslack.session.warning = \u041f\u0420\u0418\u041c\u0415\u0427\u0410\u041d\u0418\u0415. 
\u0418\u0437-\u0437\u0430 \u0441\u0432\u043e\u0435\u0433\u043e \u043d\u0430\u0437\u0432\u0430\u043d\u0438\u044f \u044d\u0442\u043e\u0442 \u0444\u0430\u0439\u043b cookie \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0432\u0430\u0436\u043d\u044b\u043c, \n\u043d\u043e \u0435\u0433\u043e \u0443\u0434\u0430\u043b\u0435\u043d\u0438\u0435, \u043f\u043e\u0445\u043e\u0436\u0435, \u043d\u0435 \u0438\u043c\u0435\u0435\u0442 \u043d\u0438\u043a\u0430\u043a\u043e\u0433\u043e \u044d\u0444\u0444\u0435\u043a\u0442\u0430\: [{0}] +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = \u0421\u043e\u0432\u043c\u0435\u0441\u0442\u043d\u043e\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 \u043c\u0435\u0436\u0434\u0443 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0430\u043c\u0438 (Cross-Origin Resource Sharing - CORS) \u2014 \u044d\u0442\u043e \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c, \u043e\u0441\u043d\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u043d\u0430 HTTP-\u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0435, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0441\u0435\u0440\u0432\u0435\u0440\u0443 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0442\u044c \u043b\u044e\u0431\u044b\u0435 \u0434\u0440\u0443\u0433\u0438\u0435 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438 (\u0434\u043e\u043c\u0435\u043d, \u0441\u0445\u0435\u043c\u0443 \u0438\u043b\u0438 \u043f\u043e\u0440\u0442), \u043a\u0440\u043e\u043c\u0435 \u0441\u0432\u043e\u0435\u0433\u043e 
\u0441\u043e\u0431\u0441\u0442\u0432\u0435\u043d\u043d\u043e\u0433\u043e, \u0438\u0437 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0434\u043e\u043b\u0436\u0435\u043d \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u0442\u044c \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0443 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432. \u042d\u0442\u043e \u043e\u0441\u043b\u0430\u0431\u043b\u044f\u0435\u0442 \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0443 \u0442\u043e\u0433\u043e \u0436\u0435 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0436\u0434\u0435\u043d\u0438\u044f (Same-Origin Policy - SOP). ascanbeta.cors.info.name = CORS Header 
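Review bot: this hunk replaces Russian strings with English in `Messages_ru_RU.properties`: `ascanbeta.HTTPParamPoll.sol`, `ascanbeta.backupfiledisclosure.desc`, `ascanbeta.cookieslack.affect.response.no`/`.yes`, `ascanbeta.cookieslack.session.destroyed` and `ascanbeta.cookieslack.session.warning` all lose their `\uXXXX` Cyrillic values in favour of English text while the surrounding keys stay Russian. If these came back untranslated because the English source strings changed, the translations should be restored upstream rather than committed as English; if it is deliberate, the PR description should say so. Separately, in `cookieslack.session.destroyed` the `\n` that separated `[{0}]` from the follow-on sentence has moved to the end of the value (`...[{0}] A follow-on request ... than the original request.\n`), and `session.warning` likewise gains a trailing `\n`; a trailing newline in an alert string is normally unwanted, so confirm these match the English source values.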
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = \u0415\u0441\u043b\u0438 \u0432\u0435\u0431-\u0440\u0435\u ascanbeta.cors.vuln.desc = \u042d\u0442\u0430 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f CORS \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c AJAX-\u0437\u0430\u043f\u0440\u043e\u0441\u044b \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u043c\u0443 \u0432\u0435\u0431-\u0441\u0430\u0439\u0442\u0443 \u0441 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0439 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u0437\u0430\u0433\u0440\u0443\u0436\u0435\u043d\u043d\u043e\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u043c \u0430\u0433\u0435\u043d\u0442\u043e\u043c \u0436\u0435\u0440\u0442\u0432\u044b.\n\u0427\u0442\u043e\u0431\u044b \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b AJAX, \u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u043b\u0436\u0435\u043d \u0443\u043a\u0430\u0437\u0430\u0442\u044c \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a \u00abAccess-Control-Allow-Credentials\: true\u00bb, \u0430 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a \u00abAccess-Control-Allow-Origin\u00bb \u0434\u043e\u043b\u0436\u0435\u043d \u0438\u043c\u0435\u0442\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 null \u0438\u043b\u0438 \u0434\u043e\u043c\u0435\u043d \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u0439 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b. 
\u0414\u0430\u0436\u0435 \u0435\u0441\u043b\u0438 \u044d\u0442\u0430 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f \u043d\u0435 \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u0435\u0442 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b AJAX, \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u043c\u0443 \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0443 \u0432\u0441\u0435 \u0440\u0430\u0432\u043d\u043e \u0432\u043e\u0437\u043c\u043e\u0436\u0435\u043d (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u043a \u0432\u0435\u0431-\u0441\u0430\u0439\u0442\u0430\u043c \u0438\u043d\u0442\u0440\u0430\u0441\u0435\u0442\u0438).\n\u0412\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u0430\u044f \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u043d\u0430\u0434\u043b\u0435\u0436\u0430\u0442\u044c \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u043e\u043c\u0443 \u0432\u0435\u0431-\u0441\u0430\u0439\u0442\u0443, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u043e\u043c\u0443 \u0432\u0435\u0431-\u0441\u0430\u0439\u0442\u0443 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, XSS, \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430 HTTP \u0431\u0435\u0437 TLS, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u0432\u043d\u0435\u0434\u0440\u044f\u0442\u044c \u043a\u043e\u0434 \u0447\u0435\u0440\u0435\u0437 MITM \u0438 \u0442. \u0434.). 
ascanbeta.cors.vuln.name = \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f CORS -ascanbeta.crossdomain.adobe.desc = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u0430 \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430\u044f \u043f\u043e\u0434\u0434\u0435\u043b\u043a\u0430 Flash/Silverlight \u0437\u0430\u043f\u0440\u043e\u0441\u0430 (CSRF), \u0432\u0435\u0440\u043e\u044f\u0442\u043d\u043e \u0438\u0437-\u0437\u0430 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u0432\u0435\u0431 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. -ascanbeta.crossdomain.adobe.read.extrainfo = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u0435\u0442 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0435 \u043c\u0435\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u043d\u0430 \u0447\u0442\u0435\u043d\u0438\u0435 \u0434\u0430\u043d\u043d\u044b\u0445, \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0438\u0435 \u043e\u0442 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u0432 Flash / Silverlight, \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u0435\u043c\u044b\u0445 \u0438\u0437 \u043b\u044e\u0431\u043e\u0433\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0435\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0430, \u0432 \u044d\u0442\u043e\u0442 \u0434\u043e\u043c\u0435\u043d.\n\n\n\u0415\u0441\u043b\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c-\u0436\u0435\u0440\u0442\u0432\u0430 \u0432\u043e\u0448\u0435\u043b \u0432 \u044d\u0442\u0443 \u0441\u043b\u0443\u0436\u0431\u0443, \u0437\u043b\u043e\u043d\u0430\u043c\u0435\u0440\u0435\u043d\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u0447\u0442\u0435\u043d\u0438\u044f 
\u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u044e\u0442\u0441\u044f \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0436\u0435\u0440\u0442\u0432\u044b \u0438 \u043c\u043e\u0433\u0443\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0442\u043e\u043c\u0443, \u0447\u0442\u043e \u0434\u0430\u043d\u043d\u044b\u0435 \u0438\u0437 \u044d\u0442\u043e\u0439 \u0441\u043b\u0443\u0436\u0431\u044b \u0431\u0443\u0434\u0443\u0442 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u044b \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0438\u043c \u0432\u0435\u0431-\u0441\u0430\u0439\u0442\u043e\u043c \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0436\u0435\u0440\u0442\u0432\u044b.\n\n\u042d\u0442\u043e \u043e\u0441\u043e\u0431\u0435\u043d\u043d\u043e \u0432\u0435\u0440\u043e\u044f\u0442\u043d\u043e, \u0435\u0441\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u0441\u0435\u0430\u043d\u0441\u0430 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u0444\u0430\u0439\u043b\u043e\u0432 cookie. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = \u041c\u0435\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u0430\u044f \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u041a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = \u0412 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u043c \u0444\u0430\u0439\u043b\u0435 crossdomain.xml \u043d\u0443\u0436\u043d\u043e \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0438\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u0434\u043e\u043c\u0435\u043d\u043e\u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u043c \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u044b \u043a\u0440\u043e\u0441\u0441 \u0434\u043e\u043c\u0435\u043d\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u043d\u0430 \u0447\u0442\u0435\u043d\u0438\u0435 \u043a \u044d\u0442\u043e\u043c\u0443 \u0432\u0435\u0431 \u0441\u0435\u0440\u0432\u0435\u0440\u0443, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f . 
\u0412\u044b \u043c\u043e\u0436\u0435\u0442\u0435 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f "*" (\u043a\u043e \u0432\u0441\u0435\u043c \u0434\u043e\u043c\u0435\u043d\u0430\u043c), \u043d\u043e \u0442\u043e\u043b\u044c\u043a\u043e \u0432 \u0442\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435, \u0435\u0441\u043b\u0438 \u0432\u044b \u0443\u0432\u0435\u0440\u0435\u043d\u044b, \u0447\u0442\u043e \u0441\u0435\u0440\u0432\u0438\u0441 \u043d\u0435 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 \u0434\u043e\u0441\u0442\u0443\u043f \u0432 \u043f\u0435\u0440\u0441\u043e\u043d\u0430\u043b\u044c\u043d\u044b\u043c \u0438\u043b\u0438 \u043f\u0440\u0438\u0432\u0430\u0442\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043b\u0438 \u0438\u0445 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044e \u0438\u043c\u0438. ascanbeta.crossdomain.adobe.send.extrainfo = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u0435\u0442 \u0432\u0440\u0435\u0434\u043e\u043d\u043e\u0441\u043d\u044b\u0435 \u043c\u0435\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u043d\u0430 \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0443 \u0434\u0430\u043d\u043d\u044b\u0445 (\u043d\u043e \u043d\u0435 \u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u043d\u0430 \u0447\u0442\u0435\u043d\u0438\u0435), \u0438\u0441\u0445\u043e\u0434\u044f\u0449\u0438\u0435 \u043e\u0442 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u0432 Flash / Silverlight, \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u0435\u043c\u044b\u0445 \u0438\u0437 \u043b\u044e\u0431\u043e\u0433\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0435\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0430, \u0432 \u044d\u0442\u043e\u0442 \u0434\u043e\u043c\u0435\u043d. 
\u0415\u0441\u043b\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c-\u0436\u0435\u0440\u0442\u0432\u0430 \u0432\u043e\u0448\u0435\u043b \u0432 \u044d\u0442\u0443 \u0441\u043b\u0443\u0436\u0431\u0443, \u0437\u043b\u043e\u043d\u0430\u043c\u0435\u0440\u0435\u043d\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u044e\u0442\u0441\u044f \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0436\u0435\u0440\u0442\u0432\u044b \u0438 \u043c\u043e\u0433\u0443\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0430\u0442\u0430\u043a\u0430\u043c \u0442\u0438\u043f\u0430 \u043f\u043e\u0434\u0434\u0435\u043b\u043a\u0438 \u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u044b\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 (CSRF) \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0436\u0435\u0440\u0442\u0432\u044b. \u042d\u0442\u043e \u043e\u0441\u043e\u0431\u0435\u043d\u043d\u043e \u0432\u0435\u0440\u043e\u044f\u0442\u043d\u043e, \u0435\u0441\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u0441\u0435\u0430\u043d\u0441\u0430 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u0444\u0430\u0439\u043b\u043e\u0432 cookie. 
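Review bot: the `+ascanbeta.crossdomain.adobe.desc` and `+ascanbeta.crossdomain.adobe.read.extrainfo` lines replace existing Russian translations with the English source strings, so Russian users of this add-on will now see mixed-language alerts for this rule; if this is a deliberate reset of out-of-date translations (source string changed, translation no longer matches), say so in the commit message, otherwise keep the Russian text and carry the source change over into it. While touching this rule, the untouched `ascanbeta.crossdomain.adobe.read.soln` context line ends with "using ." (the verb followed directly by the full stop), which looks like the crossdomain.xml element name has been lost from the translated string; worth comparing against the English source entry.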
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = \u041f\u0435\u0440\u0435\u043d\ ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = \u041d\u0430\u0441\u0442\u0440\u043e\u0439\u0442\u0435 \u0441\u0432\u043e\u0439 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u0438\u043b\u0438 \u0441\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 \u0434\u043b\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f SSL (HTTPS). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. 
ascanbeta.httpoxy.name = Httpoxy - \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u043f\u0440\u043e\u043a\u0441\u0438 ascanbeta.httpoxy.otherinfo = \u0418\u0441\u0445\u043e\u0434\u044f\u0449\u0435\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0435 {0} \u0431\u044b\u043b\u043e \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u043e \u0447\u0435\u0440\u0435\u0437 \u0445\u043e\u0441\u0442 \u0438 \u043f\u043e\u0440\u0442, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 ZAP \u0432\u0432\u043e\u0434\u0438\u0442 \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP \u043f\u0440\u043e\u043a\u0441\u0438. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u0435 \u0441\u0435\u0442\u0438 \u043e\u0442\u043a\u043b\u044e\u0447\u0435\u043d\u043e ascanbeta.httpoxy.soln = \u041b\u0443\u0447\u0448\u0435\u0435 \u043d\u0435\u043c\u0435\u0434\u043b\u0435\u043d\u043d\u043e\u0435 \u0440\u0435\u0448\u0435\u043d\u0438\u0435 - \u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 \u043f\u0440\u043e\u043a\u0441\u0438 \n(block Proxy request headers) \u043a\u0430\u043a \u043c\u043e\u0436\u043d\u043e \u0440\u0430\u043d\u044c\u0448\u0435, \u043d\u043e \u0434\u043e \u0442\u043e\u0433\u043e, \u043a\u0430\u043a \u043e\u043d\u0438 \u043f\u043e\u043f\u0430\u0434\u0443\u0442 \u0432 \u0432\u0430\u0448\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435. 
-ascanbeta.httpsashttp.desc = \u041a\u043e\u043d\u0442\u0435\u043d\u0442, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0438\u0437\u043d\u0430\u0447\u0430\u043b\u044c\u043d\u043e \u0431\u044b\u043b \u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d \u0447\u0435\u0440\u0435\u0437 HTTPS (\u0442. \u0435. \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044f SSL / TLS), \u0442\u0430\u043a\u0436\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d \u0447\u0435\u0440\u0435\u0437 HTTP (\u0431\u0435\u0437 \u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u044f). +ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = \u041a\u043e\u043d\u0442\u0435\u043d\u0442 HTTPS, \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 \u0447\u0435\u0440\u0435\u0437 HTTP ascanbeta.httpsashttp.otherinfo = ZAP \u043f\u043e\u043f\u044b\u0442\u0430\u043b\u0441\u044f \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0438\u0442\u044c\u0441\u044f \u0447\u0435\u0440\u0435\u0437\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0432\u0430\u0448 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439, \u0431\u0430\u043b\u0430\u043d\u0441\u0438\u0440\u043e\u0432\u0449\u0438\u043a \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u0438 \u0442. \u0434. 
\u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u044b \u0434\u043b\u044f \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u044f \u0442\u0430\u043a\u043e\u0433\u043e \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430 \u0442\u043e\u043b\u044c\u043a\u043e \u0447\u0435\u0440\u0435\u0437 HTTPS. \n\u0420\u0430\u0441\u0441\u043c\u043e\u0442\u0440\u0438\u0442\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0441\u0442\u0440\u043e\u0433\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442\u0430 HTTP. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = \u041d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 HTTP-\u043c\u0435\u0442\u043e\u0434 [{0}] \u0432\u043a\u043b\u044e\u0447\u0435\u043d \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0440\u0435\u0441\u0443\u0440\u0441\u0430 \u0438 \u0435\u0433\u043e \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c.\n\u0411\u044b\u043b\u043e \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u043e, \u0447\u0442\u043e \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u044d\u0442\u043e\u0433\u043e \u043c\u0435\u0442\u043e\u0434\u0430 HTTP \u043c\u043e\u0436\u043d\u043e \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u0447\u0435\u0440\u0435\u0437 \u0442\u0443\u043d\u043d\u0435\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u0441\u043e\u043a\u0435\u0442 \u0441\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0435\u0439 \u0441\u043b\u0443\u0436\u0431\u043e\u0439.\n\n\u042d\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0441\u043b\u0443\u0436\u0431\u0443 \u043a\u0430\u043a 
\u0430\u043d\u043e\u043d\u0438\u043c\u043d\u044b\u0439 \u0440\u0435\u0442\u0440\u0430\u043d\u0441\u043b\u044f\u0442\u043e\u0440 \u0441\u043f\u0430\u043c\u0430 \u0438\u043b\u0438 \u043a\u0430\u043a \u0432\u0435\u0431-\u043f\u0440\u043e\u043a\u0441\u0438, \u043c\u0438\u043d\u0443\u044f \u0441\u0435\u0442\u0435\u0432\u044b\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f.\n\n\u042d\u0442\u043e \u0442\u0430\u043a\u0436\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0435\u0433\u043e \u0434\u043b\u044f \u0441\u043e\u0437\u0434\u0430\u043d\u0438\u044f \u0442\u0443\u043d\u043d\u0435\u043b\u044c\u043d\u043e\u0439 VPN, \u044d\u0444\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u043e \u0440\u0430\u0441\u0448\u0438\u0440\u044f\u044f \u043f\u0435\u0440\u0438\u043c\u0435\u0442\u0440 \u0441\u0435\u0442\u0438 \u0437\u0430 \u0441\u0447\u0435\u0442 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u043d\u0435\u043d\u0430\u0434\u0435\u0436\u043d\u044b\u0445 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u0432. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = \u041c\u0435\u0442\u043e\u0434 CONNECT \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043b\u0441\u044f \u0434\u043b\u044f \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0441\u043e\u043a\u0435\u0442\u043d\u043e\u0433\u043e \u043f\u043e\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u043a [{0}] \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 ascanbeta.insecurehttpmethod.delete.exploitable.desc = \u042d\u0442\u043e\u0442 \u043c\u0435\u0442\u043e\u0434 \u0447\u0430\u0449\u0435 \u0432\u0441\u0435\u0433\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0432 \u0441\u043b\u0443\u0436\u0431\u0430\u0445 REST, \u043e\u043d \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0434\u043b\u044f \u0443\u0434\u0430\u043b\u0435\u043d\u0438\u044f \u0440\u0435\u0441\u0443\u0440\u0441\u0430. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
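Review bot: the `+ascanbeta.httpoxy.desc` line adds a trailing full stop but leaves "of the request.Httpoxy typically affects" without a space after the first sentence; since the string is being edited anyway, make it `of the request. Httpoxy typically affects code running in CGI or CGI-like environments.` The same hunk also replaces the Russian `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` translations with English source text, the same translation regression noted for the crossdomain strings above; the English `connect.exploitable.desc` additionally collapses the original paragraph breaks into one run-on paragraph, so confirm that is intended rather than an artifact of the reset.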
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = \u0421\u043c\u043e\ ascanbeta.insecurehttpmethod.patch.exploitable.desc = \u042d\u0442\u043e\u0442 \u043c\u0435\u0442\u043e\u0434 \u0441\u0435\u0439\u0447\u0430\u0441 \u0447\u0430\u0449\u0435 \u0432\u0441\u0435\u0433\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0432 \u0441\u043b\u0443\u0436\u0431\u0430\u0445 REST, \nPATCH \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0434\u043b\u044f ** \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f ** (modify ) \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0435\u0439. \n\u0417\u0430\u043f\u0440\u043e\u0441 PATCH \u0434\u043e\u043b\u0436\u0435\u043d \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c \u0442\u043e\u043b\u044c\u043a\u043e \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0440\u0435\u0441\u0443\u0440\u0441\u0430, \u0430 \u043d\u0435 \u0432\u0435\u0441\u044c \u0440\u0435\u0441\u0443\u0440\u0441. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = \u043a\u043e\u0434 \u043e\u0442\u0432\u0435\u0442\u0430 {0} \u0434\u043b\u044f \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0433\u043e HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. 
+ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = \u041e\u0442\u043a\u043b\u044e\u0447\u0438\u0442\u0435 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0435 \u043c\u0435\u0442\u043e\u0434\u044b, \u0442\u0430\u043a\u0438\u0435 \u043a\u0430\u043a TRACK, TRACE \u0438 CONNECT, \u043d\u0430 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0438 \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0431\u0430\u0437\u043e\u0432\u0430\u044f \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044f \u0441\u043b\u0443\u0436\u0431\u044b \u043d\u0435 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0435\u0442 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0435 \u043c\u0435\u0442\u043e\u0434\u044b. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = \u041d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 HTTP-\u043c\u0435\u0442\u043e\u0434 [{0}] \u0432\u043a\u043b\u044e\u0447\u0435\u043d \u0434\u043b\u044f \u044d\u0442\u043e\u0433\u043e \u0440\u0435\u0441\u0443\u0440\u0441\u0430 \u0438 \u0435\u0433\u043e \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c.\n\n\u041c\u0435\u0442\u043e\u0434\u044b TRACK \u0438 TRACE \u043c\u043e\u0433\u0443\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0442\u043e\u043a\u0435\u043d\u0443 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 / cookie \u0441\u0435\u0430\u043d\u0441\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f, \u0434\u0430\u0436\u0435 \u0435\u0441\u043b\u0438 \u0444\u0430\u0439\u043b cookie \u0441\u0435\u0430\u043d\u0441\u0430 \u0437\u0430\u0449\u0438\u0449\u0435\u043d \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0444\u043b\u0430\u0433\u0430 HttpOnly.\n\n\n\u0427\u0442\u043e\u0431\u044b \u0430\u0442\u0430\u043a\u0430 \u0431\u044b\u043b\u0430 \u0443\u0441\u043f\u0435\u0448\u043d\u043e\u0439, \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f, \u043a\u0430\u043a \u043f\u0440\u0430\u0432\u0438\u043b\u043e, \u0434\u043e\u043b\u0436\u0435\u043d \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0441\u0442\u0430\u0440\u044b\u0439 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0438\u043b\u0438 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 
\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c\u044e \u043e\u0431\u0445\u043e\u0434\u0430 \u0442\u043e\u0439 \u0436\u0435 \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0438 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0436\u0434\u0435\u043d\u0438\u044f \nSame Origin Policy (SOP). 
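Review bot: the `+ascanbeta.insecurehttpmethod.put.exploitable.desc` line removes the doubled full stop but keeps the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities"; suggest `It is now most commonly used in REST services, where PUT is most often used for **update** capabilities: PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.` Also check whether the literal `**update**` asterisks are meant to be shown to the user; the neighbouring `patch.exploitable.desc` context line carries the same `** ... **` markup, so whichever way it is resolved should apply to both.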
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = \u042d\u0442\u043e\u0442 ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = \u0421\u043c\u043e\u0442\u0440\u0438 \u043e\u0431\u0441\u0443\u0436\u0434\u0435\u043d\u0438\u0435 stackexchange\:\nhttps\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = \u0423\u0441\u043b\u043e\u0432\u0438\u0435 \u0446\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u0435\u0442, \u043a\u043e\u0433\u0434\u0430 \u0446\u0435\u043b\u043e\u0435 \u0447\u0438\u0441\u043b\u043e, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u043e\u0435 \u0432 \u0441\u043a\u043e\u043c\u043f\u0438\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0435, \u0432\u044b\u0445\u043e\u0434\u0438\u0442 \u0437\u0430 \u043f\u0440\u0435\u0434\u0435\u043b\u044b \u0434\u0438\u0430\u043f\u0430\u0437\u043e\u043d\u0430 \u0438 \u043d\u0435 \u0431\u044b\u043b\u043e \u0434\u043e\u043b\u0436\u043d\u044b\u043c \u043e\u0431\u0440\u0430\u0437\u043e\u043c \u043f\u0440\u043e\u0432\u0435\u0440\u0435\u043d\u043e \u0438\u0437 \u0432\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u043e\u0442\u043e\u043a\u0430. -ascanbeta.integeroverflow.error1 = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0435 \u0446\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u043e\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 (Integer Overflow). 
\n\u041a\u043e\u0434 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u0438\u0437\u043c\u0435\u043d\u0438\u043b\u0441\u044f \u043f\u0440\u0438 \u0432\u0432\u043e\u0434\u0435 \u0434\u043b\u0438\u043d\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 \u0441\u043b\u0443\u0447\u0430\u0439\u043d\u044b\u0445 \u0446\u0435\u043b\u044b\u0445 \u0447\u0438\u0441\u0435\u043b. -ascanbeta.integeroverflow.error2 = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0435 \u0446\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u043e\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435. \u041a\u043e\u0434 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u0438\u0437\u043c\u0435\u043d\u0438\u043b\u0441\u044f \u043f\u0440\u0438 \u0432\u0432\u043e\u0434\u0435 \u0434\u043b\u0438\u043d\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 \u043d\u0443\u043b\u0435\u0439. -ascanbeta.integeroverflow.error3 = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0435 \u0446\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u043e\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435. \n\u041a\u043e\u0434 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u0438\u0437\u043c\u0435\u043d\u0438\u043b\u0441\u044f \u043f\u0440\u0438 \u0432\u0432\u043e\u0434\u0435 \u0434\u043b\u0438\u043d\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 \u0435\u0434\u0438\u043d\u0438\u0446. -ascanbeta.integeroverflow.error4 = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0435 \u0446\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u043e\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435. 
\u041a\u043e\u0434 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u0438\u0437\u043c\u0435\u043d\u0438\u043b\u0441\u044f \u043f\u0440\u0438 \u0432\u0432\u043e\u0434\u0435 \u0434\u043b\u0438\u043d\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 \u0434\u0435\u0432\u044f\u0442\u043e\u043a. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = \u0426\u0435\u043b\u043e\u0447\u0438\u0441\u043b\u0435\u043d\u043d\u0430\u044f \u041e\u0448\u0438\u0431\u043a\u0430 \u041f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
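Review bot: the four `+ascanbeta.integeroverflow.error1` to `error4` lines drop the Russian translations in favour of English source text; the removed lines had inconsistent embedded `\n` breaks (error1 and error3 broke after the first sentence, error2 and error4 did not), so the new English strings are at least uniform, but if the goal was only to normalise those breaks that can be done on the Russian wording without losing the translation. Note that `ascanbeta.integeroverflow.soln` in the context lines is already untranslated English, so this rule's alert text is now English throughout for Russian users.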
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = \u0412\u043d\u0435\u043f\u043e\u043b\u043e\u0441\u043d\u ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS \u043c\u0435\u0442\u043e\u0434\u044b \u0441 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u043c Max-Forwards.\nTRACK \u043c\u0435\u0442\u043e\u0434. -ascanbeta.proxydisclosure.desc = \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u044b \u0438\u043b\u0438 \u0441\u043d\u044f\u0442\u044b \u043e\u0442\u043f\u0435\u0447\u0430\u0442\u043a\u0438 \u043f\u0430\u043b\u044c\u0446\u0435\u0432 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u0432\: {0}. \u042d\u0442\u0430 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043f\u043e\u043c\u043e\u0433\u0430\u0435\u0442 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c\n - \u0421\u043f\u0438\u0441\u043e\u043a \u0446\u0435\u043b\u0435\u0439 \u0434\u043b\u044f \u0430\u0442\u0430\u043a\u0438 \u043d\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435.\n - \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043d\u0430 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445, \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u044e\u0449\u0438\u0445 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435.\n - \u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u0438\u043b\u0438 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u0435 \u043a\u0430\u043a\u0438\u0445-\u043b\u0438\u0431\u043e \u043f\u0440\u043e\u043a\u0441\u0438-\u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u0432, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0433\u0443\u0442 
\u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u0435, \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u0435 \u0438\u043b\u0438 \u0441\u043c\u044f\u0433\u0447\u0435\u043d\u0438\u0435 \u0430\u0442\u0430\u043a \u043d\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = \u0411\u044b\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u044b \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u00ab\u0442\u0438\u0445\u0438\u0435\u00bb (silent) \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u044b. 
\n\u0418\u0437-\u0437\u0430 \u0438\u0445 \u043f\u043e\u0432\u0435\u0434\u0435\u043d\u0438\u044f \u043d\u0435\u0438\u0437\u0432\u0435\u0441\u0442\u043d\u043e, \u0432 \u043a\u0430\u043a\u043e\u0439 \u0442\u043e\u0447\u043a\u0435 \u0441\u0435\u0442\u0435\u0432\u043e\u0439 \u0442\u043e\u043f\u043e\u043b\u043e\u0433\u0438\u0438 \u043d\u0430\u0445\u043e\u0434\u044f\u0442\u0441\u044f \u044d\u0442\u0438 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u044b\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = \u041c\u0435\u0442\u043e\u0434 TRACE \u0432\u043a\u043b\u044e\u0447\u0435\u043d \u043d\u0430 \u043e\u0434\u043d\u043e\u043c \u0438\u043b\u0438 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u0438\u0445 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445 \u0438\u043b\u0438 \u043d\u0430 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u043c \u0441\u0435\u0440\u0432\u0435\u0440\u0435. \n\u042d\u0442\u043e\u0442 \u043c\u0435\u0442\u043e\u0434 \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0432\u0430\u0435\u0442 \u0443\u0442\u0435\u0447\u043a\u0443 \u0432\u0441\u0435\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438, \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u043e\u0439 \u0438\u0437 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430, \u0438 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \u043e\u0431\u0440\u0430\u0442\u043d\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u043c\u0443 \u0430\u0433\u0435\u043d\u0442\u0443. \n\u042d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u0441\u043f\u043e\u0441\u043e\u0431\u0441\u0442\u0432\u043e\u0432\u0430\u0442\u044c \u0430\u0442\u0430\u043a\u0430\u043c \u00ab\u041c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0435 \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u043d\u0438\u0435\u00bb('Cross Site Tracing'). 
+ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = \u041d\u0435\u0438\u0437\u0432\u0435\u0441\u0442\u043d\u043e ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0439 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 / \u0441\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043f\u043e \u0434\u043e\u0432\u0435\u0440\u0435\u043d\u043d\u043e\u0441\u0442\u0438 ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = \u041e\u0442\u043a\u043b\u044e\u0447\u0438\u0442\u0435 \u043c\u0435\u0442\u043e\u0434 TRACE \u043d\u0430 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445, \u0430 \u0442\u0430\u043a\u0436\u0435 \u043d\u0430 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u043c \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0435 / \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439.\n\u041e\u0442\u043a\u043b\u044e\u0447\u0438\u0442\u0435 \u043c\u0435\u0442\u043e\u0434 OPTIONS \u043d\u0430 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445, \u0430 \u0442\u0430\u043a\u0436\u0435 \u043d\u0430 
\u0438\u0441\u0445\u043e\u0434\u043d\u043e\u043c \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0435 / \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439, \u0435\u0441\u043b\u0438 \u043e\u043d \u043d\u0435 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0434\u043b\u044f \u0434\u0440\u0443\u0433\u0438\u0445 \u0446\u0435\u043b\u0435\u0439, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 CORS (\u0441\u043e\u0432\u043c\u0435\u0441\u0442\u043d\u043e\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 \u043c\u0435\u0436\u0434\u0443 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0430\u043c\u0438).\n\u0421\u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0438\u0440\u0443\u0439\u0442\u0435 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u044b \u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u044b \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0435\u043c\u044b\u0445 \u0441\u0442\u0440\u0430\u043d\u0438\u0446 \u043e\u0448\u0438\u0431\u043e\u043a, \u0447\u0442\u043e\u0431\u044b \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442\u044c \u0443\u0442\u0435\u0447\u043a\u0443 \u0441\u0442\u0440\u0430\u043d\u0438\u0446 \u043e\u0448\u0438\u0431\u043e\u043a \u043a\u043e\u043d\u043a\u0440\u0435\u0442\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 \u0441 \u00ab\u043e\u0442\u043f\u0435\u0447\u0430\u0442\u043a\u0430\u043c\u0438 \u043f\u0430\u043b\u044c\u0446\u0435\u0432\u00bb( 'fingerprintable' ) \n\u0434\u043b\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0432 \u0441\u043b\u0443\u0447\u0430\u0435 \u043e\u0448\u0438\u0431\u043e\u043a HTTP, \u0442\u0430\u043a\u0438\u0445 \u043a\u0430\u043a \u0437\u0430\u043f\u0440\u043e\u0441\u044b 
\u00abTRACK\u00bb \u043d\u0435\u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0445 \u0441\u0442\u0440\u0430\u043d\u0438\u0446.\n\u041d\u0430\u0441\u0442\u0440\u043e\u0439\u0442\u0435 \u0432\u0441\u0435 \u043f\u0440\u043e\u043a\u0441\u0438, \u0441\u0435\u0440\u0432\u0435\u0440\u044b \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 \u0438 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u044b, \u0447\u0442\u043e\u0431\u044b \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442\u044c \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0438\u0438 \u0438 \u0432\u0435\u0440\u0441\u0438\u0438 \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430\u0445 HTTP-\u043e\u0442\u0432\u0435\u0442\u043e\u0432 \u00abServer\u00bb \u0438 \u00abX-Powered-By\u00bb. ascanbeta.relativepathconfusion.desc = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d \u0434\u043b\u044f \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u044f \u043e\u0442\u0432\u0435\u0442\u043e\u0432 \u043d\u0430 \u043d\u0435\u043e\u0434\u043d\u043e\u0437\u043d\u0430\u0447\u043d\u044b\u0435 URL-\u0430\u0434\u0440\u0435\u0441\u0430 \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u043c, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u043f\u0443\u0442\u0430\u043d\u0438\u0446\u0435 \u0432 \u043e\u0442\u043d\u043e\u0448\u0435\u043d\u0438\u0438 \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0433\u043e \u00ab\u043e\u0442\u043d\u043e\u0441\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0443\u0442\u0438\u00bb \u0434\u043b\u044f URL-\u0430\u0434\u0440\u0435\u0441\u0430. 
\n\u0420\u0435\u0441\u0443\u0440\u0441\u044b (CSS, \u0438\u0437\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u044f \u0438 \u0442. \u0434.) \u0422\u0430\u043a\u0436\u0435 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u044e\u0442\u0441\u044f \u0432 \u043e\u0442\u0432\u0435\u0442\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043e\u0442\u043d\u043e\u0441\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445, \u0430 \u043d\u0435 \u0430\u0431\u0441\u043e\u043b\u044e\u0442\u043d\u044b\u0445 URL-\u0430\u0434\u0440\u0435\u0441\u043e\u0432. \n\u041f\u0440\u0438 \u0430\u0442\u0430\u043a\u0435, \u0435\u0441\u043b\u0438 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u043c\u043e \u0430\u043d\u0430\u043b\u0438\u0437\u0438\u0440\u0443\u0435\u0442 \u043e\u0442\u0432\u0435\u0442 \u00ab\u043f\u0435\u0440\u0435\u043a\u0440\u0435\u0441\u0442\u043d\u043e\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435\u00bb (cross-content) \n\u0438\u043b\u0438 \u0435\u0433\u043e \u043c\u043e\u0436\u043d\u043e \u043e\u0431\u043c\u0430\u043d\u0443\u0442\u044c, \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u0432 \u0440\u0430\u0437\u043e\u0431\u0440\u0430\u0442\u044c \u043e\u0442\u043a\u043b\u0438\u043a \u00ab\u043f\u0435\u0440\u0435\u043a\u0440\u0435\u0441\u0442\u043d\u043e\u0433\u043e \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e\u00bb (cross-content), \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0442\u0430\u043a\u0438\u0435 \u043c\u0435\u0442\u043e\u0434\u044b, \u043a\u0430\u043a \u0444\u0440\u0435\u0439\u043c\u0438\u043d\u0433, \u0442\u043e\u0433\u0434\u0430 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u043e\u0431\u043c\u0430\u043d\u0443\u0442. 
\u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0446\u0438\u044f HTML \u043a\u0430\u043a CSS (\u0438\u043b\u0438 \u0434\u0440\u0443\u0433\u0438\u0445 \u0442\u0438\u043f\u043e\u0432 \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430), \u0447\u0442\u043e \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 XSS. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = \u0423\u043a\u0430\u0437\u0430\u043d \u0442\u0438\u043f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e "{0}". \u0415\u0441\u043b\u0438 \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442\u0441\u044f \u0441\u0442\u0440\u043e\u0433\u0438\u0435 \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u0441\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0447\u0435\u0441\u043a\u043e\u0433\u043e \u0430\u043d\u0430\u043b\u0438\u0437\u0430, \u044d\u0442\u043e \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442 \u0443\u0441\u043f\u0435\u0448\u043d\u044b\u0435 \u043f\u0435\u0440\u0435\u043a\u0440\u0435\u0441\u0442\u043d\u044b\u0435 \u0430\u0442\u0430\u043a\u0438. \u0420\u0435\u0436\u0438\u043c Quirks \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 \u043e\u0442\u043a\u043b\u044e\u0447\u0438\u0442 \u0441\u0442\u0440\u043e\u0433\u0438\u0439 \u0430\u043d\u0430\u043b\u0438\u0437. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. 
ascanbeta.relativepathconfusion.extrainfo.framingallowed = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a X-Frame-Options \u043d\u0435 \u0431\u044b\u043b \u0443\u043a\u0430\u0437\u0430\u043d, \u043f\n\u043e\u044d\u0442\u043e\u043c\u0443 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443 \u043c\u043e\u0436\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0432\u043e \u0444\u0440\u0435\u0439\u043c\u0435, \n\u0438 \u044d\u0442\u043e \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0434\u043b\u044f \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u0440\u0435\u0436\u0438\u043c\u0430 Quirks, \n\u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0435\u0433\u043e \u043e\u0431\u043e\u0439\u0442\u0438 \u0443\u043a\u0430\u0437\u0430\u043d\u043d\u044b\u0439 \u0442\u0438\u043f \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = \u0412 \u0442\u0435\u0433\u0435 HTML \u0443\u043a\u0430\u0437\u0430\u043d\u043e \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0442\u0435\u0433\u043e\u0432 \u0434\u043b\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u043c\u0435\u0441\u0442\u043e\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043e\u0442\u043d\u043e\u0441\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445 URL-\u0430\u0434\u0440\u0435\u0441\u043e\u0432, \u0447\u0442\u043e \u043d\u0435\u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u043e. ascanbeta.relativepathconfusion.extrainfo.nobasetag = \u0422\u0435\u0433 \u043d\u0435 \u0431\u044b\u043b \u0443\u043a\u0430\u0437\u0430\u043d \u0432 \u0442\u0435\u0433\u0435 HTML \u0434\u043b\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u043c\u0435\u0441\u0442\u043e\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u043e\u0442\u043d\u043e\u0441\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445 URL-\u0430\u0434\u0440\u0435\u0441\u043e\u0432. 
-ascanbeta.relativepathconfusion.extrainfo.nocontenttype = \u0422\u0438\u043f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e (Content Type) \u043d\u0435 \u0443\u043a\u0430\u0437\u0430\u043d, \n\u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u0440\u0435\u0436\u0438\u043c Quirks \u043d\u0435 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0434\u043b\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = \u0420\u0435\u0436\u0438\u043c Quirks \u044f\u0432\u043d\u043e \u0432\u043a\u043b\u044e\u0447\u0435\u043d \u0447\u0435\u0440\u0435\u0437 \u00bb \u0432 HTTP-\u043e\u0442\u0432\u0435\u0442\u0435 \u043e\u0434\u043d\u043e\u0437\u043d\u0430\u0447\u043d\u043e \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442 \u0431\u0430\u0437\u043e\u0432\u044b\u0439 URL-\u0430\u0434\u0440\u0435\u0441 \u0434\u043b\u044f \u0432\u0441\u0435\u0445 \u043e\u0442\u043d\u043e\u0441\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445 URL-\u0430\u0434\u0440\u0435\u0441\u043e\u0432 \u0432 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0435.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP-\u043e\u0442\u0432\u0435\u0442\u0430 Content-Type, \u0447\u0442\u043e\u0431\u044b \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0431\u044b\u043b\u043e \u0441\u043b\u043e\u0436\u043d\u0435\u0435 \u0437\u0430\u0441\u0442\u0430\u0432\u0438\u0442\u044c \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u043d\u0435\u0432\u0435\u0440\u043d\u043e 
\u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0442\u0438\u043f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u043e\u0442\u0432\u0435\u0442\u0430.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP-\u043e\u0442\u0432\u0435\u0442\u0430 \u00abX-Content-Type-Options\: nosniff\u00bb, \u0447\u0442\u043e\u0431\u044b \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u043d\u0435 \u00ab\u043e\u0431\u043d\u044e\u0445\u0438\u0432\u0430\u043b\u00bb \u0442\u0438\u043f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u043e\u0442\u0432\u0435\u0442\u0430.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0439 DOCTYPE, \u0442\u0430\u043a\u043e\u0439 \u043a\u0430\u043a \u00ab<\! Doctype html>\u00bb, \u0447\u0442\u043e\u0431\u044b \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442\u044c \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u0438\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u00abQuirks Mode\u00bb, \u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u044d\u0442\u043e \u043f\u0440\u0438\u0432\u043e\u0434\u0438\u0442 \u043a \u0442\u043e\u043c\u0443, \u0447\u0442\u043e \u0442\u0438\u043f \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430 \u0438\u0433\u043d\u043e\u0440\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u043c.\n\n\u0423\u043a\u0430\u0436\u0438\u0442\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP-\u043e\u0442\u0432\u0435\u0442\u0430 \u00abX-Frame-Options\u00bb, \u0447\u0442\u043e\u0431\u044b 
\u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442\u044c \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0435 \u0440\u0435\u0436\u0438\u043c\u0430 Quirks Mode \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u0444\u0440\u0435\u0439\u043c\u0438\u043d\u0433\u043e\u0432\u044b\u0445 \u0430\u0442\u0430\u043a. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} \u043f\u043e\u043b\u0435\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = \u0424\u0430\u0439\u043b cookie \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u0432 \u043e\u0442\u0432\u0435\u0442, \u043a\u043e\u0433\u0434\u0430 \u043f\u043e\u043b\u0435 cookie [{0}] \u0438\u043c\u0435\u0435\u0442 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 NULL\: [{1}]\nCookie \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d \u0432 \u043e\u0442\u0432\u0435\u0442 \u0441 \u0437\u0430\u0438\u043c\u0441\u0442\u0432\u043e\u0432\u0430\u043d\u043d\u044b\u043c (\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u043c) \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\u043c cookie \u0432 \u0437\u0430\u043f\u0440\u043e\u0441\u0435 [{1}]\: [{2}] 
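Review bot: `+ascanbeta.relativepathconfusion.soln` contains `the correct use of the "" HTML tag`, an empty tag name; the string is meant to name the base tag, so check that the committed line actually reads `"<base>"` (angle brackets need no escaping in a .properties file) and that the tag was only lost in the rendering of this diff. The `<\!doctype html>` a few words later is fine, since `\!` is simply read as `!`. Smaller points in the same hunk: in `+ascanbeta.proxydisclosure.desc` the bullets are spaced inconsistently (`determine\n- A list` versus `\n - Potential`), the `-`/`+` pair for `ascanbeta.proxydisclosure.extrainfo.proxyserver.header` shows no visible difference and looks like a whitespace-only change, and the same Russian-to-English regression as in the earlier hunk applies to `proxydisclosure.desc`, `traceenabled`, `webserver.header`, `contenttypeenabled`, `nocontenttype` and `relativepathconfusion.soln`. While this file is being touched, the unchanged `ascanbeta.relativepathconfusion.extrainfo.framingallowed` line has a `\n` inside the word "поэтому" (`п\nоэтому`), which is worth fixing in a follow-up.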
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = URL-\u0430\u0434\u0440 ascanbeta.sessionfixation.desc = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u0430 \u0444\u0438\u043a\u0441\u0430\u0446\u0438\u044f \u0441\u0435\u0430\u043d\u0441\u0430 (Session Fixation). \n\u0415\u0441\u043b\u0438 \u044d\u0442\u0430 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u0435\u0442 \u0441 URL-\u0430\u0434\u0440\u0435\u0441\u043e\u043c \u0432\u0445\u043e\u0434\u0430 (\u0433\u0434\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u0443\u0435\u0442\u0441\u044f \u0432 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0438), \u0442\u043e\u0433\u0434\u0430 URL-\u0430\u0434\u0440\u0435\u0441 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u0435\u043d \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c \u0432\u043c\u0435\u0441\u0442\u0435 \u0441 \u0444\u0438\u043a\u0441\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u043c \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u043e\u043c \u0441\u0435\u0430\u043d\u0441\u0430 \u0436\u0435\u0440\u0442\u0432\u0435, \u0447\u0442\u043e\u0431\u044b \u043f\u043e\u0437\u0436\u0435 \u043f\u0440\u0435\u0434\u043f\u043e\u043b\u043e\u0436\u0438\u0442\u044c \u043b\u0438\u0447\u043d\u043e\u0441\u0442\u044c \u0436\u0435\u0440\u0442\u0432\u044b. \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0434\u0430\u043d\u043d\u044b\u0439 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430. 
\u0415\u0441\u043b\u0438 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u0435\u0442 \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0435 \u0431\u0435\u0437 \u0432\u0445\u043e\u0434\u0430, URL-\u0430\u0434\u0440\u0435\u0441 \u0438 \u0444\u0438\u043a\u0441\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 \u043c\u043e\u0436\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c \u0442\u043e\u043b\u044c\u043a\u043e \u0434\u043b\u044f \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u043d\u0438\u044f \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0439 \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f. 
\n\u0415\u0441\u043b\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u0435\u0442 \u0432 \u043f\u043e\u043b\u0435 cookie \u0438\u043b\u0438 \u043f\u043e\u043b\u0435 \u0444\u043e\u0440\u043c\u044b (\u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 POST), \u0430 \u043d\u0435 \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0435 URL (GET), \u0442\u043e\u0433\u0434\u0430 \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0442\u0440\u0435\u0431\u043e\u0432\u0430\u0442\u044c\u0441\u044f \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0434\u0440\u0443\u0433\u0430\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c, \u0447\u0442\u043e\u0431\u044b \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u043e\u043b\u0435 cookie \u0432 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 \u0436\u0435\u0440\u0442\u0432\u044b, \u0447\u0442\u043e\u0431\u044b \u0440\u0430\u0437\u0440\u0435\u0448\u0438\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c. \u0431\u044b\u0442\u044c \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0438\u0440\u0443\u0435\u043c\u044b\u043c. 
ascanbeta.sessionfixation.name = \u0424\u0438\u043a\u0441\u0430\u0446\u0438\u044f \u0441\u0435\u0430\u043d\u0441\u0430 ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to 
a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} \u043f\u043e\u043b\u0435\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 {0} \u043f\u043e\u043b\u0435 [{1}], \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 [{2}] \u043c\u043e\u0436\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e JavaScript \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435 -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = URL-\u0430\u0434\u0440\u0435\u0441, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u0431\u044b\u043b\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430, \u0431\u044b\u043b \u043f\u043e\u043c\u0435\u0447\u0435\u043d \u043a\u0430\u043a \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u0432\u0445\u043e\u0434\u0430 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443. 
-ascanbeta.sessionidaccessiblebyjavascript.desc = \u0424\u0430\u0439\u043b cookie \u0441 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u043e\u043c \u0441\u0435\u0430\u043d\u0441\u0430 (Session Id cookie), \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0439 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \n(\u043a\u043e\u0433\u0434\u0430 URL-\u0430\u0434\u0440\u0435\u0441 \u0438\u0437\u043c\u0435\u043d\u0435\u043d \u043f\u0443\u0442\u0435\u043c \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u043f\u043e\u043b\u044f \u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 (parameter field ) \u0432 NULL), \n\u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d JavaScript \u043d\u0430 \u043a\u043b\u0438\u0435\u043d\u0442\u0435.\n\n\u0412 \u0441\u043e\u0447\u0435\u0442\u0430\u043d\u0438\u0438 \u0441 \u0434\u0440\u0443\u0433\u043e\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c\u044e \u044d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u0437\u0430\u0445\u0432\u0430\u0442\u0438\u0442\u044c \u0441\u0435\u0430\u043d\u0441 ( hijacked ). +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. 
#Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Cookie \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u0430 \u0441\u0435\u0430\u043d\u0441\u0430 (Session ID), \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0439 \u0434\u043b\u044f JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0444\u043b\u0430\u0433 httponly \u043f\u0440\u0438 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0435 \u0444\u0430\u0439\u043b\u0430 cookie, \n\u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0435\u0433\u043e \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430, \n\u0447\u0442\u043e\u0431\u044b \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043d\u0435\u043c\u0443 JavaScript \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0435. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. 
ascanbeta.sessionidexpiry.alert.attack = {0} \u043f\u043e\u043b\u0435\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 {0} \u043f\u043e\u043b\u0435 [{1}], \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 [{2}] \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e \u0434\u043e [{3}]\n (\u043f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u0444\u0430\u0439\u043b cookie \u0431\u044b\u043b \u043f\u043e\u043b\u0443\u0447\u0435\u043d \u0432 {4}), \n\u0435\u0441\u043b\u0438 \u0441\u0435\u0430\u043d\u0441 \u043d\u0435 \u0431\u0443\u0434\u0435\u0442 \u0443\u043d\u0438\u0447\u0442\u043e\u0436\u0435\u043d. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = URL-\u0430\u0434\u0440\u0435\u0441, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u0431\u044b\u043b\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430, \u0431\u044b\u043b \u043f\u043e\u043c\u0435\u0447\u0435\u043d \u043a\u0430\u043a \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u0432\u0445\u043e\u0434\u0430 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443. 
ascanbeta.sessionidexpiry.browserclose = \u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0437\u0430\u043a\u0440\u044b\u0442\u044c -ascanbeta.sessionidexpiry.desc = \u041a\u0443\u043a\u0438-\u0444\u0430\u0439\u043b \u0441 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u043e\u043c \u0441\u0435\u0430\u043d\u0441\u0430 (Session Id cookie), \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0439 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \n(\u043a\u043e\u0433\u0434\u0430 URL-\u0430\u0434\u0440\u0435\u0441 \u0438\u0437\u043c\u0435\u043d\u0435\u043d \u043f\u0443\u0442\u0435\u043c \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u043f\u043e\u043b\u044f \u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 \u043d\u0430 NULL), \n\u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043a\u0430\u043a \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0439 \u0432 \u0442\u0435\u0447\u0435\u043d\u0438\u0435 \u0434\u043b\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0435\u0440\u0438\u043e\u0434\u0430 \u0432\u0440\u0435\u043c\u0435\u043d\u0438.\n\n\u042d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u043e \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c, \n\u0435\u0441\u043b\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0437\u0430\u0431\u0443\u0434\u0435\u0442 \u0432\u044b\u0439\u0442\u0438 \u0438\u0437 \u0441\u0438\u0441\u0442\u0435\u043c\u044b, \n\u0435\u0441\u043b\u0438 \u0444\u0443\u043d\u043a\u0446\u0438\u044f \u0432\u044b\u0445\u043e\u0434\u0430 \u043d\u0435 \u043f\u0440\u0438\u0432\u0435\u0434\u0435\u0442 \u043a \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u043c\u0443 
\u0443\u043d\u0438\u0447\u0442\u043e\u0436\u0435\u043d\u0438\u044e \u0441\u0435\u0430\u043d\u0441\u0430 \n\u0438\u043b\u0438 \u0435\u0441\u043b\u0438 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 \u0431\u0443\u0434\u0435\u0442 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d \u043a\u0430\u043a\u0438\u043c-\u043b\u0438\u0431\u043e \u0434\u0440\u0443\u0433\u0438\u043c \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u043c. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = \u0421\u0440\u043e\u043a \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u0430 \u0441\u0435\u0430\u043d\u0441\u0430 / \u043c\u0430\u043a\u0441\u0438\u043c\u0430\u043b\u044c\u043d\u044b\u0439 \u0432\u043e\u0437\u0440\u0430\u0441\u0442 \u0441\u043b\u0438\u0448\u043a\u043e\u043c \u0432\u0435\u043b\u0438\u043a #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
-ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u044b cookie 'Expire' \u0438\u043b\u0438 'Max-Age' \u043f\u0440\u0438 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435 cookie, \n\u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0435\u0433\u043e \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430, \n\u0447\u0442\u043e\u0431\u044b \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442\u044c \u0435\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u044c \u0432 \u0442\u0435\u0447\u0435\u043d\u0438\u0435 \u0434\u043b\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0445 \u043f\u0435\u0440\u0438\u043e\u0434\u043e\u0432 \u0432\u0440\u0435\u043c\u0435\u043d\u0438.\n\n2) \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0444\u0443\u043d\u043a\u0446\u0438\u044f \u0432\u044b\u0445\u043e\u0434\u0430 \u0438\u0437 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0438 \u0447\u0442\u043e \u043e\u043d\u0430 \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u0440\u0430\u0437\u0440\u0443\u0448\u0430\u0435\u0442 \u0441\u0435\u0430\u043d\u0441.\n\n3) \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0434\u0440\u0443\u0433\u0438\u0435 \u043f\u0440\u0435\u0432\u0435\u043d\u0442\u0438\u0432\u043d\u044b\u0435 \u043c\u0435\u0440\u044b, \u0447\u0442\u043e\u0431\u044b \u0433\u0430\u0440\u0430\u043d\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c, \u0447\u0442\u043e, \u0435\u0441\u043b\u0438 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u043d, \u043e\u043d \u043d\u0435 
\u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d. ascanbeta.sessionidexpiry.timeexpired = \u0418\u0441\u0442\u0435\u043a\u0448\u0438\u0439 ascanbeta.sessionidexpiry.timelessthanonehour = \u041c\u0435\u043d\u0435\u0435 \u043e\u0434\u043d\u043e\u0433\u043e \u0447\u0430\u0441\u0430 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = \u0411\u043e\u043b\u0435\u0435 \ ascanbeta.sessionidexposedinurl.alert.attack = {0} \u043f\u043e\u043b\u0435\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} \u043f\u043e\u043b\u0435 [{1}] \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u0439 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = URL-\u0430\u0434\u0440\u0435\u0441, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u0431\u044b\u043b\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430, \u0431\u044b\u043b \u043f\u043e\u043c\u0435\u0447\u0435\u043d \u043a\u0430\u043a \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u0432\u0445\u043e\u0434\u0430 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. 
#Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = \u041e\u0442\u043a\u0440\u044b\u0442\u044b\u0439 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0431\u043e\u043b\u0435\u0435 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0443\u044e \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u044e \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0441\u0435\u0430\u043d\u0441\u043e\u043c, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0449\u0443\u044e \u0444\u0430\u0439\u043b\u044b cookie \u0441\u0435\u0430\u043d\u0441\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043d\u0435 \u0442\u0430\u043a \u043b\u0435\u0433\u043a\u043e \u043f\u0435\u0440\u0435\u0434\u0430\u0442\u044c \u043d\u0435\u043f\u0440\u0435\u0434\u043d\u0430\u043c\u0435\u0440\u0435\u043d\u043d\u043e \u0438 \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043e\u0431\u044b\u0447\u043d\u043e \u043d\u0435 \u043e\u0442\u043e\u0431\u0440\u0430\u0436\u0430\u044e\u0442\u0441\u044f \u0432 \u0444\u0430\u0439\u043b\u0430\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0438\u043b\u0438 \u0437\u0430\u043a\u043b\u0430\u0434\u043a\u0430\u0445 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430. ascanbeta.sessionidsentinsecurely.alert.attack = {0} \u043f\u043e\u043b\u0435\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 {0} \u043f\u043e\u043b\u0435 [{1}], \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 [{2}] \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043e \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c. 
+ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = URL-\u0430\u0434\u0440\u0435\u0441, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u043e\u043c \u0431\u044b\u043b\u0430 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430, \u0431\u044b\u043b \u043f\u043e\u043c\u0435\u0447\u0435\u043d \u043a\u0430\u043a \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u0432\u0445\u043e\u0434\u0430 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = \u0414\u043b\u044f \u0444\u0430\u0439\u043b\u0430 cookie \u0441\u0435\u0430\u043d\u0441\u0430, \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c, \u043d\u0435 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d \u0444\u043b\u0430\u0433 \u00ab\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439\u00bb (secure). -ascanbeta.sessionidsentinsecurely.desc = \u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c. \n\u0412 \u0441\u043b\u0443\u0447\u0430\u0435 \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0444\u0430\u0439\u043b\u0430 cookie \u0432 \u0437\u0430\u043f\u0440\u043e\u0441\u0435 \u044d\u0442\u043e \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u043f\u0440\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0438 HTTP, \u0430 \u043d\u0435 HTTPS. 
\n\u0412 \u0441\u043b\u0443\u0447\u0430\u0435 \u0444\u0430\u0439\u043b\u0430 cookie, \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \u0432 \u043e\u0442\u0432\u0435\u0442 \n(\u043a\u043e\u0433\u0434\u0430 URL-\u0430\u0434\u0440\u0435\u0441 \u0438\u0437\u043c\u0435\u043d\u0435\u043d \u043f\u0443\u0442\u0435\u043c \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 \u043f\u043e\u043b\u044f \u0443\u043a\u0430\u0437\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 \u0432 NULL), \n\u0444\u043b\u0430\u0433 'secure' \u043d\u0435 \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442\u0441\u044f, \u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c cookie \u043f\u043e\u0437\u0436\u0435 \u0447\u0435\u0440\u0435\u0437 HTTP, \u0430 \u043d\u0435 \u0447\u0435\u0440\u0435\u0437 HTTPS. \n\u042d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043f\u0430\u0441\u0441\u0438\u0432\u043d\u043e\u043c\u0443 \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u0447\u0438\u043a\u0443 \u0441\u0435\u0442\u0435\u0432\u043e\u0433\u043e \u043f\u0443\u0442\u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043f\u043e\u043b\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0441\u0435\u0430\u043d\u0441\u0443 \u0436\u0435\u0440\u0442\u0432\u044b. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = \u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 (ID) \u043f\u0435\u0440\u0435\u0434\u0430\u043d \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u044e\u044e \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0443\u044e \u0432\u0435\u0440\u0441\u0438\u044e SSL / TLS (\u0434\u043b\u044f HTTPS) \u0434\u043b\u044f \u0432\u0441\u0435\u0445 \u0441\u0442\u0440\u0430\u043d\u0438\u0446, \n\u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442\u0441\u044f \u043c\u0435\u0436\u0434\u0443 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u043c \u0438 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c.\n2) \u041d\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0439\u0442\u0435 \u043f\u0440\u0438\u043d\u0443\u0434\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u043f\u0435\u0440\u0435\u043a\u043b\u044e\u0447\u0430\u0442\u044c\u0441\u044f \u043d\u0430 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b HTTP.\n3) \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0444\u043b\u0430\u0433 \u00ab\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439\u00bb 
('secure') \u043f\u0440\u0438 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0435 \u0444\u0430\u0439\u043b\u0430 cookie, \n\u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0435\u0433\u043e \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0430, \n\u0447\u0442\u043e\u0431\u044b \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0442\u0438\u0442\u044c \u0435\u0433\u043e \u043f\u043e\u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0443\u044e \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0443 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u043c \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u043e\u043c.\n4) \u041f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u044f\u0439\u0442\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u043d\u0435\u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u043e\u0439 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b HTTP \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443, \n\u044d\u043a\u0432\u0438\u0432\u0430\u043b\u0435\u043d\u0442\u043d\u0443\u044e \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u043e\u043c\u0443 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0443 HTTPS. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. 
-ascanbeta.shellshock.desc = \u041d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u0432\u0435\u0440\u0441\u0438\u044f \u043e\u0431\u043e\u043b\u043e\u0447\u043a\u0438 Bash, \n\u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434. +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. ascanbeta.shellshock.extrainfo = \u0418\u0437 CVE-2014-6271\: GNU Bash \u0447\u0435\u0440\u0435\u0437 4.3 \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u0435\u0442 \u043a\u043e\u043d\u0435\u0447\u043d\u044b\u0435 \u0441\u0442\u0440\u043e\u043a\u0438 \u043f\u043e\u0441\u043b\u0435 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0439 \u0444\u0443\u043d\u043a\u0446\u0438\u0439 \u0432 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f\u0445 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 \u0441\u0440\u0435\u0434\u044b,\n\u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0447\u0435\u0440\u0435\u0437 \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u0443\u044e \u0441\u0440\u0435\u0434\u0443,\n\u043a\u0430\u043a \u043f\u043e\u043a\u0430\u0437\u0430\u043d\u043e \u0432\u0435\u043a\u0442\u043e\u0440\u0430\u043c\u0438, 
\u0432\u043a\u043b\u044e\u0447\u0430\u044e\u0449\u0438\u043c\u0438 \u0444\u0443\u043d\u043a\u0446\u0438\u044e ForceCommand \u0432 OpenSSH sshd,\n\u043c\u043e\u0434\u0443\u043b\u0438 mod_cgi \u0438 mod_cgid \u043d\u0430 HTTP-\u0441\u0435\u0440\u0432\u0435\u0440\u0435 Apache, \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0438, \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u043c\u044b\u0435 \u043d\u0435\u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u043c\u0438 DHCP-\u043a\u043b\u0438\u0435\u043d\u0442\u0430\u043c\u0438,\n\u0438 \u0434\u0440\u0443\u0433\u0438\u0435 \u0441\u0438\u0442\u0443\u0430\u0446\u0438\u0438, \n\u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 \u0441\u0440\u0435\u0434\u044b \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u0447\u0435\u0440\u0435\u0437 \u0433\u0440\u0430\u043d\u0438\u0446\u0443 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0439 \u0438\u0437 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f Bash,\n\u043e\u043d \u0436\u0435 ShellShock. \n\n\u041f\u0420\u0418\u041c\u0415\u0427\u0410\u041d\u0418\u0415\: \n\u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0435 \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u044d\u0442\u043e\u0439 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u044b \u0431\u044b\u043b\u043e \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u044b\u043c; \nCVE-2014-7169 \u0431\u044b\u043b\u0430 \u043d\u0430\u0437\u043d\u0430\u0447\u0435\u043d\u0430 \u0434\u043b\u044f \u0437\u0430\u0449\u0438\u0442\u044b \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \n\u043a\u043e\u0442\u043e\u0440\u0430\u044f \u0432\u0441\u0435 \u0435\u0449\u0435 \u043f\u0440\u0438\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u043f\u043e\u0441\u043b\u0435 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0433\u043e \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f. 
ascanbeta.shellshock.name = \u0423\u0434\u0430\u043b\u0435\u043d\u043d\u043e\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0430 - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = \u041e\u0431\u043d\u043e\u0432\u0438\u0442\u0435 Bash \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0434\u043e \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438 +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = \u0421 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0430\u0442\u0430\u043a\u0438 \u0431\u044b\u043b\u0430 \u0432\u044b\u0437\u0432\u0430\u043d\u0430 \u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0430 \u0437\u0430\u0434\u0435\u0440\u0436\u043a\u0430 \u0432 [{0}] \u043c\u0438\u043b\u043b\u0438\u0441\u0435\u043a\u0443\u043d\u0434\u044b. ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. 
ascanbeta.sourcecodedisclosure.gitbased.evidence = \u0418\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 \u0434\u043b\u044f [{0}] \u0431\u044b\u043b \u0438\u0437\u0432\u043b\u0435\u0447\u0435\u043d \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0444\u0430\u0439\u043b\u044b \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0445 Git \u043d\u0435 \u0440\u0430\u0437\u0432\u0435\u0440\u043d\u0443\u0442\u044b \u043d\u0430 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0438\u043b\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439. +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = \u0412\u044b\u0432\u043e\u0434 \u0434\u043b\u044f \u0438\u043c\u0435\u043d\u0438 \u0444\u0430\u0439\u043b\u0430 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 [{0}] \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u043e\u0442\u043b\u0438\u0447\u0430\u0435\u0442\u0441\u044f \u043e\u0442 \u0432\u044b\u0432\u043e\u0434\u0430 \u0441\u043b\u0443\u0447\u0430\u0439\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 [{1}] \u043d\u0430 [{2}%] \u043f\u043e \u0441\u0440\u0430\u0432\u043d\u0435\u043d\u0438\u044e \u0441 \u043f\u043e\u0440\u043e\u0433\u043e\u0432\u044b\u043c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\u043c [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = \u041e\u0442\u043a\u0440\u044b\u0442\u044b\u0439 \u0438\u0441\u043a\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 - \u0414\u043e\u0431\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0444\u0430\u0439\u043b\u0430 ascanbeta.sourcecodedisclosure.svnbased.extrainfo = \u0418\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 \u0434\u043b\u044f [{0}] \u0431\u044b\u043b \u043d\u0430\u0439\u0434\u0435\u043d [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0444\u0430\u0439\u043b\u044b \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u043d\u044b\u0445 SVN \u043d\u0435 \u0440\u0430\u0437\u0432\u0435\u0440\u043d\u0443\u0442\u044b \u043d\u0430 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0438\u043b\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439. 
+ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = \u041d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 PHP, \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u043d\u044b\u0435 \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c CGI, \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u044e\u0442 \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430, \u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u043d\u0435\u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0438\u043c\u0432\u043e\u043b \u00ab\=\u00bb, \u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0440\u0430\u0441\u043a\u0440\u044b\u0432\u0430\u0442\u044c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u0439 \u043a\u043e\u0434 PHP \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434. \u0412 \u044d\u0442\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0444\u0430\u0439\u043b\u0430 PHP \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u043b\u043e\u0441\u044c \u043d\u0435\u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0435\u043d\u043d\u043e \u0432 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440. 
\u042d\u0442\u043e\u0442 \u0432\u044b\u0432\u043e\u0434 \u043e\u0431\u044b\u0447\u043d\u043e \u0431\u0443\u0434\u0435\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c PHP, \u0445\u043e\u0442\u044f \u043e\u043d \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0436\u0435\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c \u043f\u0440\u043e\u0441\u0442\u043e\u0439 HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = \u0423\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 [{0}]\: \u043f\u043e\u043b\u0435[{1}] \u0438 \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u043d\u0438\u0435 \u0432\u044b\u0432\u043e\u0434\u0430 -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 [{1}] \u0434\u0430\u0435\u0442 \u0443\u0442\u0435\u0447\u043a\u0443 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043e \u0442\u043e\u043c, \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u043b\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c. \n\u0420\u0430\u0437\u043b\u0438\u0447\u0438\u044f [{5}] \u0432 \u0432\u044b\u0432\u043e\u0434\u0435 \u0434\u043b\u044f \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u0438\u0441\u0445\u043e\u0434\u043d\u043e\u0433\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u0438\u043c\u0435\u043d\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f [{2}]\n \u0438 \u043d\u0435\u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u043e\u0433\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u0438\u043c\u0435\u043d\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f [{3}]\:\n[{4}] -ascanbeta.usernameenumeration.desc = \u041c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u0447\u0438\u0441\u043b\u0438\u0442\u044c \u0438\u043c\u0435\u043d\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 
\u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u0445 HTTP-\u043e\u0442\u0432\u0435\u0442\u043e\u0432, \n\u043a\u043e\u0433\u0434\u0430 \u0443\u043a\u0430\u0437\u0430\u043d\u044b \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u0438 \u043d\u0435\u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u044b\u0435 \u0438\u043c\u0435\u043d\u0430 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439. \n\u042d\u0442\u043e \u0437\u043d\u0430\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u0443\u0432\u0435\u043b\u0438\u0447\u0438\u043b\u043e \u0431\u044b \u0432\u0435\u0440\u043e\u044f\u0442\u043d\u043e\u0441\u0442\u044c \u0443\u0441\u043f\u0435\u0445\u0430 \u0430\u0442\u0430\u043a \u043d\u0430 \u0441\u0438\u0441\u0442\u0435\u043c\u0443 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u043e\u0434\u0431\u043e\u0440\u0430 \u043f\u0430\u0440\u043e\u043b\u044f. \n\u041e\u0431\u0440\u0430\u0442\u0438\u0442\u0435 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435, \u0447\u0442\u043e \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u043e \u043b\u043e\u0436\u043d\u044b\u0445 \u0441\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u043d\u0438\u0439 \u0438\u043d\u043e\u0433\u0434\u0430 \u043c\u043e\u0436\u043d\u043e \u043c\u0438\u043d\u0438\u043c\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u0442\u044c, \u0443\u0432\u0435\u043b\u0438\u0447\u0438\u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 \u00ab\u0421\u0438\u043b\u0430 \u0430\u0442\u0430\u043a\u0438\u00bb ('Attack Strength') \u0432 ZAP. 
\n\u041f\u043e\u0436\u0430\u043b\u0443\u0439\u0441\u0442\u0430, \u043f\u0440\u043e\u0432\u0435\u0440\u044c\u0442\u0435 \u0432\u0440\u0443\u0447\u043d\u0443\u044e \u043f\u043e\u043b\u0435 \u00ab\u0414\u0440\u0443\u0433\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f\u00bb ('Other Info' ), \n\u0447\u0442\u043e\u0431\u044b \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u0442\u044c, \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u043e \u043b\u0438 \u044d\u0442\u043e \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = \u0412\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u043f\u0435\u0440\u0435\u0447\u0438\u0441\u043b\u0435\u043d\u0438\u0435 \u0438\u043c\u0435\u043d \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = \u041d\u0435 \u0440\u0430\u0437\u0433\u043b\u0430\u0448\u0430\u0439\u0442\u0435 \u043f\u043e\u0434\u0440\u043e\u0431\u043d\u043e\u0441\u0442\u0438 \u0442\u043e\u0433\u043e, \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u043b\u0438 \u0438\u043c\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u043c \u0438\u043b\u0438 \u043d\u0435\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u043c. 
\n\u0412 \u0447\u0430\u0441\u0442\u043d\u043e\u0441\u0442\u0438, \u0432 \u0441\u043b\u0443\u0447\u0430\u0435 \u043d\u0435\u0443\u0434\u0430\u0447\u043d\u044b\u0445 \u043f\u043e\u043f\u044b\u0442\u043e\u043a \u0432\u0445\u043e\u0434\u0430 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443 \u043d\u0435 \u0434\u0435\u043b\u0430\u0439\u0442\u0435 \u0440\u0430\u0437\u043b\u0438\u0447\u0438\u0439 \u043c\u0435\u0436\u0434\u0443 \u043d\u0435\u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u044b\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0438 \u043d\u0435\u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u044b\u043c \u043f\u0430\u0440\u043e\u043b\u0435\u043c \u0432 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0438 \u043e\u0431 \u043e\u0448\u0438\u0431\u043a\u0435, \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u043c \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430\u0445 HTTP \u0438\u043b\u0438 \u043b\u043e\u0433\u0438\u043a\u0435 \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_si_LK.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_si_LK.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_si_LK.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_si_LK.properties 
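Review bot: in the hunk above (the one preceding the Messages_si_LK.properties header), replacing the Russian values of `ascanbeta.usernameenumeration.alert.attack`, `.alert.extrainfo` and `.desc` with the English source text, while `.name` and `.soln` in the same hunk keep their Russian translations, leaves this alert half-translated at runtime. If the intent is to fall back to the default bundle for these three strings, removing the keys from the locale file (so the value from the base `Messages.properties` is used) is the cleaner change than copying English text into it; if the intent is to drop the translation, the remaining Russian keys should go as well. Separately, the unchanged context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself ("prior to ... or newer") and is worth correcting in the same pass.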
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
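Review bot: the `ascanbeta.cookieslack.affect.response.no` and `.yes` lines are removed and re-added with identical visible text, so the change there can only be trailing whitespace or line endings; please confirm it is intentional and say so in the commit message, since it is invisible in review. The punctuation pass is also uneven within this hunk: `ascanbeta.HTTPParamPoll.sol` and `ascanbeta.backupfiledisclosure.desc` gain a terminal period, but the context line `ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}]` still has none.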
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
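Review bot: both `ascanbeta.crossdomain.adobe.desc` and `ascanbeta.crossdomain.adobe.read.extrainfo` are replaced by lines with identical visible content, so this hunk is whitespace-only; fine if deliberate, but it should be stated. The unchanged `ascanbeta.crossdomain.adobe.read.soln` context line reads `... allowed to make cross-domain read requests to this web server, using .` with nothing named after "using"; unless that is a rendering artifact of this page, the directive name is missing from the file and the sentence needs completing.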
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
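Review bot: the new `ascanbeta.httpoxy.desc` line adds a terminal period but keeps `request.Httpoxy` with no space after the first sentence, and "CGI like" should be hyphenated ("CGI-like"); since the line is being touched anyway, fix both. `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` are again identical before and after, so those two changes are whitespace-only. In the trailing context, `ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource.` is a comma splice with a capitalised "It"; splitting it into two sentences would match the style being applied elsewhere.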
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
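Review bot: dropping the doubled period at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is right, but the line is still a comma splice ("It is now most commonly used in REST services, PUT is most-often utilized ..."); suggest "It is now most commonly used in REST services. PUT is most often used for **update** capabilities, ...". The `ascanbeta.insecurehttpmethod.patch.exploitable.desc` context line has the same construction ("REST services, PATCH is used") and could be fixed alongside it.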
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
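Review bot: all four `ascanbeta.integeroverflow.error1` to `error4` lines are removed and re-added with identical visible text, so this hunk is whitespace-only (most likely trailing spaces). That is harmless, but if the repository's formatting check does not already strip trailing whitespace in these properties files, adding that would keep no-op hunks like this one out of future translation diffs.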
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
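Review bot: the new `ascanbeta.proxydisclosure.desc` value changes the first list item to `\n- A list of targets` but leaves the second and third as `\n - Potential vulnerabilities` and `\n - The presence`, so the bullets within one alert description are now indented inconsistently; use one form for all three. In `ascanbeta.relativepathconfusion.soln`, the new line reads `the correct use of the "" HTML tag`, with empty quotes where a tag name should be, and the context lines `ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag` and `.nobasetag` likewise say "More than one tag" / "No tag was specified in the HTML tag" without naming the tag; if that is the file content and not a rendering artifact of this page, these alert texts are broken (the key names point at the base tag) and the missing tag name needs restoring.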
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
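Review bot: `+ascanbeta.sessionidsentinsecurely.alert.extrainfo` is rewritten but still starts in lower case (`session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism.`), and the unchanged `ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage` directly under it keeps `The url`; if the point of this change is consistent punctuation and casing, capitalise `Session identifier` here and `URL` there in the same pass. The `-`/`+` pair for `ascanbeta.sessionidsentinsecurely.desc` shows identical text, so that one is a whitespace-only change that will churn again on the next localization sync unless the source file was fixed too. Minor: `ascanbeta.shellshock.ref` is the only `.ref` key in this block where every neighbour uses `.refs`; presumably that is what the rule looks up, but it is worth confirming the two are not out of step.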
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sk_SK.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sk_SK.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sk_SK.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sk_SK.properties 
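Review bot: For `+ascanbeta.usernameenumeration.alert.extrainfo` in the @@ -243 hunk of the preceding file, the added period lands after the placeholder (`... are\:\n[{4}].`), and `{4}` is filled with the captured output differences, which can span several lines and end however the response text ends; a stray `.` after that block reads worse than no period, so leave that line as it was. In the same hunk the unchanged context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself (`prior to ... or newer`); since the file is being touched for wording anyway, `Upgrade Apache Commons Text to version 1.10.0 or newer.` is the advice the message is trying to give.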
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
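Review bot: `+ascanbeta.cookieslack.session.destroyed` only drops the trailing space before `\n`, but the message still runs the placeholder straight into the next sentence: `...invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response...`; while the line is being edited, put a period or line break after `[{0}]`. Also, this is the `Messages_sk_SK.properties` locale file and the strings in it are the untranslated English source text, so make sure the same wording changes are in the add-on's base `Messages.properties`, otherwise the next localization sync will overwrite them. Minor: `ascanbeta.HTTPParamPoll.sol` is the one `.sol` key among `.soln` keys; fine if that is what the rule reads, but worth a glance.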
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
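Review bot: `+ascanbeta.httpoxy.desc` gains a period on the last bullet but keeps the missing space in `...Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.`; fix `request. Httpoxy` in the same edit. The new period also terminates only the third bullet (`* Tie up server resources by forcing the vulnerable software to use a malicious proxy.`) while the first two stay unterminated, so either punctuate all three items or none. The `-`/`+` pairs for `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` show identical text, i.e. whitespace-only changes.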
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
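Review bot: `+ascanbeta.insecurehttpmethod.put.exploitable.desc` fixes the double period at the end but leaves the comma splice in the middle: `It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, ...`; split it as `... used in REST services. PUT is most often used for ...`. The neighbouring context line `ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource.` has the same splice plus a capital `It` after the comma, and could be fixed in the same change.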
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
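Review bot: the new `ascanbeta.proxydisclosure.desc` value is internally inconsistent: the first list item becomes `\n- A list of targets...` while the next two remain `\n - Potential vulnerabilities...` and `\n - The presence or absence...`, so the rendered alert shows one unindented bullet and two indented ones; drop the leading space on all three or keep it on all three. Joining `ascanbeta.proxydisclosure.extrainfo.traceenabled` onto one line is the right fix, since in a `.properties` file a physical line break without a trailing `\` ends the value and turns the continuation `This method leaks...` into a stray key. Separately, both the old and new `ascanbeta.relativepathconfusion.soln` read `the correct use of the "" HTML tag` with nothing between the quotes, and the `extrainfo.morethanonebasetag` / `extrainfo.nobasetag` messages read `More than one tag was specified in the HTML tag` / `No tag was specified in the HTML tag`; confirm the element names (the `<base>` element, going by the key names) are actually present in the file and have not been lost to escaping.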
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
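Review bot: the two-line shrink in the header (`-160,27 +160,25`) comes from deleting the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys, but the comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` above each is kept and now refers to nothing; remove the comments together with the keys, or keep the keys. Note the behavioural side effect with standard `ResourceBundle` lookup: an empty value in a locale file overrides the base bundle with an empty string, whereas a missing key falls through to the parent bundle, so the reference text shown for these two rules in this locale may change; confirm that is intended. Also, the new `ascanbeta.sessionidexpiry.desc` line as shown breaks after `valid for an excessive period of time.` with `This may be exploitable by an attacker...` on the following line, the same shape as the `traceenabled` split this patch fixes elsewhere; verify the value is on one physical line (or ends with a `\` continuation) in the file. `7)Switch` in `ascanbeta.sessionfixation.soln` is still missing the space that items 1) to 6) have.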
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sl_SI.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sl_SI.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sl_SI.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sl_SI.properties 
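Review bot: `ascanbeta.usernameenumeration.alert.extrainfo` now ends with `are\:\n[{4}].`, which puts a period directly after a placeholder that is filled with the raw, possibly multi-line, response differences, so the rendered text ends in a stray `.` after the diff; leave the period off after `[{4}]`. Same check as in the previous hunk for the new `ascanbeta.sessionidsentinsecurely.desc`, which as shown breaks after `via HTTP rather than via HTTPS.` with `This may allow a passive eavesdropper...` on the next line: confirm it is one physical line in the file. While here, the untouched context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` is garbled (`prior to` should be `to`), and this punctuation pass touches the line right next to it.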
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
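Review bot: `ascanbeta.cookieslack.session.destroyed` still reads `...invalidated the session\: [{0}] A follow-on request...` with no punctuation between the placeholder and the next sentence, which is the same class of fix this patch is making (`[{0}]. A follow-on request`); the edit here only strips the space before `\n`. The `HTTPParamPoll.sol` and `backupfiledisclosure.desc` changes only add a trailing period and are fine. More generally, this is `Messages_sl_SI.properties` carrying English strings; if these fallbacks are regenerated from the translation source, the punctuation fixes must also land in the base `Messages.properties` or they will be overwritten on the next import.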
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
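Review bot: the new `ascanbeta.crossdomain.adobe.read.extrainfo` as shown breaks after `served from any third party domain, to this domain.` with `If the victim user is logged into this service...` on the next line; in a `.properties` file that only survives if the line ends with a `\` continuation, otherwise `If` becomes a key and the alert loses the rest of its text, so verify the physical line. `ascanbeta.crossdomain.adobe.desc` is replaced with identical visible text (whitespace only). The adjacent `adobe.read.soln` context line shows `cross-domain read requests to this web server, using .` with whatever element or attribute name was quoted there missing before the period; confirm it is intact in the file and not lost to angle-bracket stripping.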
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
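Review bot: the rewritten ascanbeta.httpoxy.desc still has no space after its first sentence ("of the request.Httpoxy typically affects"), so the line is touched only to add a trailing period while the more visible defect stays; insert the space ("of the request. Httpoxy typically affects") and consider "CGI-like" for "CGI like" in the same pass. In the unchanged ascanbeta.httpsashttp.soln context of this hunk, "web server, application server, load balancer, etc. is configured" has a plural subject, so "are configured".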
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
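Review bot: the rewritten ascanbeta.insecurehttpmethod.put.exploitable.desc drops the doubled period but keeps the comma splice "used in REST services, PUT is most-often utilized", and both it and the patch.exploitable.desc context carry Markdown-style "**update**" / "**modify**"; unless the alert view renders Markdown, the asterisks show literally. Suggest "It is now most commonly used in REST services. PUT is most often used for update capabilities, ..." and dropping the asterisks in both strings.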
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
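Review bot: the updated ascanbeta.proxydisclosure.desc removes the leading space before the first bullet ("\n- A list of targets") but leaves it on the next two ("\n - Potential vulnerabilities", "\n - The presence or absence"), so the three items now render with different indentation; strip the space from all three or restore it on the first. The trailing "\n" at the end of the unchanged ascanbeta.proxydisclosure.soln context adds a blank line to the rendered solution and could go in the same pass.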
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
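Review bot: removing the empty ascanbeta.sessionidaccessiblebyjavascript.refs= and ascanbeta.sessionidexpiry.refs= keys leaves the comment kept directly above each, "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..", pointing at nothing; either drop the comment together with the key or keep the key. Since this is a locale file a missing key falls back to the default bundle rather than failing, but please confirm the base Messages.properties was handled the same way. Also in this hunk: the rewritten ascanbeta.sessionfixation.soln still reads "7)Switch" (items 1 to 6 have a space after the number), the new ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo gains a period but still begins lowercase ("session identifier {0} field"), and the "url" to "URL" change is not applied to the identical ascanbeta.sessionidexpiry.alert.extrainfo.loginpage context line just below it.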
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
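Review bot: the ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage context line in this hunk ("The url on which the issue was discovered") is the same string that was capitalised to "URL" in the sessionidaccessiblebyjavascript hunk; apply the same change here so the loginpage strings match across rules. Otherwise the hunk only strips trailing whitespace.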
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
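Review bot: the punctuation pass is uneven within this hunk: ascanbeta.shellshock.soln and the two sourcecodedisclosure .soln lines gain terminating periods, while the neighbouring evidence/extrainfo strings ("was extracted using [{1}]", "was found at [{1}]", "compared to a threshold of [{3}%]") and the re-emitted ascanbeta.sessionidsentinsecurely.alert.extrainfo (which also still starts lowercase, "session identifier {0} field") do not; decide one rule for strings ending in a placeholder and apply it throughout. The ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage context line still reads "The url on which", same fix as in the earlier hunk. The unchanged ascanbeta.shellshock.ref key is the only singular ".ref" among the ".refs" keys visible in this diff; renaming it needs a matching code change, so flag it rather than fix it here.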
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sq_AL.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sq_AL.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sq_AL.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sq_AL.properties 
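Review bot: the period appended to ascanbeta.usernameenumeration.alert.extrainfo comes after "\n[{4}]", so it follows whatever multi-line diff output is substituted for {4} and will render as a stray "." on its own; drop it (or end the sentence before the colon instead). In the same hunk ascanbeta.usernameenumeration.alert.attack ("and monitor the output") is re-emitted without a period, so the rule is applied unevenly. The unchanged ascanbeta.text4shell.soln context, "Upgrade Apache Commons Text prior to version 1.10.0 or newer.", contradicts itself ("prior to" versus "or newer"); while the file is being touched, "Upgrade Apache Commons Text to version 1.10.0 or newer." would fix it.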
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
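Review bot: `ascanbeta.cookieslack.session.destroyed` still runs two sentences together at `[{0}] A follow-on request`; since this hunk is adding terminal punctuation elsewhere, change it to `[{0}]. A follow-on request ...` in the same edit, and give `ascanbeta.cookieslack.session.warning` the matching `[{0}].` ending. The `+` lines for `cookieslack.affect.response.no`/`.yes` differ from the `-` lines only by trailing whitespace after `\:`, so nothing else changes there.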
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
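Review bot: all three `+` lines in this hunk are byte-for-byte the `-` lines minus trailing whitespace, so this is a whitespace-only cleanup; the unchanged `ascanbeta.crossdomain.adobe.read.soln` context, however, ends with `using .`, i.e. whatever was meant to follow `using` is absent, and the string should either name the `crossdomain.xml` element it refers to or drop the dangling `using`. Note also that `Messages_sq_AL.properties` carries these strings in English: if locale files are imported from the translation platform, hand edits here are overwritten on the next import and should be made upstream instead.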
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
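Review bot: `ascanbeta.httpoxy.desc` gains a terminal period but keeps `of the request.Httpoxy typically`, a missing space after the first sentence; fix both in this edit (`of the request. Httpoxy typically ...`). In the trailing context, `ascanbeta.insecurehttpmethod.delete.exploitable.desc` reads `used in REST services, It is used to delete a resource.`, a comma splice with a capitalised `It`; split it into two sentences.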
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
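Review bot: `ascanbeta.insecurehttpmethod.put.exploitable.desc` drops the doubled period but leaves the comma splice `used in REST services, PUT is most-often utilized`; make it two sentences (`... REST services. PUT is most often used for update operations, ...`). The `**update**` and `**modify**` markdown emphasis in the `put` and `patch` strings shows up as literal asterisks wherever the alert description is rendered as plain text; plain `update` / `modify` is safer in a properties string.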
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
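Review bot: the four `ascanbeta.integeroverflow.error1..4` `+` lines change only by trailing whitespace. If these strings are being touched anyway, they differ only in the final words (`random integers`, `zeros`, `ones`, `nines`) and could be one parameterised key in the source file (`Potential Integer Overflow. Status code changed on the input of a long string of {0}.`), which is one string to translate instead of four; and `ascanbeta.integeroverflow.desc` would read more clearly as `... an integer used in a compiled program is driven beyond its range limits because the input value was not checked.`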
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
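Review bot: the new `ascanbeta.proxydisclosure.desc` makes its bullet list inconsistent: the first item becomes `\n- A list of targets` (no leading space) while the next two stay `\n - Potential vulnerabilities` and `\n - The presence`, so the rendered list is misaligned; strip the space on all three or keep it on all three. Separately, the unchanged `ascanbeta.relativepathconfusion.soln` context says `the correct use of the "" HTML tag`, and `extrainfo.nobasetag` / `extrainfo.morethanonebasetag` read `No tag was specified in the HTML tag`; the key names say which element is meant, but the user-facing strings no longer name it, so confirm the element names survive in the source properties file, since without them the solution text is meaningless to the reader.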
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
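Review bot: removing the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys is right (an empty value in a locale bundle is found before the parent bundle is consulted, so it hides the default-locale references instead of falling back to them), but the `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` comment above each removed key is left behind and now describes nothing; drop it with the key. Two smaller consistency points in the `+` lines: `sessionfixation.soln` still has `7)Switch` without the space the other six items use, and `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed to `The URL on which` while the neighbouring `sessionidexpiry.alert.extrainfo.loginpage` context keeps `The url on which`; apply the same capitalisation to every `.loginpage` key.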
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
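Review bot: the `+` line for `ascanbeta.sessionidexposedinurl.desc` only strips trailing whitespace. The `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` comment in this hunk's trailing context is stale, since the `ascanbeta.sessionidexposedinurl.refs` key that follows it is populated with an OWASP URL; remove it. `sessionidexposedinurl.alert.extrainfo.loginpage` keeps the lowercase `The url on which` and should match whichever form the other `.loginpage` keys settle on.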
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sr_CS.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sr_CS.properties index b6c450c26ff..ec226169689 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sr_CS.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sr_CS.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Nepoznat ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
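Review bot: the context line for ascanbeta.sessionfixation.alert.cookie.extrainfo carries a stray space before the escaped colon in "[{1}] \: [{2}]", while the first half of the same value uses "[{0}]\: [{1}]" with no space; since this hunk is a whitespace and punctuation sweep of the same block, fold that fix in so the two halves of the message render consistently.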
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
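Review bot: the rewritten ascanbeta.sessionfixation.soln line still reads "7)Switch from a URL based..." with no space after "7)", unlike items 1) to 6), and "as the latter typically require additional vulnerabilities" should be "requires" since "the latter" refers to a single implementation. In the same hunk, removing the empty ascanbeta.sessionidaccessiblebyjavascript.refs= and ascanbeta.sessionidexpiry.refs= keys leaves the preceding "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future.." comments pointing at nothing; either drop those comments too or keep the keys. Also, "The url" was capitalised to "The URL" for sessionidaccessiblebyjavascript.alert.extrainfo.loginpage but left as "url" in ascanbeta.sessionidexpiry.alert.extrainfo.loginpage two lines later.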
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
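Review bot: the only change in this hunk is trailing whitespace, but two style points sit in its visible context: ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage still says "The url on which the issue was discovered", which the sessionidaccessiblebyjavascript hunk above changed to "URL", and the "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future.." comment immediately precedes an ascanbeta.sessionidexposedinurl.refs entry that does list URLs, so the comment is stale and should go.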
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
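Review bot: the "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future.." comment above ascanbeta.sessionidsentinsecurely.refs is stale here as well, since that key carries an OWASP URL, and ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage keeps the lowercase "The url" that was capitalised elsewhere in this change. Since the hunk adds terminal periods to shellshock.desc, shellshock.soln and the gitbased/svnbased soln strings, ascanbeta.shellshock.timingbased.evidence ("...was induced and detected") and ascanbeta.sourcecodedisclosure.gitbased.evidence ("...was extracted using [{1}]") are left as the odd ones out in the same block.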
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sr_SP.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sr_SP.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sr_SP.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_sr_SP.properties 
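Review bot: in the @@ -243,9 +241,9 hunk above, ascanbeta.usernameenumeration.alert.extrainfo now ends in "are\:\n[{4}]." so the added period lands directly after the {4} placeholder, which is filled with the rendered response differences, and will show up as a stray "." after that multi-line output; drop the period and keep "are\:\n[{4}]". The unchanged context line ascanbeta.text4shell.soln, "Upgrade Apache Commons Text prior to version 1.10.0 or newer.", contradicts itself ("prior to" versus "or newer"); while touching this block, "Upgrade Apache Commons Text to version 1.10.0 or newer." says what is meant.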
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
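Review bot: the rewritten ascanbeta.cookieslack.session.destroyed value still runs the placeholder straight into the next sentence, "[{0}] A follow-on request with all original cookies...", so the rendered cookie name and the sentence that follows have no separator; "[{0}]. A follow-on request" matches the period-terminated style this change is introducing. Likewise ascanbeta.backupfiledisclosure.otherinfo ("A backup of [{0}] is available at [{1}]") sits between two lines that gained a terminal period and did not get one.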
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
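Review bot: this hunk only strips trailing whitespace from the crossdomain.adobe lines, but the context line ascanbeta.cors.vuln.desc in the same region has "(e.g intranet websites)" and "(e.g XSS, support of HTTP without TLS...)" with "e.g" missing its second period, which is exactly the kind of punctuation fix the rest of this change makes; "e.g." in both places would keep the block consistent.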
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
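Review bot: the new ascanbeta.httpoxy.desc line keeps "...the HTTP Proxy header of the request.Httpoxy typically affects..." with no space after the period, so the sentence boundary is still broken in the rewritten text; it should read "of the request. Httpoxy typically affects". The same line adds a period only to the last bullet ("* Tie up server resources by forcing the vulnerable software to use a malicious proxy.") while the two preceding bullets end without one, which makes the bullet list inconsistent; either terminate all three or none.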
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
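Review bot: the rewritten ascanbeta.insecurehttpmethod.put.exploitable.desc fixes the double period but leaves the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities"; a period or semicolon after "REST services" reads correctly. The neighbouring context lines have the same construction, "REST services, PATCH is used for **modify** capabilities" in patch.exploitable.desc and "REST services, It is used to delete a resource" with a capitalised "It" after the comma in delete.exploitable.desc, and are worth fixing in the same pass.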
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
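Review bot: the four integeroverflow.error1 to error4 lines show no visible difference between the removed and added versions, so this is presumably a trailing-whitespace change; that is fine, but a whitespace-only hunk deserves a mention in the commit message so reviewers do not hunt for a wording change. While the file is open, the integeroverflow.desc context line ("extends beyond the range limits and has not been properly checked from the input stream") could be tightened, for example "exceeds the range of the integer type because the input was not properly checked".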
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
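Review bot: the new proxydisclosure.desc is internally inconsistent in its list formatting: the first item becomes "\n- A list of targets ..." (no space before the dash) while the next two keep "\n - Potential vulnerabilities ..." and "\n - The presence or absence ..."; use the same form for all three items. Also, in the added relativepathconfusion.soln line the quotes in 'the correct use of the "" HTML tag' are empty in the rendered diff, so confirm the tag name is actually present in the file and has not been lost.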
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
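Review bot: deleting the empty sessionidaccessiblebyjavascript.refs= and sessionidexpiry.refs= keys leaves the comment "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future.." standing over nothing in both places; either remove the comment together with the key or keep the key. The comment text suggests the code never reads these keys, so the removal should be safe at runtime, but that is worth confirming. Two smaller points in the same hunk: the reflowed sessionfixation.soln still has "7)Switch" without the space that items 1) to 6) have, and the "url" to "URL" fix applied to the sessionidaccessiblebyjavascript loginpage string is not applied to the sessionidexpiry one a few lines below ("The url on which the issue was discovered ...").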
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
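Review bot: the sessionidexposedinurl.desc line shows no visible change between the "-" and "+" versions, so this is presumably another whitespace-only edit. If the line is being rewritten anyway, the adjacent loginpage context line ("The url on which the issue was discovered was flagged as a logon page.") could receive the same "url" to "URL" capitalisation that the sessionidaccessiblebyjavascript variant gets elsewhere in this patch, so the loginpage strings stay consistent.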
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
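Review bot: terminal periods are added to shellshock.desc, shellshock.soln and the gitbased/svnbased soln strings, but neighbouring strings in the same hunk are left without one: "Using the attack, a delay of [{0}] milliseconds was induced and detected", "The source code for [{0}] was extracted using [{1}]" and "The source code for [{0}] was found at [{1}]". Either apply the period to all of them or leave evidence strings consistently unpunctuated, so the alert panel does not mix both styles.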
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_tr_TR.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_tr_TR.properties index abe13b40623..ca7040532ee 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_tr_TR.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_tr_TR.properties 
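Review bot: in the ascanrulesBeta @@ -243 hunk, the period added to usernameenumeration.alert.extrainfo lands directly after "[{4}]", the placeholder the string itself puts on its own line after "are\:\n" to hold the response differences, so the rendered text ends with a stray "]." after that block; leave the string unpunctuated as before, or move the period ahead of the placeholder. The text4shell.soln context line ("Upgrade Apache Commons Text prior to version 1.10.0 or newer.") is also self-contradictory and should read "Upgrade Apache Commons Text to version 1.10.0 or newer."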
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parametre Kirlili\u011fi (HES) sald\u0131r\u0131lar\u0131 mevcut di\u011fer parametrelere kodlanm\u0131\u015f sorgu dizesi s\u0131n\u0131rlay\u0131c\u0131 enjekte olu\u015fmaktad\u0131r. Bir web uygulama d\u00fczg\u00fcn kullan\u0131c\u0131 giri\u015fi sanitize etmezse, k\u00f6t\u00fc niyetli bir kullan\u0131c\u0131n\u0131n istemci taraf\u0131 veya sunucu taraf\u0131 ya sald\u0131r\u0131lar\u0131 ger\u00e7ekle\u015ftirmek i\u00e7in uygulama mant\u0131\u011f\u0131 bozabilir. HES sald\u0131r\u0131lar\u0131n bir sonucu potansiyel mevcut sabit kodlanm\u0131\u015f HTTP parametreleri ge\u00e7ersiz k\u0131labilirsiniz sald\u0131rgan\u0131n bir uygulama, bypass giri\u015f do\u011frulama kontrol noktalar\u0131 ve eri\u015fim davran\u0131\u015f\u0131n\u0131 de\u011fi\u015ftirmek ve muhtemelen do\u011frudan ula\u015famayaca\u011f\u0131 olabilir de\u011fi\u015fkenleri yararlanmaya olmas\u0131d\u0131r. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parametre Kirlili\u011fi -ascanbeta.HTTPParamPoll.sol = D\u00fczg\u00fcn parametre s\u0131n\u0131rlay\u0131c\u0131 i\u00e7in kullan\u0131c\u0131 giri\u015fi sterilize +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = Dosyan\u0131n bir yedek web sunucusu taraf\u0131ndan if\u015fa edildi +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = Yedekleme Dosya Bilgilendirme ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = In-situ web sunucusundaki dosyalar\u0131 d\u00fczenlemek ve (gizli dosyalar dahil) o un-gerekli dosyalar\u0131 web sunucusundan kald\u0131r\u0131l\u0131r sa\u011flamak etmeyin. -ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. 
\n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
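Review bot: this hunk replaces two existing Turkish strings (HTTPParamPoll.sol and backupfiledisclosure.desc) with English text in Messages_tr_TR.properties, so Turkish users lose translations they already had; if this is the translation platform falling back to the source string after the English wording changed, say so in the commit message, otherwise keep the Turkish text until a new translation exists. Separately, the reflowed cookieslack.session.destroyed string still runs "[{0}] A follow-on request ..." with no punctuation between the placeholder and the next sentence; "[{0}]. A follow-on request ..." reads better.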
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Fla\u015f / Silverlight tabanl\u0131 \u00e7apraz site istek sahtecili\u011fi nedeniyle web sunucusunda bir yanl\u0131\u015f yap\u0131land\u0131rma, m\u00fcmk\u00fcn olabilir. -ascanbeta.crossdomain.adobe.read.extrainfo = web sunucusu k\u00f6t\u00fc niyetli etki alanlar\u0131 aras\u0131 veri Fla\u015f / Silverlight bile\u015fenlerinden kaynaklanan istekleri bu etki, herhangi bir \u00fc\u00e7\u00fcnc\u00fc taraf etki alan\u0131ndan sunulan okuma izni verir. Kurban kullan\u0131c\u0131 bu hizmete oturum a\u00e7t\u0131ysa, k\u00f6t\u00fc niyetli okuma istekleri ma\u011fdurun ayr\u0131cal\u0131klar\u0131n\u0131 kullan\u0131larak i\u015flenir ve kurban\u0131n web taray\u0131c\u0131s\u0131 \u00fczerinden, yetkisiz bir \u00fc\u00e7\u00fcnc\u00fc taraf web sitesi taraf\u0131ndan ele ge\u00e7irilmesini, bu hizmetten verilere neden olabilir. Bu \u00c7erez tabanl\u0131 oturum uygulama kullan\u0131mda ise bir sorun olabilir \u00f6zellikle muhtemeldir. 
+ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = \u00c7apraz-Domain yanl\u0131\u015f yap\u0131land\u0131r\u0131lmas\u0131 - Adobe - Oku ascanbeta.crossdomain.adobe.read.soln = Kullanarak, bu web sunucusuna etki alanlar\u0131 aras\u0131 okuma isteklerini yapmak i\u00e7in izin alanlar\u0131n listesini s\u0131n\u0131rlamak i\u00e7in crossdomain.xml dosyas\u0131 yap\u0131land\u0131rma . Sadece "*" Bu hizmet herhangi bir eri\u015fim kontroll\u00fc, ki\u015fiselle\u015ftirilmi\u015f veya \u00f6zel verilerinizi ev sahipli\u011fi etmedi\u011fini eminseniz (t\u00fcm alanlar) eri\u015fim izni gerekir. ascanbeta.crossdomain.adobe.send.extrainfo = web sunucusu (ama mutlaka okuyam\u0131yor) k\u00f6t\u00fc niyetli etki alanlar\u0131 aras\u0131 veri g\u00f6nderme izin / Silverlight bile\u015fenler bu etki, herhangi bir \u00fc\u00e7\u00fcnc\u00fc taraf etki alan\u0131ndan hizmet Flash'tan men\u015feli ister. Kurban kullan\u0131c\u0131 bu hizmete oturum a\u00e7t\u0131ysa, k\u00f6t\u00fc niyetli g\u00f6nderme istekleri ma\u011fdurun ayr\u0131cal\u0131klar\u0131n\u0131 kullan\u0131larak i\u015flenir ve kurban\u0131n web taray\u0131c\u0131s\u0131 \u00fczerinden, sald\u0131r\u0131lar\u0131 yaz\u0131n Cross Site Request Forgery (CSRF) neden olabilir. 
Bu \u00c7erez tabanl\u0131 oturum uygulama kullan\u0131mda ise bir sorun olabilir \u00f6zellikle muhtemeldir. 
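Review bot: `crossdomain.adobe.desc` and `crossdomain.adobe.read.extrainfo` are switched from Turkish to the English source text, but the sibling keys `crossdomain.adobe.read.name`, `read.soln` and `send.extrainfo` stay Turkish, and `send.extrainfo` is the same unreadable machine-translation style as the text being removed (the removed `read.extrainfo` and the kept `send.extrainfo` even end with the identical sentence `Bu \u00c7erez tabanl\u0131 oturum uygulama kullan\u0131mda ise bir sorun olabilir \u00f6zellikle muhtemeldir.`). If the intent is to drop low-quality translations so the default bundle's English is shown, apply it to the whole `crossdomain.adobe.*` group, or delete the keys instead of copying English into a locale file; as it stands the Adobe cross-domain alert will render with an English description and a Turkish name and solution. `read.soln` also still begins with the stranded `Kullanarak,` and should be redone or dropped in the same change.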
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = g\u00fcvensiz HTTP y\u00f6ntemi [ {0} ] Bu kaynak i\u00e7in etkin ve exploit oldu\u011funu. Bu HTTP y\u00f6ntemini kullanarak, bir \u00fc\u00e7\u00fcnc\u00fc taraf hizmetine t\u00fcnelli soket ba\u011flant\u0131s\u0131 kurmak m\u00fcmk\u00fcn oldu\u011fu bulunmu\u015ftur. Bu hizmet anonim Spam r\u00f6lesi olarak kullan\u0131lmas\u0131na izin veya web proxy olarak, a\u011f k\u0131s\u0131tlamalar\u0131 atlayarak olacakt\u0131r. Ayr\u0131ca, etkin bir \u015fekilde g\u00fcvenilir olmayan bile\u015fenleri i\u00e7in a\u011f \u00e7evre uzanan bir t\u00fcnel VPN kurmak i\u00e7in kullan\u0131lmas\u0131na olanak verir. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. 
It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = CONNECT y\u00f6ntemi [bir soket ba\u011flant\u0131s\u0131 kurmak i\u00e7in kullan\u0131lan {0} ], \u00fczerinden web sunucusuna. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
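Review bot: `httpoxy.desc` is touched only to add the trailing period, but `request.Httpoxy` in the same value still lacks the space after the sentence end; fix it in the same line (`... header of the request. Httpoxy typically affects code running in CGI or CGI like environments.`) rather than leaving it for another pass. The new `insecurehttpmethod.connect.exploitable.desc` is a faithful rendering of the removed Turkish, but the unchanged `connect.exploitable.extrainfo` directly below (`CONNECT y\u00f6ntemi [bir soket ba\u011flant\u0131s\u0131 kurmak i\u00e7in kullan\u0131lan {0} ], \u00fczerinden web sunucusuna.`) and `insecurehttpmethod.soln` further down keep the same garbled Turkish, so the CONNECT alert will mix an English description with Turkish other-info and solution; treat the `insecurehttpmethod.*` group as a unit.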
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = B\u00f6yle TRACK, TRACE gibi g\u00fcvensiz y\u00f6ntemleri devre d\u0131\u015f\u0131 b\u0131rak\u0131n ve web sunucusu \u00fczerinde CONNECT ve altta yatan servis uygulamas\u0131 g\u00fcvensiz y\u00f6ntemleri desteklemedi\u011fi emin olun. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = g\u00fcvensiz HTTP y\u00f6ntemi [ {0} ] Bu kaynak i\u00e7in etkin ve exploit oldu\u011funu. TRACK ve TRACE y\u00f6ntemleri oturum \u00e7erezi ''HttpOnly'' bayra\u011f\u0131n\u0131 kullanarak korunmaktad\u0131r bile, bir uygulama kullan\u0131c\u0131 yetkilendirme belirteci / oturum \u00e7erezi eri\u015fmek i\u00e7in, bir sald\u0131rgan taraf\u0131ndan kullan\u0131l\u0131yor olabilir. Sald\u0131r\u0131n\u0131n ba\u015far\u0131l\u0131 olmas\u0131 i\u00e7in, uygulama kullan\u0131c\u0131 genellikle eski web taray\u0131c\u0131s\u0131 veya bir Same Origin Policy (SOP) bypass a\u00e7\u0131\u011f\u0131 olan bir web taray\u0131c\u0131s\u0131 kullan\u0131yor olmal\u0131s\u0131n\u0131z. 
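Review bot: removing the doubled period in `put.exploitable.desc` is fine, but the same value (and `patch.exploitable.desc` above it) still carries a comma splice, `It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities`; if the line is being edited anyway, `... used in REST services, where PUT is ...` reads correctly. The unchanged `trace.exploitable.desc` opens with the very sentence (`g\u00fcvensiz HTTP y\u00f6ntemi [ {0} ] Bu kaynak i\u00e7in etkin ve exploit oldu\u011funu.`) that the previous hunk replaced with English for `connect.exploitable.desc`, so the two TRACE/CONNECT alerts will now disagree in language for identical wording; give it the same treatment.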
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potansiyel Tamsay\u0131 Ta\u015fmas\u0131. Durum kodu, rastgele tamsay\u0131lardan olu\u015fan uzun bir dizinin girdisiyle de\u011fi\u015fti. -ascanbeta.integeroverflow.error2 = Potansiyel Tamsay\u0131 Ta\u015fmas\u0131. Durum kodu, s\u0131f\u0131rlardan olu\u015fan uzun bir dizinin girdisiyle de\u011fi\u015fti. -ascanbeta.integeroverflow.error3 = Potansiyel Tamsay\u0131 Ta\u015fmas\u0131. Durum kodu, birlerden olu\u015fan uzun bir dizinin girdisiyle de\u011fi\u015fti. -ascanbeta.integeroverflow.error4 = Potansiyel Tamsay\u0131 Ta\u015fmas\u0131. Durum kodu, dokuzlardan olu\u015fan uzun bir dizinin girdisiyle de\u011fi\u015fti. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. 
ascanbeta.integeroverflow.name = Tamsay\u0131 Ta\u015fma Hatas\u0131 ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
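Review bot: the four `integeroverflow.error1` to `error4` values being removed are accurate Turkish renderings of the English that replaces them (`Potansiyel Tamsay\u0131 Ta\u015fmas\u0131. Durum kodu, rastgele tamsay\u0131lardan olu\u015fan uzun bir dizinin girdisiyle de\u011fi\u015fti.` is a correct translation of `Potential Integer Overflow. Status code changed on the input of a long string of random integers.`), so unlike the other hunks this one discards working localisation rather than a broken one, while `integeroverflow.name = Tamsay\u0131 Ta\u015fma Hatas\u0131` stays Turkish. If this is a translation-platform sync reverting unapproved strings, say so in the commit message; otherwise keep the Turkish values.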
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Bilinmeyen ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} alan\u0131\: [ {1} ] ascanbeta.sessionfixation.alert.cookie.extrainfo = \u00c7erez alan [zaman \u00c7erez yan\u0131t set {0} ] NULL olarak ayarlan\u0131r\: [ {1} istekte \u00f6d\u00fcn\u00e7 (ge\u00e7erli) \u00e7erez de\u011feri ile yan\u0131t] Cookie seti [ {1} ]\: [ {2} ] 
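Review bot: the `proxydisclosure.desc` change makes the bullet indentation inconsistent: the first item becomes `\n- A list of targets` while the second and third keep `\n - Potential vulnerabilities` and `\n - The presence or absence`; either drop the leading space on all three or leave the first as it was. Separately, in the unchanged context the `relativepathconfusion` strings show `the "" HTML tag` in `soln`, `More than one tag was specified in the HTML tag` in `morethanonebasetag`, `No tag was specified in the HTML tag` in `nobasetag`, and `Quirks Mode is explicitly enabled via " HTML tag` in `quirksmodeenabledexplicitly`, i.e. the element names are absent. If that is how the file actually reads and not just how the diff is displayed, those messages are broken (the key names suggest they should name the base and head tags) and should be repaired in this or a follow-up change.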
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = Sorun ke\u015ffedildi ascanbeta.sessionfixation.desc = Oturum Fixation m\u00fcmk\u00fcn olabilir. Bu sorun (kullan\u0131c\u0131 uygulamas\u0131 kendilerini do\u011frular oldu\u011fu) bir giri\u015f URL olu\u015fursa, o zaman URL sonra ma\u011fdurun kimli\u011fini varsaymak i\u00e7in bir kurban, sabit bir oturum kimli\u011fi ile birlikte, bir sald\u0131rgan taraf\u0131ndan verilebilir Verilen oturum kimli\u011fi kullanarak. Sorun olmayan bir oturum a\u00e7ma sayfas\u0131 ile olu\u015fursa, URL ve sabit oturum kimli\u011fi sadece do\u011frulanmam\u0131\u015f kullan\u0131c\u0131n\u0131n eylemlerini izlemek i\u00e7in bir sald\u0131rgan taraf\u0131ndan kullan\u0131l\u0131yor olabilir. G\u00fcvenlik a\u00e7\u0131\u011f\u0131 yerine URL (GET) parametresine bir \u00e7erez alan\u0131 veya bir form alan\u0131n\u0131n (POST parametresi) olu\u015fursa, o zaman ba\u015fka bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 da a\u00e7\u0131\u011f\u0131 izin, kurban\u0131n taray\u0131c\u0131s\u0131nda \u00e7erez alan\u0131n\u0131 ayarlamak i\u00e7in gerekli olabilir istismar edilecek. 
ascanbeta.sessionfixation.name = Oturum Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} alan\u0131\: [ {1} ] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = oturum tan\u0131mlay\u0131c\u0131s\u0131 {0} alan\u0131 [ {1} ], de\u011fer [ {2} ] taray\u0131c\u0131n\u0131zda JavaScript kullan\u0131larak ula\u015f\u0131labilir -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = Sorun ke\u015ffedildi hangi url bir oturum a\u00e7ma sayfas\u0131 olarak i\u015faretlendi. -ascanbeta.sessionidaccessiblebyjavascript.desc = (URL NULL adl\u0131 parametre alan ayarlayarak de\u011fi\u015ftirilmi\u015f) sunucu taraf\u0131ndan g\u00f6nderilen bir oturum kimli\u011fi tan\u0131mlama istemci \u00fczerinde JavaScript ile ula\u015f\u0131labilir. Ba\u015fka bir g\u00fcvenlik a\u00e7\u0131\u011f\u0131 ile birlikte, bu oturumun ka\u00e7\u0131r\u0131ld\u0131 izin verebilir. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = JavaScript i\u00e7in Eri\u015filebilir Session ID \u00c7erez #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
-ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = Web taray\u0131c\u0131s\u0131nda JavaScript taraf\u0131ndan eri\u015filen engellemek i\u00e7in, bir oturum kimli\u011fi i\u00e7eren bir \u00e7erez ayarlarken 1) 'sadece_http' bayra\u011f\u0131n\u0131 kullan\u0131n. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} alan\u0131\: [ {1} ] ascanbeta.sessionidexpiry.alert.extrainfo = oturum tan\u0131mlay\u0131c\u0131s\u0131 {0} alan\u0131 [ {1} ], de\u011fer [ {2} ] kadar ula\u015f\u0131labilir [ {3} ] (cookie al\u0131nan beri {4} ), oturum tahrip edilmi\u015ftir. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = Sorun ke\u015ffedildi hangi url bir oturum a\u00e7ma sayfas\u0131 olarak i\u015faretlendi. ascanbeta.sessionidexpiry.browserclose = taray\u0131c\u0131 yak\u0131n -ascanbeta.sessionidexpiry.desc = (URL NULL adl\u0131 parametre alan ayarlayarak de\u011fi\u015ftirilmi\u015f) sunucu taraf\u0131ndan g\u00f6nderilen bir oturum kimli\u011fi \u00e7erez zaman a\u015f\u0131r\u0131 bir s\u00fcre i\u00e7in ge\u00e7erli olacak \u015fekilde ayarlan\u0131r. Bu kullan\u0131c\u0131 unutuyor oturumu e\u011fer \u00e7\u0131k\u0131\u015f i\u015flevselli\u011fi do\u011fru oturumu yok etmez ise, bir sald\u0131rgan taraf\u0131ndan s\u00f6m\u00fcr\u00fclebilir olabilir veya oturum kimli\u011fi ba\u015fka yollarla tehlikeye e\u011fer. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. 
#Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Vade S\u00fcresi / Max-Ya\u015f A\u015f\u0131r\u0131 oldu\u011fu #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) kullan\u0131n\u0131z uzun s\u00fcre kullan\u0131labilir olmaktan \u00f6nlemek i\u00e7in, bir oturum kimli\u011fi i\u00e7eren bir \u00e7erez ayarlarken ya da 'Max-Ya\u015f' \u00e7erez direktifleri 'Ge\u00e7erlilik'. 2) Bu \u00e7\u0131k\u0131\u015f i\u015flevselli\u011fi var emin olun ve do\u011fru oturumu yok etti\u011fini. 3) Bir oturum kimli\u011fi tehlikeye ise, bu istismar olmayabilir sa\u011flamak i\u00e7in di\u011fer \u00f6nlemleri kullan\u0131n. ascanbeta.sessionidexpiry.timeexpired = S\u00fcresi Doldu ascanbeta.sessionidexpiry.timelessthanonehour = Az bir saat 
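Review bot: deleting the empty `sessionidaccessiblebyjavascript.refs=` and `sessionidexpiry.refs=` keys is reasonable, but the comment kept above each of them (`#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..`) now refers to nothing; remove the comment together with the key, or keep both. `sessionfixation.soln` is modified only to add a final period yet still has `7)Switch` without the space that items 1) to 6) have. Also, `sessionidexpiry.desc` is converted to English while `sessionidexpiry.soln` directly below keeps the garbled Turkish (`1) kullan\u0131n\u0131z uzun s\u00fcre kullan\u0131labilir olmaktan \u00f6nlemek i\u00e7in ...`), so that alert too will be half translated.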
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = Birden fazla hafta ascanbeta.sessionidexposedinurl.alert.attack = {0} alan\u0131\: [ {1} ] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} alan\u0131 [ {1} ] bir a\u00e7\u0131k oturum tan\u0131mlay\u0131c\u0131s\u0131 i\u00e7erir [ {2} ] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = Sorun ke\u015ffedildi hangi url bir oturum a\u00e7ma sayfas\u0131 olarak i\u015faretlendi. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = , Daha g\u00fcvenli bir oturum y\u00f6netimi uygulamas\u0131 kullan\u0131n gibi kolayca tipik sunucu g\u00fcnl\u00fck dosyalar\u0131 veya web taray\u0131c\u0131 yer imlerine g\u00f6r\u00fcnm\u00fcyor yanl\u0131\u015fl\u0131kla payla\u015f\u0131lan ve olmayan oturum \u00e7erezleri kullan\u0131r biri olarak. ascanbeta.sessionidsentinsecurely.alert.attack = {0} alan\u0131\: [ {1} ] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = oturum tan\u0131mlay\u0131c\u0131s\u0131 {0} alan\u0131 [ {1} ], de\u011fer [ {2} ] g\u00fcvensiz mekanizma yoluyla g\u00f6nderilebilir. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = Sorun ke\u015ffedildi hangi url bir oturum a\u00e7ma sayfas\u0131 olarak i\u015faretlendi. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = 'G\u00fcvenli' bayrak sunucusu taraf\u0131ndan sa\u011flanan oturum \u00e7erezi ayarlan\u0131r de\u011fildi. -ascanbeta.sessionidsentinsecurely.desc = Bir oturum kimli\u011fi g\u00fcvensiz mekanizma yoluyla g\u00f6nderilebilir. HTTP HTTPS yerine kullan\u0131ld\u0131\u011f\u0131 zaman, istekte bir tan\u0131mlama durumunda, bu meydana gelir. (URL NULL adl\u0131 parametre alan ayarlayarak de\u011fi\u015ftirilmi\u015f) yan\u0131t olarak sunucu taraf\u0131ndan g\u00f6nderilen bir cookie, bayra\u011f\u0131 ayarl\u0131 de\u011fil 'g\u00fcvenli' \u00e7erez izin durumunda HTTP \u00fczerinden yerine HTTPS \u00fczerinden daha sonra g\u00f6nderilmek \u00fczere . Bu a\u011f, yolda pasif kulak misafiri kurban\u0131n oturumuna tam eri\u015fim sa\u011flamas\u0131na olanak verebilir. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. 
In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Oturum Kimli\u011fi G\u00fcvensiz Bula\u015fan #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) bir oturum kimli\u011fi taray\u0131c\u0131s\u0131 ve web sunucusu aras\u0131nda iletilen t\u00fcm sayfalar i\u00e7in () HTTPS i\u00e7in SSL / TLS son kullan\u0131labilir s\u00fcr\u00fcm\u00fcn\u00fc kullan\u0131n. 2) haberle\u015fme \u015fifresiz HTTP protokol\u00fc a\u015fa\u011f\u0131 zorla izin vermeyin. Bir oturum kimli\u011fi i\u00e7eren bir \u00e7erez ayarlarken 3) g\u00fcvensiz mekanizma ile onun sonraki ge\u00e7i\u015fini \u00f6nlemek i\u00e7in, 'g\u00fcvenli' bayra\u011f\u0131n\u0131 kullan\u0131n. 4) g\u00fcvenli HTTPS e\u015fde\u011fer sayfaya \u0130leri g\u00fcvenli olmayan HTTP sayfas\u0131 istekleri. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. 
-ascanbeta.shellshock.desc = Sunucu uzak sald\u0131rganlar\u0131n rasgele kod y\u00fcr\u00fctmesine olanak Bash kabu\u011funun bir s\u00fcr\u00fcm\u00fcn\u00fc \u00e7al\u0131\u015ft\u0131ran +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. ascanbeta.shellshock.extrainfo = CVE-2014-6271 Nereden\: OpenSSH sshd de ForceCommand \u00f6zelli\u011fini i\u00e7eren vekt\u00f6rler taraf\u0131ndan g\u00f6sterildi\u011fi gibi uzak sald\u0131rganlar\u0131n, bir haz\u0131rlanm\u0131\u015f bir ortamda yoluyla iste\u011fe ba\u011fl\u0131 kod \u00e7al\u0131\u015ft\u0131rmas\u0131na olanak ortam de\u011fi\u015fkenlerinin de\u011ferlerine fonksiyon tan\u0131mlar\u0131 sonra dizeleri firar GNU Bash ile 4.3 s\u00fcre\u00e7leri, \u00e7evreyi ayar\u0131 Bash y\u00fcr\u00fctme, aka bir ayr\u0131cal\u0131k s\u0131n\u0131r\u0131 boyunca meydana geldi\u011fi mod_cgi ve Apache HTTP Server mod_cgid mod\u00fcl\u00fc mod\u00fclleri, tan\u0131mlanmam\u0131\u015f DHCP istemcileri taraf\u0131ndan y\u00fcr\u00fct\u00fclen komut dosyalar\u0131 ve di\u011fer durumlarda "ShellShock." NOT\: Bu sorunla ilgili d\u00fczeltme, \u00f6zg\u00fcn yanl\u0131\u015f; CVE-2014-7169 hala yanl\u0131\u015f d\u00fczeltme sonras\u0131nda mevcut g\u00fcvenlik a\u00e7\u0131\u011f\u0131n\u0131 kar\u015f\u0131lamak i\u00e7in atanm\u0131\u015ft\u0131r. ascanbeta.shellshock.name = Uzaktan Kod Y\u00fcr\u00fctme - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = En son s\u00fcr\u00fcm\u00fcne sunucuda Bash g\u00fcncelleyin +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. 
ascanbeta.shellshock.timingbased.evidence = Sald\u0131r\u0131, [bir gecikme kullanarak {0} ] milisaniye uyar\u0131lm\u0131\u015f ve tespit edildi ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = kaynak kodu [ {0} ] bulunmu\u015ftur [ {1} ] ascanbeta.sourcecodedisclosure.svnbased.name = Kaynak Kod A\u00e7\u0131klama - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = SVN meta dosyalar\u0131 web sunucusu veya uygulama sunucusu da\u011f\u0131t\u0131lm\u0131\u015f oldu\u011fundan emin olun +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = CGI kullanarak \u00e7al\u0131\u015fmak \u00fczere yap\u0131land\u0131r\u0131lm\u0131\u015f Baz\u0131 PHP s\u00fcr\u00fcmleri, do\u011fru PHP kaynak kodu a\u00e7\u0131klama ve keyfi kod y\u00fcr\u00fct\u00fclmesine olanak bir \u00e7\u0131kmam\u0131\u015f "\=" karakteri yoksun sorgu dizeleri dokunmay\u0131n. 
Bu durumda, PHP dosyas\u0131n\u0131n i\u00e7eri\u011fi web taray\u0131c\u0131s\u0131 do\u011frudan ikram edildi. O da d\u00fcz HTML i\u00e7erebilir ancak bu \u00e7\u0131k\u0131\u015f, genellikle, PHP i\u00e7erecektir. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Kaynak Kodu Bilgilendirme - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = I\u015fleyin [ {0} ] alan\: [ {1} ] ve monit\u00f6r \u00e7\u0131k\u0131\u015f\u0131 -ascanbeta.usernameenumeration.alert.extrainfo = [ {0} ] parametresi [ {1} ], bir kullan\u0131c\u0131 olup olmad\u0131\u011f\u0131n\u0131 hakk\u0131nda bilgi s\u0131zd\u0131r\u0131yor. [ {5} ] ge\u00e7erli orijinal ad\u0131 de\u011feri \u00e7\u0131k\u0131\u015f\u0131 farkl\u0131l\u0131klar, [ {2} ], ve ge\u00e7ersiz kullan\u0131c\u0131 ad\u0131 de\u011feri [ {3} ] \u015funlard\u0131r\: [ {4} ] -ascanbeta.usernameenumeration.desc = Bu ge\u00e7erli ve ge\u00e7ersiz adlar\u0131 verilmektedir HTTP yan\u0131tlar\u0131 farkl\u0131 dayal\u0131 adlar\u0131n\u0131 saymak m\u00fcmk\u00fcn olabilir. Bu b\u00fcy\u00fck \u00f6l\u00e7\u00fcde sisteme kar\u015f\u0131 \u015fifre zorlamas\u0131 sald\u0131r\u0131lar\u0131n ba\u015far\u0131 olas\u0131l\u0131\u011f\u0131n\u0131 art\u0131racakt\u0131r. Yanl\u0131\u015f pozitif bazen ZAP 'Sald\u0131r\u0131 G\u00fcc\u00fc' Se\u00e7ene\u011fi art\u0131rarak minimize edilebilir unutmay\u0131n. El bu asl\u0131nda bir sorun olup olmad\u0131\u011f\u0131n\u0131 teyit etmek i\u00e7in 'Di\u011fer Bilgiler' alan\u0131n\u0131 kontrol edin. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. 
This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. ascanbeta.usernameenumeration.name = Olas\u0131 Ad\u0131 numaraland\u0131rma ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Bir kullan\u0131c\u0131 ad\u0131 ge\u00e7erli veya ge\u00e7ersiz olup olmad\u0131\u011f\u0131 ayr\u0131nt\u0131lar\u0131n\u0131 if\u015fa etmeyin. \u00d6zellikle, ba\u015far\u0131s\u0131z oturum a\u00e7ma giri\u015fimleri i\u00e7in, ge\u00e7ersiz bir kullan\u0131c\u0131 ve hata iletisinde ge\u00e7ersiz \u015fifre, sayfa ba\u015fl\u0131\u011f\u0131, sayfa i\u00e7eri\u011fi, HTTP ba\u015fl\u0131klar\u0131 veya y\u00f6nlendirme mant\u0131\u011f\u0131 aras\u0131nda ayr\u0131m yoktur. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_uk_UA.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_uk_UA.properties index 88a477f0464..c1db4de0c93 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_uk_UA.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_uk_UA.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = \u0410\u0442\u0430\u043a\u0438, \u0441\u043f\u0440\u044f\u043c\u043e\u0432\u0430\u043d\u0456 \u043d\u0430 \u0437\u0430\u0431\u0440\u0443\u0434\u043d\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0443 HTTP (HPP-\u0430\u0442\u0430\u043a\u0438), \u043f\u043e\u043b\u044f\u0433\u0430\u044e\u0442\u044c \u0443 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u0456 \u0437\u0430\u043a\u043e\u0434\u043e\u0432\u0430\u043d\u0438\u0445 \u0440\u043e\u0437\u0434\u0456\u043b\u044c\u043d\u0438\u043a\u0456\u0432 \u0440\u044f\u0434\u043a\u0430 \u0437\u0430\u043f\u0438\u0442\u0443 \u0432 \u0456\u043d\u0448\u0456 \u043d\u0430\u044f\u0432\u043d\u0456 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438. \u042f\u043a\u0449\u043e \u0432\u0435\u0431\u0434\u043e\u0434\u0430\u0442\u043e\u043a \u043d\u0435 \u0432\u0438\u043a\u043e\u043d\u0443\u0454 \u043d\u0430\u043b\u0435\u0436\u043d\u0443 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0443 \u0431\u0435\u0437\u043f\u0435\u043a\u0438 \u0434\u0430\u043d\u0438\u0445, \u0449\u043e \u0432\u0432\u043e\u0434\u044f\u0442\u044c\u0441\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c, \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043c\u043e\u0436\u0435 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u0443\u0432\u0430\u0442\u0438 \u043b\u043e\u0433\u0456\u043a\u0443 \u0440\u043e\u0431\u043e\u0442\u0438 \u0434\u043e\u0434\u0430\u0442\u043a\u0443 \u0456 \u0437\u0434\u0456\u0439\u0441\u043d\u0438\u0442\u0438 \u0430\u0442\u0430\u043a\u0443 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u043a\u043b\u0456\u0454\u043d\u0442\u0430 \u0430\u0431\u043e \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430. 
\u041e\u0434\u0438\u043d \u0437 \u043d\u0430\u0441\u043b\u0456\u0434\u043a\u0456\u0432 HPP-\u0430\u0442\u0430\u043a\u0438 \u2014 \u043c\u043e\u0436\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0430 \u0456\u0433\u043d\u043e\u0440\u0443\u0432\u0430\u0442\u0438 \u043d\u0430\u044f\u0432\u043d\u0456, \u0436\u043e\u0440\u0441\u0442\u043a\u043e-\u0437\u0430\u043a\u043e\u0434\u043e\u0432\u0430\u043d\u0456 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 HTTP, \u0449\u043e\u0431 \u0437\u043c\u0456\u043d\u0438\u0442\u0438 \u0445\u0430\u0440\u0430\u043a\u0442\u0435\u0440 \u0440\u043e\u0431\u043e\u0442\u0438 \u0434\u043e\u0434\u0430\u0442\u043a\u0443, \u043e\u0431\u0456\u0439\u0442\u0438 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c\u043d\u0456 \u0442\u043e\u0447\u043a\u0438 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0438 \u0432\u0445\u0456\u0434\u043d\u0438\u0445 \u0434\u0430\u043d\u0438\u0445, \u0430 \u0442\u0430\u043a\u043e\u0436 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0456, \u043c\u043e\u0436\u043b\u0438\u0432\u043e, \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0437\u043c\u0456\u043d\u043d\u0438\u0445, \u044f\u043a\u0456 \u043c\u043e\u0436\u0443\u0442\u044c \u0431\u0443\u0442\u0438 \u043d\u0435 \u0432 \u043c\u0435\u0436\u0430\u0445 \u0432\u0456\u043b\u044c\u043d\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0443. 
ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = \u0417\u0430\u0431\u0440\u0443\u0434\u043d\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0443 HTTP -ascanbeta.HTTPParamPoll.sol = \u0412\u0438\u043a\u043e\u043d\u0443\u0439\u0442\u0435 \u043d\u0430\u043b\u0435\u0436\u043d\u0443 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0443 \u0434\u0430\u043d\u0438\u0445, \u0449\u043e \u0432\u0432\u043e\u0434\u044f\u0442\u044c\u0441\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c, \u0434\u043b\u044f \u0440\u043e\u0437\u0434\u0456\u043b\u044e\u0432\u0430\u0447\u0456\u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0456\u0432 +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = \u0412\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u0440\u043e\u0437\u043a\u0440\u0438\u0432 \u0440\u0435\u0437\u0435\u0440\u0432\u043d\u0443 \u043a\u043e\u043f\u0456\u044e \u0444\u0430\u0439\u043b\u0443 +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = \u0420\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044f \u0440\u0435\u0437\u0435\u0440\u0432\u043d\u043e\u0457 \u043a\u043e\u043f\u0456\u0457 \u0444\u0430\u0439\u043b\u0443 ascanbeta.backupfiledisclosure.otherinfo = \u0420\u0435\u0437\u0435\u0440\u0432\u043d\u0430 \u043a\u043e\u043f\u0456\u044f \u0444\u0430\u0439\u043b\u0443 [{0}] \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0430 \u0432 [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = \u041d\u0435 \u0440\u0435\u0434\u0430\u0433\u0443\u0439\u0442\u0435 \u0444\u0430\u0439\u043b\u0438 \u0431\u0435\u0437\u043f\u043e\u0441\u0435\u0440\u0435\u0434\u043d\u044c\u043e \u043d\u0430 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u0442\u0430 \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u043d\u0435\u0432\u0430\u0436\u043b\u0438\u0432\u0456 \u0444\u0430\u0439\u043b\u0438 (\u0443 \u0442\u043e\u043c\u0443 \u0447\u0438\u0441\u043b\u0456 \u043f\u0440\u0438\u0445\u043e\u0432\u0430\u043d\u0456) \u0432\u0438\u0434\u0430\u043b\u044f\u044e\u0442\u044c\u0441\u044f \u0437 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0430. 
-ascanbeta.cookieslack.affect.response.no = \u0426\u0456 \u0444\u0430\u0439\u043b\u0438 cookie \u041d\u0415 \u0432\u043f\u043b\u0438\u043d\u0443\u043b\u0438 \u043d\u0430 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c\: -ascanbeta.cookieslack.affect.response.yes = \u0426\u0456 \u0444\u0430\u0439\u043b\u0438 cookie \u0432\u043f\u043b\u0438\u043d\u0443\u043b\u0438 \u043d\u0430 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = \u041f\u043e\u0432\u0442\u043e\u0440\u043d\u0456 \u0437\u0430\u043f\u0438\u0442\u0438 GET\: \u0449\u043e\u0440\u0430\u0437\u0443 \u0441\u043a\u0438\u0434\u0430\u0439\u0442\u0435 \u0440\u0456\u0437\u043d\u0456 \u0444\u0430\u0439\u043b\u0438 cookie, \u043f\u0456\u0441\u043b\u044f \u0447\u043e\u0433\u043e \u0432\u0438\u043a\u043e\u043d\u0443\u0439\u0442\u0435 \u0437\u0432\u0438\u0447\u0430\u0439\u043d\u0438\u0439 \u0437\u0430\u043f\u0438\u0442 \u0437 \u0443\u0441\u0456\u043c\u0430 \u0444\u0430\u0439\u043b\u0430\u043c\u0438 cookie, \u0449\u043e\u0431 \u0441\u0442\u0430\u0431\u0456\u043b\u0456\u0437\u0443\u0432\u0430\u0442\u0438 \u0441\u0435\u0441\u0456\u044e, \u0456 \u043f\u043e\u0440\u0456\u0432\u043d\u044e\u0439\u0442\u0435 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u0437 \u043f\u043e\u0447\u0430\u0442\u043a\u043e\u0432\u0438\u043c GET. 
\u0426\u0435 \u043c\u043e\u0436\u0435 \u043f\u043e\u043a\u0430\u0437\u0430\u0442\u0438 \u0434\u0456\u043b\u044f\u043d\u043a\u0438, \u0434\u0435 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u044f \u0447\u0438 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0438, \u044f\u043a\u0456 \u0431\u0430\u0437\u0443\u044e\u0442\u044c\u0441\u044f \u043d\u0430 \u0444\u0430\u0439\u043b\u0430\u0445 cookie, \u043d\u0430\u0441\u043f\u0440\u0430\u0432\u0434\u0456 \u043d\u0435 \u0437\u0430\u0441\u0442\u043e\u0441\u043e\u0432\u0443\u044e\u0442\u044c\u0441\u044f. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = \u0414\u0435\u0442\u0435\u043a\u0442\u043e\u0440 \u0441\u043b\u0430\u0431\u0438\u0445 \u0444\u0430\u0439\u043b\u0456\u0432 cookie ascanbeta.cookieslack.otherinfo.intro = \u0424\u0430\u0439\u043b\u0438 cookie, \u044f\u043a\u0456 \u043d\u0435 \u043c\u0430\u044e\u0442\u044c \u043e\u0447\u0456\u043a\u0443\u0432\u0430\u043d\u043e\u0433\u043e \u0435\u0444\u0435\u043a\u0442\u0443, \u043c\u043e\u0436\u0443\u0442\u044c \u0432\u0438\u044f\u0432\u0438\u0442\u0438 \u043d\u0435\u0434\u043e\u043b\u0456\u043a\u0438 \u0432 \u043b\u043e\u0433\u0456\u0446\u0456 \u0440\u043e\u0431\u043e\u0442\u0438 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0438. \u0423 \u043d\u0430\u0439\u0433\u0456\u0440\u0448\u043e\u043c\u0443 \u0432\u0438\u043f\u0430\u0434\u043a\u0443, \u0446\u0435 \u043c\u043e\u0436\u0435 \u0432\u0438\u044f\u0432\u0438\u0442\u0438, \u0434\u0435 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u044f \u0447\u0435\u0440\u0435\u0437 \u043c\u0430\u0440\u043a\u0435\u0440\u0438 \u0444\u0430\u0439\u043b\u0456\u0432 cookie \u0444\u0430\u043a\u0442\u0438\u0447\u043d\u043e \u043d\u0435 \u0432\u0438\u043a\u043e\u043d\u0443\u0454\u0442\u044c\u0441\u044f. 
ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = \u0421\u043a\u0438\u0434\u0430\u043d\u043d\u044f \u0446\u044c\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0443 cookie \u0437\u0440\u043e\u0431\u0438\u043b\u043e \u0441\u0435\u0430\u043d\u0441 \u043d\u0435\u0434\u0456\u0439\u0441\u043d\u0438\u043c\: [{0}] \u041f\u043e\u0432\u0442\u043e\u0440\u043d\u0438\u0439 \u0437\u0430\u043f\u0438\u0442 \u0437 \u0443\u0441\u0456\u043c\u0430 \u043e\u0440\u0438\u0433\u0456\u043d\u0430\u043b\u044c\u043d\u0438\u043c\u0438 \u0444\u0430\u0439\u043b\u0430\u043c\u0438 cookie \u0432\u0441\u0435 \u043e\u0434\u043d\u043e \u043e\u0442\u0440\u0438\u043c\u0430\u0432 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c, \u044f\u043a\u0430 \u0432\u0456\u0434\u0440\u0456\u0437\u043d\u044f\u043b\u0430\u0441\u044f \u0432\u0456\u0434 \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u0437\u0430\u043f\u0438\u0442\u0443. -ascanbeta.cookieslack.session.warning = \u041f\u0420\u0418\u041c\u0406\u0422\u041a\u0410\: \u0427\u0435\u0440\u0435\u0437 \u0439\u043e\u0433\u043e \u0456\u043c''\u044f \u0446\u0435\u0439 \u0444\u0430\u0439\u043b cookie \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0432\u0430\u0436\u043b\u0438\u0432\u0438\u043c, \u0430\u043b\u0435 \u0439\u043e\u0433\u043e \u0432\u0438\u043b\u0443\u0447\u0435\u043d\u043d\u044f \u043d\u0435 \u043c\u0430\u0454 \u0435\u0444\u0435\u043a\u0442\u0443\: [{0}] +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = \u0421\u043f\u0456\u043b\u044c\u043d\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u0440\u0435\u0441\u0443\u0440\u0441\u0456\u0432 \u0437 
\u0440\u0456\u0437\u043d\u0438\u0445 \u0434\u0436\u0435\u0440\u0435\u043b (CORS) \u2014 \u0446\u0435 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 HTTP-\u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0456\u0432, \u044f\u043a\u0438\u0439 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0441\u0435\u0440\u0432\u0435\u0440\u0443 \u0432\u043a\u0430\u0437\u0443\u0432\u0430\u0442\u0438 \u0431\u0443\u0434\u044c-\u044f\u043a\u0435 \u0456\u043d\u0448\u0435 \u043f\u043e\u0445\u043e\u0434\u0436\u0435\u043d\u043d\u044f (\u0434\u043e\u043c\u0435\u043d, \u0441\u0445\u0435\u043c\u0443 \u0447\u0438 \u043f\u043e\u0440\u0442), \u0430 \u043d\u0435 \u0432\u043b\u0430\u0441\u043d\u0435, \u0437 \u044f\u043a\u043e\u0433\u043e \u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u043f\u043e\u0432\u0438\u043d\u0435\u043d \u0434\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u0438 \u0437\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0440\u0435\u0441\u0443\u0440\u0441\u0456\u0432. \u0426\u0435 \u043f\u043e\u0441\u043b\u0430\u0431\u043b\u044e\u0454 \u043f\u043e\u043b\u0456\u0442\u0438\u043a\u0443 \u0442\u043e\u0433\u043e \u0436 \u043f\u043e\u0445\u043e\u0434\u0436\u0435\u043d\u043d\u044f (SOP). ascanbeta.cors.info.name = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a CORS 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = \u042f\u043a\u0449\u043e \u0432\u0435\u0431\u0440\u0435\u0 ascanbeta.cors.vuln.desc = \u0422\u0430\u043a\u0430 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f CORS \u043c\u043e\u0436\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u0438 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0443 \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u0442\u0438 AJAX-\u0437\u0430\u043f\u0438\u0442\u0438 \u0434\u043e \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u043e\u0433\u043e \u0432\u0435\u0431\u0441\u0430\u0439\u0442\u0443 \u0437\u0456 \u0448\u043a\u0456\u0434\u043b\u0438\u0432\u043e\u0457 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438, \u0437\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043e\u0457 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0446\u044c\u043a\u0438\u043c \u0430\u0433\u0435\u043d\u0442\u043e\u043c \u0436\u0435\u0440\u0442\u0432\u0438. \u0414\u043b\u044f \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u0438\u0445 AJAX-\u0437\u0430\u043f\u0438\u0442\u0456\u0432 \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u043f\u043e\u0432\u0438\u043d\u0435\u043d \u0431\u0443\u0442\u0438 \u0432\u043a\u0430\u0437\u0430\u043d\u0438\u0439 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a "Access-Control-Allow-Credentials\: true", \u0430 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a "Access-Control-Allow-Origin" \u043f\u043e\u0432\u0438\u043d\u0435\u043d \u043c\u0430\u0442\u0438 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f null \u0430\u0431\u043e \u0434\u043e\u043c\u0435\u043d \u0448\u043a\u0456\u0434\u043b\u0438\u0432\u043e\u0457 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438. 
\u041d\u0430\u0432\u0456\u0442\u044c \u044f\u043a\u0449\u043e \u0446\u044f \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f \u043d\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u0456 AJAX-\u0437\u0430\u043f\u0438\u0442\u0438, \u043d\u0435\u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u0438\u0439 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0438\u0439 \u0432\u043c\u0456\u0441\u0442 \u0432\u0441\u0435 \u043e\u0434\u043d\u043e \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0438\u043c (\u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u0432\u0435\u0431\u0441\u0430\u0439\u0442\u0438 \u0456\u043d\u0442\u0440\u0430\u043c\u0435\u0440\u0435\u0436\u0456). \u0428\u043a\u0456\u0434\u043b\u0438\u0432\u0430 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0430 \u043c\u043e\u0436\u0435 \u043d\u0430\u043b\u0435\u0436\u0430\u0442\u0438 \u044f\u043a \u0448\u043a\u0456\u0434\u043b\u0438\u0432\u043e\u043c\u0443 \u0432\u0435\u0431\u0441\u0430\u0439\u0442\u0443, \u0442\u0430\u043a \u0456 \u0434\u043e\u0432\u0456\u0440\u0435\u043d\u043e\u043c\u0443 \u0432\u0435\u0431\u0441\u0430\u0439\u0442\u0443 \u0437 \u043d\u0435\u0434\u043e\u043b\u0456\u043a\u0430\u043c\u0438 (\u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, XSS, \u043f\u0456\u0434\u0442\u0440\u0438\u043c\u043a\u0430 HTTP \u0431\u0435\u0437 TLS, \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0443\u0432\u0430\u0442\u0438 \u043a\u043e\u0434 \u0447\u0435\u0440\u0435\u0437 MITM \u0442\u043e\u0449\u043e). 
ascanbeta.cors.vuln.name = \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f CORS -ascanbeta.crossdomain.adobe.desc = \u041c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0430 \u043f\u0456\u0434\u0440\u043e\u0431\u043a\u0430 \u0437\u0430\u043f\u0438\u0442\u0443 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 Flash/Silverlight \u043c\u043e\u0436\u043b\u0438\u0432\u0430 \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0443 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044e \u043d\u0430 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0456. -ascanbeta.crossdomain.adobe.read.extrainfo = \u0412\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043c \u043c\u0456\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u0438\u043c \u0437\u0430\u043f\u0438\u0442\u0430\u043c \u043d\u0430 \u0447\u0438\u0442\u0430\u043d\u043d\u044f \u0434\u0430\u043d\u0438\u0445, \u0449\u043e \u043f\u043e\u0445\u043e\u0434\u044f\u0442\u044c \u0432\u0456\u0434 Flash/Silverlight \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0456\u0432, \u044f\u043a\u0456 \u043e\u0431\u0441\u043b\u0443\u0433\u043e\u0432\u0443\u044e\u0442\u044c\u0441\u044f \u0437 \u0431\u0443\u0434\u044c-\u044f\u043a\u043e\u0433\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u044c\u043e\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0443, \u0434\u043e \u0446\u044c\u043e\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0443. 
\u042f\u043a\u0449\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447-\u0436\u0435\u0440\u0442\u0432\u0430 \u0443\u0432\u0456\u0439\u0448\u043e\u0432 \u0434\u043e \u0446\u044c\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0456\u0441\u0443, \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0456 \u0437\u0430\u043f\u0438\u0442\u0438 \u043d\u0430 \u0447\u0438\u0442\u0430\u043d\u043d\u044f \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u044e\u0442\u044c\u0441\u044f \u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f\u043c \u043f\u0440\u0438\u0432\u0456\u043b\u0435\u0457\u0432 \u0436\u0435\u0440\u0442\u0432\u0438, \u0449\u043e \u043c\u043e\u0436\u0435 \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u0442\u043e\u0433\u043e, \u0449\u043e \u0434\u0430\u043d\u0456 \u0437 \u0446\u044c\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0456\u0441\u0443 \u0431\u0443\u0434\u0443\u0442\u044c \u0443\u0440\u0430\u0436\u0435\u043d\u0456 \u043d\u0435\u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d\u0438\u043c \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0456\u043c \u0432\u0435\u0431\u0441\u0430\u0439\u0442\u043e\u043c \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0436\u0435\u0440\u0442\u0432\u0438. \u0426\u0435 \u043e\u0441\u043e\u0431\u043b\u0438\u0432\u043e \u0439\u043c\u043e\u0432\u0456\u0440\u043d\u043e, \u044f\u043a\u0449\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u0441\u0435\u0430\u043d\u0441\u0443 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u0444\u0430\u0439\u043b\u0456\u0432 cookie. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. 
+ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = \u041c\u0456\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u0430 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = \u041d\u0430\u043b\u0430\u0448\u0442\u0443\u0439\u0442\u0435 \u0444\u0430\u0439\u043b crossdomain.xml, \u0449\u043e\u0431 \u043e\u0431\u043c\u0435\u0436\u0438\u0442\u0438 \u0441\u043f\u0438\u0441\u043e\u043a \u0434\u043e\u043c\u0435\u043d\u0456\u0432, \u044f\u043a\u0438\u043c \u0434\u043e\u0437\u0432\u043e\u043b\u0435\u043d\u043e \u0440\u043e\u0431\u0438\u0442\u0438 \u043c\u0456\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u0456 \u0437\u0430\u043f\u0438\u0442\u0438 \u043d\u0430 \u0447\u0438\u0442\u0430\u043d\u043d\u044f \u0434\u043e \u0446\u044c\u043e\u0433\u043e \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0447\u0438 . 
\u0412\u0430\u043c \u0432\u0430\u0440\u0442\u043e \u043d\u0430\u0434\u0430\u0432\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f "*" (\u0432\u0441\u0456\u043c \u0434\u043e\u043c\u0435\u043d\u0430\u043c), \u044f\u043a\u0449\u043e \u0432\u0438 \u0432\u043f\u0435\u0432\u043d\u0435\u043d\u0456, \u0449\u043e \u0446\u044f \u0441\u043b\u0443\u0436\u0431\u0430 \u043d\u0435 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0436\u043e\u0434\u043d\u0438\u0445 \u0434\u0430\u043d\u0438\u0445 \u0437 \u043e\u0431\u043c\u0435\u0436\u0435\u043d\u0438\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c, \u043f\u0435\u0440\u0441\u043e\u043d\u0430\u043b\u0456\u0437\u043e\u0432\u0430\u043d\u0438\u0445 \u0430\u0431\u043e \u043f\u0440\u0438\u0432\u0430\u0442\u043d\u0438\u0445 \u0434\u0430\u043d\u0438\u0445. ascanbeta.crossdomain.adobe.send.extrainfo = \u0412\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0430\u043c \u043d\u0430\u0434\u0441\u0438\u043b\u0430\u0442\u0438 (\u0430\u043b\u0435 \u043d\u0435 \u043e\u0431\u043e\u0432'\u044f\u0437\u043a\u043e\u0432\u043e \u0447\u0438\u0442\u0430\u0442\u0438) \u043d\u0430 \u0446\u0435\u0439 \u0434\u043e\u043c\u0435\u043d \u0437\u0430\u043f\u0438\u0442\u0438, \u0449\u043e \u043f\u043e\u0445\u043e\u0434\u044f\u0442\u044c \u0432\u0456\u0434 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0456\u0432 Flash/Silverlight, \u044f\u043a\u0456 \u043e\u0431\u0441\u043b\u0443\u0433\u043e\u0432\u0443\u044e\u0442\u044c\u0441\u044f \u0437 \u0431\u0443\u0434\u044c-\u044f\u043a\u043e\u0433\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u044c\u043e\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0443. 
\u042f\u043a\u0449\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447-\u0436\u0435\u0440\u0442\u0432\u0430 \u0437\u0430\u0440\u0435\u0454\u0441\u0442\u0440\u043e\u0432\u0430\u043d\u0438\u0439 \u0432 \u0446\u044c\u043e\u043c\u0443 \u0441\u0435\u0440\u0432\u0456\u0441\u0456, \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0456 \u0437\u0430\u043f\u0438\u0442\u0438 \u043d\u0430 \u0432\u0456\u0434\u043f\u0440\u0430\u0432\u043a\u0443 \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u044e\u0442\u044c\u0441\u044f \u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f\u043c \u043f\u0440\u0438\u0432\u0456\u043b\u0435\u0457\u0432 \u0436\u0435\u0440\u0442\u0432\u0438 \u0456 \u043c\u043e\u0436\u0443\u0442\u044c \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u0430\u0442\u0430\u043a\u0438 \u0442\u0438\u043f\u0443 Cross Site Request Forgery (CSRF) \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0436\u0435\u0440\u0442\u0432\u0438. \u0426\u0435 \u043e\u0441\u043e\u0431\u043b\u0438\u0432\u043e \u0439\u043c\u043e\u0432\u0456\u0440\u043d\u043e, \u044f\u043a\u0449\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u0440\u0435\u0430\u043b\u0456\u0437\u0430\u0446\u0456\u044f \u0441\u0435\u0430\u043d\u0441\u0443 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u0444\u0430\u0439\u043b\u0456\u0432 cookie. 
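Review bot: the unchanged `ascanbeta.crossdomain.adobe.read.soln` context line ends with a dangling "використовуючи ." (the object of "using" is missing, so whatever the English source names after "using" was dropped in translation), and the sentence that follows, "Вам варто надавати доступ "*" (всім доменам), якщо ви впевнені...", tells the reader to grant "*" access rather than to grant it only when the service holds no restricted data; for a solution string about restricting the domain list, "лише" (only) belongs before "надавати". Since this hunk (like the rest of the patch) replaces the `.extrainfo` value with the English source while `.name` and `.soln` stay Ukrainian, users of this locale will see one alert in two languages; if this is a sync that drops stale translations, the two remaining Ukrainian values here deserve the same review before the next sync overwrites them.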
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = \u041d\u0435 \u0432\u0434\u0430 ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = \u041d\u0430\u043b\u0430\u0448\u0442\u0443\u0439\u0442\u0435 \u0432\u0430\u0448 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u0430\u0431\u043e \u0441\u0435\u0440\u0432\u0435\u0440 \u0437\u0430\u0441\u0442\u043e\u0441\u0443\u043d\u043a\u0456\u0432 \u043d\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f SSL (https). -ascanbeta.httpoxy.desc = \u0421\u0435\u0440\u0432\u0435\u0440 \u0456\u043d\u0456\u0446\u0456\u044e\u0432\u0430\u0432 \u043f\u0440\u043e\u043a\u0441\u0456-\u0437\u0430\u043f\u0438\u0442 \u0447\u0435\u0440\u0435\u0437 \u043f\u0440\u043e\u043a\u0441\u0456, \u0432\u043a\u0430\u0437\u0430\u043d\u0438\u0439 \u0443 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0443 HTTP Proxy \u0437\u0430\u043f\u0438\u0442\u0443.Httpoxy \u0437\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u0432\u043f\u043b\u0438\u0432\u0430\u0454 \u043d\u0430 \u043a\u043e\u0434, \u0449\u043e \u043f\u0440\u0430\u0446\u044e\u0454 \u0432 CGI \u0430\u0431\u043e CGI-\u043f\u043e\u0434\u0456\u0431\u043d\u0438\u0445 \u0441\u0435\u0440\u0435\u0434\u043e\u0432\u0438\u0449\u0430\u0445.\n\u0426\u0435 \u043c\u043e\u0436\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u0438 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0430\u043c\:\n* \u041a\u0435\u0440\u0443\u0432\u0430\u0442\u0438 \u0432\u0438\u0445\u0456\u0434\u043d\u0438\u043c\u0438 HTTP-\u0437\u0430\u043f\u0438\u0442\u0430\u043c\u0438, \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u0438\u043c\u0438 \u0432\u0435\u0431\u0434\u043e\u0434\u0430\u0442\u043a\u043e\u043c\n* \u0421\u043f\u0440\u044f\u043c\u0443\u0432\u0430\u0442\u0438 \u0441\u0435\u0440\u0432\u0435\u0440 \u043d\u0430 
\u0432\u0456\u0434\u043a\u0440\u0438\u0442\u0442\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u0438\u0445 \u0437'\u0454\u0434\u043d\u0430\u043d\u044c \u043d\u0430 \u043e\u0431\u0440\u0430\u043d\u0443 \u043d\u0438\u043c\u0438 \u0430\u0434\u0440\u0435\u0441\u0443 \u0456 \u043f\u043e\u0440\u0442 \u0430\u0431\u043e\n* \u0417\u0430\u0431\u043b\u043e\u043a\u0443\u0432\u0430\u0442\u0438 \u0440\u0435\u0441\u0443\u0440\u0441\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u0437\u043c\u0443\u0441\u0438\u0432\u0448\u0438 \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u0435 \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0435\u043d\u043d\u044f \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 \u0448\u043a\u0456\u0434\u043b\u0438\u0432\u0438\u0439 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440 +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. 
ascanbeta.httpoxy.name = Httpoxy - \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 ascanbeta.httpoxy.otherinfo = \u0412\u0438\u0445\u0456\u0434\u043d\u0435 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u0434\u043e {0} \u0431\u0443\u043b\u043e \u0441\u043a\u0435\u0440\u043e\u0432\u0430\u043d\u0435 \u0447\u0435\u0440\u0435\u0437 \u0445\u043e\u0441\u0442 \u0442\u0430 \u043f\u043e\u0440\u0442, \u044f\u043a\u0456 ZAP \u0432\u0441\u0442\u0430\u0432\u0438\u0432 \u0443 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP-\u043f\u0440\u043e\u043a\u0441\u0456. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = \u043c\u0435\u0440\u0435\u0436\u0435\u0432\u0435 \u0440\u043e\u0437\u0448\u0438\u0440\u0435\u043d\u043d\u044f \u0432\u0438\u043c\u043a\u043d\u0435\u043d\u043e ascanbeta.httpoxy.soln = \u041d\u0430\u0439\u043a\u0440\u0430\u0449\u0438\u043c \u043d\u0435\u0433\u0430\u0439\u043d\u0438\u043c \u0440\u0456\u0448\u0435\u043d\u043d\u044f\u043c \u0454 \u0431\u043b\u043e\u043a\u0443\u0432\u0430\u043d\u043d\u044f \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0456\u0432 \u043f\u0440\u043e\u043a\u0441\u0456-\u0437\u0430\u043f\u0438\u0442\u0456\u0432 \u044f\u043a\u043e\u043c\u043e\u0433\u0430 \u0440\u0430\u043d\u0456\u0448\u0435, \u0434\u043e \u0442\u043e\u0433\u043e, \u044f\u043a \u0432\u043e\u043d\u0438 \u043f\u043e\u0442\u0440\u0430\u043f\u043b\u044f\u0442\u044c \u0434\u043e \u0432\u0430\u0448\u043e\u0433\u043e \u0434\u043e\u0434\u0430\u0442\u043a\u0443. 
-ascanbeta.httpsashttp.desc = \u0412\u043c\u0456\u0441\u0442, \u0434\u043e \u044f\u043a\u043e\u0433\u043e \u0441\u043f\u043e\u0447\u0430\u0442\u043a\u0443 \u0431\u0443\u0432 \u0434\u043e\u0441\u0442\u0443\u043f \u0447\u0435\u0440\u0435\u0437 HTTPS (\u0442\u043e\u0431\u0442\u043e \u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f\u043c \u0448\u0438\u0444\u0440\u0443\u0432\u0430\u043d\u043d\u044f SSL/TLS), \u0442\u0430\u043a\u043e\u0436 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0438\u0439 \u0447\u0435\u0440\u0435\u0437 HTTP (\u0431\u0435\u0437 \u0448\u0438\u0444\u0440\u0443\u0432\u0430\u043d\u043d\u044f). +ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS-\u0432\u043c\u0456\u0441\u0442 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0438\u0439 \u0447\u0435\u0440\u0435\u0437 HTTP ascanbeta.httpsashttp.otherinfo = \u0421\u043f\u0440\u043e\u0431\u0430 \u043f\u0456\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044f ZAP \u0447\u0435\u0440\u0435\u0437\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0432\u0430\u0448\u0456 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u0434\u0430\u0442\u043a\u0443, \u0431\u0430\u043b\u0430\u043d\u0441\u0443\u0432\u0430\u043d\u043d\u044f \u043d\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0456 \u0442.\u043f. 
\u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0456 \u043d\u0430 \u043e\u0431\u0441\u043b\u0443\u0433\u043e\u0432\u0443\u0432\u0430\u043d\u043d\u044f \u0442\u0430\u043a\u043e\u0433\u043e \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0443 \u043b\u0438\u0448\u0435 \u0447\u0435\u0440\u0435\u0437 HTTPS. \u0420\u043e\u0437\u0433\u043b\u044f\u043d\u044c\u0442\u0435 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = \u041c\u0435\u0442\u043e\u0434 \u043d\u0435\u0431\u0435\u0437\u043f\u0435\u0447\u043d\u043e\u0433\u043e HTTP [{0}] \u0443\u0432\u0456\u043c\u043a\u043d\u0435\u043d\u043e \u0434\u043b\u044f \u0446\u044c\u043e\u0433\u043e \u0440\u0435\u0441\u0443\u0440\u0441\u0443 \u0442\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043e. \u0412\u0438\u044f\u0432\u0438\u043b\u043e\u0441\u044f, \u0449\u043e \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0446\u044c\u043e\u0433\u043e HTTP-\u043c\u0435\u0442\u043e\u0434\u0443 \u043c\u043e\u0436\u043d\u0430 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u0442\u0443\u043d\u0435\u043b\u044c\u043e\u0432\u0430\u043d\u0435 \u0437''\u0454\u0434\u043d\u0430\u043d\u043d\u044f \u0437\u0456 \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0456\u043c \u0441\u0435\u0440\u0432\u0456\u0441\u043e\u043c. 
\u0426\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u0438\u043b\u043e \u0431 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 \u0441\u0435\u0440\u0432\u0456\u0441 \u044f\u043a \u0430\u043d\u043e\u043d\u0456\u043c\u043d\u0438\u0439 \u0440\u0435\u0442\u0440\u0430\u043d\u0441\u043b\u044f\u0442\u043e\u0440 \u0441\u043f\u0430\u043c\u0443 \u0430\u0431\u043e \u044f\u043a \u0432\u0435\u0431\u043f\u0440\u043e\u043a\u0441\u0456, \u043e\u0431\u0456\u0439\u0448\u043e\u0432\u0448\u0438 \u043e\u0431\u043c\u0435\u0436\u0435\u043d\u043d\u044f \u043c\u0435\u0440\u0435\u0436\u0456. \u0426\u0435 \u0442\u0430\u043a\u043e\u0436 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 \u0439\u043e\u0433\u043e, \u0449\u043e\u0431 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u0442\u0443\u043d\u0435\u043b\u044c\u043e\u0432\u0430\u043d\u0438\u0439 VPN, \u0435\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u043e \u0440\u043e\u0437\u0448\u0438\u0440\u0438\u0432\u0448\u0438 \u043f\u0435\u0440\u0438\u043c\u0435\u0442\u0440 \u043c\u0435\u0440\u0435\u0436\u0456, \u0432\u043a\u043b\u044e\u0447\u0438\u0432\u0448\u0438 \u043d\u0435\u043d\u0430\u0434\u0456\u0439\u043d\u0456 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0438. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = \u041c\u0435\u0442\u043e\u0434 CONNECT \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043e, \u0449\u043e\u0431 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u0441\u043e\u043a\u0435\u0442\u043d\u0435 \u043f\u0456\u0434\u043a\u043b\u044e\u0447\u0435\u043d\u043d\u044f \u0434\u043e [{0}], \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440. ascanbeta.insecurehttpmethod.delete.exploitable.desc = \u0426\u0435\u0439 \u043c\u0435\u0442\u043e\u0434 \u043d\u0430\u0439\u0447\u0430\u0441\u0442\u0456\u0448\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u0432 \u0441\u0435\u0440\u0432\u0456\u0441\u0430\u0445 REST. \u0412\u0456\u043d \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f, \u0449\u043e\u0431 \u0432\u0438\u0434\u0430\u043b\u0438\u0442\u0438 \u0440\u0435\u0441\u0443\u0440\u0441. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = \u041f\u0435\u0440\u0435\u0433\u043b\u044f\u043d\u044c\u0442\u0435 \u043e\u0431\u0433\u043e\u0432\u043e\u0440\u0435\u043d\u043d\u044f \u0449\u043e\u0434\u043e stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, \u0449\u043e\u0431 \u0437\u0440\u043e\u0437\u0443\u043c\u0456\u0442\u0438 \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0457 REST, \u0434\u0438\u0432.\: https\://www.restapitutorial.com/lessons/httpmethods.html 
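Review bot: the added `ascanbeta.httpoxy.desc` carries "of the request.Httpoxy typically affects code" with no space after the period, and the removed Ukrainian line had the same "запиту.Httpoxy"; the defect is in the source English string, so fix it in the source properties rather than in this locale file, otherwise the next sync reintroduces it. The other `+` lines in this hunk (`httpsashttp.desc`, `insecurehttpmethod.connect.exploitable.desc`) are clean English source text.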
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = \u041f\u0435\u0440\ ascanbeta.insecurehttpmethod.patch.exploitable.desc = \u0426\u0435\u0439 \u043c\u0435\u0442\u043e\u0434 \u043d\u0430\u0439\u0447\u0430\u0441\u0442\u0456\u0448\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u0432 \u0441\u0435\u0440\u0432\u0456\u0441\u0430\u0445 REST, PATCH \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f, \u0449\u043e\u0431 **\u0437\u043c\u0456\u043d\u0438\u0442\u0438** \u043c\u043e\u0436\u043b\u0438\u0432\u043e\u0441\u0442\u0456. \u0417\u0430\u043f\u0438\u0442 PATCH \u043c\u0430\u0454 \u043b\u0438\u0448\u0435 \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u0437\u043c\u0456\u043d\u0438 \u0440\u0435\u0441\u0443\u0440\u0441\u0443, \u0430 \u043d\u0435 \u0432\u0435\u0441\u044c \u0440\u0435\u0441\u0443\u0440\u0441. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = \u041f\u0435\u0440\u0435\u0433\u043b\u044f\u043d\u044c\u0442\u0435 \u043e\u0431\u0433\u043e\u0432\u043e\u0440\u0435\u043d\u043d\u044f \u0449\u043e\u0434\u043e stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, \u0449\u043e\u0431 \u0437\u0440\u043e\u0437\u0443\u043c\u0456\u0442\u0438 \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0457 REST, \u0434\u0438\u0432.\: https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = \u043a\u043e\u0434 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 {0} \u0434\u043e \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u043e \u043d\u0435\u0431\u0435\u0437\u043f\u0435\u0447\u043d\u043e\u0433\u043e HTTP \u041c\u0415\u0422\u041e\u0414\u0423 -ascanbeta.insecurehttpmethod.put.exploitable.desc = \u0426\u0435\u0439 \u043c\u0435\u0442\u043e\u0434 \u0441\u043f\u043e\u0447\u0430\u0442\u043a\u0443 \u043f\u0440\u0438\u0437\u043d\u0430\u0447\u0430\u0432\u0441\u044f 
\u0434\u043b\u044f \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0439 \u0437 \u043a\u0435\u0440\u0443\u0432\u0430\u043d\u043d\u044f\u043c \u0444\u0430\u0439\u043b\u0430\u043c\u0438. \u0417\u0430\u0440\u0430\u0437 \u0432\u043e\u043d\u0430 \u043d\u0430\u0439\u0447\u0430\u0441\u0442\u0456\u0448\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u0432 REST-\u0441\u0435\u0440\u0432\u0456\u0441\u0430\u0445, PUT \u043d\u0430\u0439\u0447\u0430\u0441\u0442\u0456\u0448\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u0434\u043b\u044f **\u043e\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f** \u043c\u043e\u0436\u043b\u0438\u0432\u043e\u0441\u0442\u0435\u0439, PUT \u0434\u043e \u0432\u0456\u0434\u043e\u043c\u043e\u0433\u043e URI \u0440\u0435\u0441\u0443\u0440\u0441\u0443 \u0437 \u0442\u0456\u043b\u043e\u043c \u0437\u0430\u043f\u0438\u0442\u0443, \u0449\u043e \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043d\u0435\u0449\u043e\u0434\u0430\u0432\u043d\u043e \u043e\u043d\u043e\u0432\u043b\u0435\u043d\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u044f \u043e\u0440\u0438\u0433\u0456\u043d\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0440\u0435\u0441\u0443\u0440\u0441\u0443.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. 
ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = \u041f\u0435\u0440\u0435\u0433\u043b\u044f\u043d\u044c\u0442\u0435 \u043e\u0431\u0433\u043e\u0432\u043e\u0440\u0435\u043d\u043d\u044f \u0449\u043e\u0434\u043e stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, \u0449\u043e\u0431 \u0437\u0440\u043e\u0437\u0443\u043c\u0456\u0442\u0438 \u043e\u043f\u0435\u0440\u0430\u0446\u0456\u0457 REST, \u0434\u0438\u0432.\: https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = \u0412\u0438\u043c\u043a\u043d\u0456\u0442\u044c \u043d\u0435\u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0456 \u043c\u0435\u0442\u043e\u0434\u0438 TRACK, TRACE, \u0442\u0430 CONNECT \u043d\u0430 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u0442\u0430 \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0440\u0435\u0430\u043b\u0456\u0437\u0430\u0446\u0456\u044f \u0431\u0430\u0437\u043e\u0432\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0456\u0441\u0443 \u043d\u0435 \u043f\u0456\u0434\u0442\u0440\u0438\u043c\u0443\u0454 \u043d\u0435\u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0456 \u043c\u0435\u0442\u043e\u0434\u0438. ascanbeta.insecurehttpmethod.trace.exploitable.desc = \u0414\u043b\u044f \u0446\u044c\u043e\u0433\u043e \u0440\u0435\u0441\u0443\u0440\u0441\u0443 \u0443\u0432\u0456\u043c\u043a\u043d\u0435\u043d\u043e \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 HTTP-\u043c\u0435\u0442\u043e\u0434 [{0}], \u044f\u043a\u0438\u0439 \u043c\u043e\u0436\u043d\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438. 
\u041c\u0435\u0442\u043e\u0434\u0438 TRACK \u0456 TRACE \u043c\u043e\u0436\u0443\u0442\u044c \u0431\u0443\u0442\u0438 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u0456 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u043e\u043c \u0434\u043b\u044f \u043e\u0442\u0440\u0438\u043c\u0430\u043d\u043d\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0443 \u0434\u043e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457 \u043c\u0430\u0440\u043a\u0435\u0440\u0443 \u0430\u0431\u043e \u0441\u0435\u0441\u0456\u0439\u043d\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0443 cookie \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0438, \u043d\u0430\u0432\u0456\u0442\u044c \u044f\u043a\u0449\u043e \u0441\u0435\u0441\u0456\u0439\u043d\u0438\u0439 \u0444\u0430\u0439\u043b cookie \u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043f\u0440\u0430\u043f\u043e\u0440\u043e\u043c "HttpOnly". 
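Review bot: the added `ascanbeta.insecurehttpmethod.put.exploitable.desc` contains the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI ...", which reads as one run-on sentence; splitting after "REST services." makes the alert text readable, and as with the httpoxy string this should be corrected in the English source so the fix survives the next sync.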
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = \u0426\u0435\u0439 HTTP-\ ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = \u0414\u0438\u0432\u0456\u0442\u044c\u0441\u044f \u043e\u0431\u0433\u043e\u0432\u043e\u0440\u0435\u043d\u043d\u044f \u043d\u0430 stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = \u0423\u043c\u043e\u0432\u0430 \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f \u0446\u0456\u043b\u043e\u0433\u043e \u0447\u0438\u0441\u043b\u0430 \u0432\u0438\u043d\u0438\u043a\u0430\u0454, \u043a\u043e\u043b\u0438 \u0446\u0456\u043b\u0435 \u0447\u0438\u0441\u043b\u043e, \u0449\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u0443 \u0441\u043a\u043e\u043c\u043f\u0456\u043b\u044c\u043e\u0432\u0430\u043d\u0456\u0439 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0456, \u0432\u0438\u0445\u043e\u0434\u0438\u0442\u044c \u0437\u0430 \u043c\u0435\u0436\u0456 \u0434\u0456\u0430\u043f\u0430\u0437\u043e\u043d\u0443 \u0456 \u043d\u0435 \u0431\u0443\u043b\u043e \u043d\u0430\u043b\u0435\u0436\u043d\u0438\u043c \u0447\u0438\u043d\u043e\u043c \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0435\u043d\u043e \u0437 \u0432\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043f\u043e\u0442\u043e\u043a\u0443. -ascanbeta.integeroverflow.error1 = \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f. \u041a\u043e\u0434 \u0441\u0442\u0430\u043d\u0443 \u0437\u043c\u0456\u043d\u0438\u0432\u0441\u044f \u043f\u0440\u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u0456 \u0434\u043e\u0432\u0433\u043e\u0433\u043e \u0440\u044f\u0434\u043a\u0430 \u0432\u0438\u043f\u0430\u0434\u043a\u043e\u0432\u0438\u0445 \u0446\u0456\u043b\u0438\u0445 \u0447\u0438\u0441\u0435\u043b. 
-ascanbeta.integeroverflow.error2 = \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f. \u041a\u043e\u0434 \u0441\u0442\u0430\u043d\u0443 \u0437\u043c\u0456\u043d\u0438\u0432\u0441\u044f \u043f\u0440\u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u0456 \u0434\u043e\u0432\u0433\u043e\u0433\u043e \u0440\u044f\u0434\u043a\u0430 \u043d\u0443\u043b\u0456\u0432. -ascanbeta.integeroverflow.error3 = \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f. \u041a\u043e\u0434 \u0441\u0442\u0430\u043d\u0443 \u0437\u043c\u0456\u043d\u0438\u0432\u0441\u044f \u043f\u0440\u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u0456 \u0434\u043e\u0432\u0433\u043e\u0433\u043e \u0440\u044f\u0434\u043a\u0430 \u043e\u0434\u0438\u043d\u0438\u0446\u044c. -ascanbeta.integeroverflow.error4 = \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u0435 \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f. \u041a\u043e\u0434 \u0441\u0442\u0430\u043d\u0443 \u0437\u043c\u0456\u043d\u0438\u0432\u0441\u044f \u043f\u0440\u0438 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u0456 \u0434\u043e\u0432\u0433\u043e\u0433\u043e \u0440\u044f\u0434\u043a\u0430 \u0434\u0435\u0432'\u044f\u0442\u043e\u043a. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. 
Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = \u041f\u043e\u043c\u0438\u043b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043d\u043e\u0433\u043e \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = \u0429\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 \u043f\u0435\u0440\u0435\u043f\u043e\u0432\u043d\u0435\u043d\u043d\u044f\u043c \u0456 \u043f\u043e\u043c\u0438\u043b\u043a\u0430\u043c \u0434\u0456\u043b\u0435\u043d\u043d\u044f \u043d\u0430 0 (\u043d\u0443\u043b\u044c) \u0443 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0456, \u0431\u0443\u0434\u044c \u043b\u0430\u0441\u043a\u0430, \u043f\u0435\u0440\u0435\u043f\u0438\u0448\u0456\u0442\u044c \u0431\u0435\u043a\u0435\u043d\u0434-\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0443, \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0438\u0432\u0448\u0438, \u0447\u0438 \u0437\u043d\u0430\u0445\u043e\u0434\u044f\u0442\u044c\u0441\u044f \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0446\u0456\u043b\u0438\u0445 \u0447\u0438\u0441\u0435\u043b, \u0449\u043e \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u044e\u0442\u044c\u0441\u044f, \u0432 \u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u043e\u043c\u0443 \u0434\u0456\u0430\u043f\u0430\u0437\u043e\u043d\u0456 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0438. \u0426\u0435 \u0432\u0438\u043c\u0430\u0433\u0430\u0442\u0438\u043c\u0435 \u043f\u0435\u0440\u0435\u043a\u043e\u043c\u043f\u0456\u043b\u044f\u0446\u0456\u0457 \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u043d\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0443 \u0431\u0435\u043a\u0435\u043d\u0434\u0430. 
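Review bot: the four `+ascanbeta.integeroverflow.error*` lines now say "Potential Integer Overflow", but the unchanged `ascanbeta.integeroverflow.name` context line still reads "Помилка програмного переповнення" ("program overflow error"), which does not name an integer overflow at all; the `.desc` line in the same hunk already uses the correct term "переповнення цілого числа", so the `.name` value should be aligned with it (for example "Переповнення цілого числа") or be reverted to the English source like the error strings.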
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = \u043d\u0435 \u0432\u0438\u0431\u0440\u0430\u043d\u043e \u0441\u043b\u0443\u0436\u0431\u0443 Active Scan OAST. ascanbeta.proxydisclosure.attack = \u041c\u0435\u0442\u043e\u0434\u0438 TRACE, OPTIONS \u0437 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u043c 'Max-Forwards'. \u041c\u0435\u0442\u043e\u0434 TRACK. -ascanbeta.proxydisclosure.desc = {0} \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440(\u0456\u0432) \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u0430\u0431\u043e \u0437\u043d\u044f\u0442\u043e \u0432\u0456\u0434\u0431\u0438\u0442\u043a\u0438 \u043f\u0430\u043b\u044c\u0446\u0456\u0432. \u0426\u044f \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044f \u0434\u043e\u043f\u043e\u043c\u0430\u0433\u0430\u0454 \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u043e\u043c\u0443 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0443 \u0432\u0438\u0437\u043d\u0430\u0447\u0438\u0442\u0438\n - \u0421\u043f\u0438\u0441\u043e\u043a \u0446\u0456\u043b\u0435\u0439 \u0434\u043b\u044f \u0430\u0442\u0430\u043a\u0438 \u043d\u0430 \u0434\u043e\u0434\u0430\u0442\u043e\u043a.\n - \u041f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0456 \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u043e\u0441\u0442\u0456 \u043d\u0430 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445, \u044f\u043a\u0456 \u043e\u0431\u0441\u043b\u0443\u0433\u043e\u0432\u0443\u044e\u0442\u044c \u0434\u043e\u0434\u0430\u0442\u043e\u043a.\n - \u041d\u0430\u044f\u0432\u043d\u0456\u0441\u0442\u044c \u0430\u0431\u043e \u0432\u0456\u0434\u0441\u0443\u0442\u043d\u0456\u0441\u0442\u044c \u0431\u0443\u0434\u044c-\u044f\u043a\u0438\u0445 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0456\u0432 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u043f\u0440\u043e\u043a\u0441\u0456, \u044f\u043a\u0456 
\u043c\u043e\u0436\u0443\u0442\u044c \u0441\u043f\u0440\u0438\u0447\u0438\u043d\u0438\u0442\u0438 \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043d\u044f, \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0430\u043d\u043d\u044f \u0430\u0431\u043e \u043f\u043e\u043c\u2019\u044f\u043a\u0448\u0435\u043d\u043d\u044f \u0430\u0442\u0430\u043a \u043d\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0443. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = \u0417\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u043c\u0435\u0442\u043e\u0434\u0456\u0432 TRACE, OPTIONS \u0456 TRACK \u0431\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u043d\u0430\u0441\u0442\u0443\u043f\u043d\u0456 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0438 \u043c\u0456\u0436 ZAP \u0456 \u0434\u043e\u0434\u0430\u0442\u043a\u043e\u043c/\u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = \u0411\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u043d\u0430\u0441\u0442\u0443\u043f\u043d\u0456 'silent' \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0438. 
\u0427\u0435\u0440\u0435\u0437 \u0457\u0445\u043d\u044e \u043f\u043e\u0432\u0435\u0434\u0456\u043d\u043a\u0443 \u043d\u0435\u0432\u0456\u0434\u043e\u043c\u043e, \u0432 \u044f\u043a\u0456\u0439 \u0442\u043e\u0447\u0446\u0456 \u0442\u043e\u043f\u043e\u043b\u043e\u0433\u0456\u0457 \u043c\u0435\u0440\u0435\u0436\u0456 \u0437\u043d\u0430\u0445\u043e\u0434\u044f\u0442\u044c\u0441\u044f \u0446\u0456 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0438\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = \u041c\u0435\u0442\u043e\u0434 "TRACE" \u0443\u0432\u0456\u043c\u043a\u043d\u0435\u043d\u043e \u043d\u0430 \u043e\u0434\u043d\u043e\u043c\u0443 \u0430\u0431\u043e \u0434\u0435\u043a\u0456\u043b\u044c\u043a\u043e\u0445 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445 \u0430\u0431\u043e \u043d\u0430 \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u043c\u0443 \u0441\u0435\u0440\u0432\u0435\u0440\u0456. \u0426\u0435\u0439 \u043c\u0435\u0442\u043e\u0434 \u043f\u0435\u0440\u0435\u0434\u0430\u0454 \u0432\u0441\u044e \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e, \u043f\u0435\u0440\u0435\u0434\u0430\u043d\u0443 \u0437 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 \u0456 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0456\u0432, \u043d\u0430\u0437\u0430\u0434 \u0430\u0433\u0435\u043d\u0442\u0443 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430. \u0426\u0435 \u043c\u043e\u0436\u0435 \u043f\u043e\u043b\u0435\u0433\u0448\u0438\u0442\u0438 \u043f\u0440\u043e\u0432\u0435\u0434\u0435\u043d\u043d\u044f \u0430\u0442\u0430\u043a "\u043c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0432\u0456\u0434\u0441\u0442\u0435\u0436\u0435\u043d\u043d\u044f". +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = \u041d\u0435\u0432\u0456\u0434\u043e\u043c\u043e ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = \u0411\u0443\u043b\u043e \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u043d\u0430\u0441\u0442\u0443\u043f\u043d\u0438\u0439 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440/\u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u0434\u0430\u0442\u043a\u0456\u0432\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = \u0420\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044f \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 \u043f\u0440\u043e \u0434\u043e\u0432\u0456\u0440\u0435\u043d\u0438\u0445 \u043e\u0441\u0456\u0431 ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = \u0412\u0438\u043c\u043a\u043d\u0456\u0442\u044c \u043c\u0435\u0442\u043e\u0434 'TRACE' \u043d\u0430 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445, \u0430 \u0442\u0430\u043a\u043e\u0436 \u043d\u0430 \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u043c\u0443 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0456/\u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u0434\u043e\u0434\u0430\u0442\u043a\u0456\u0432.\n\u0412\u0438\u043c\u043a\u043d\u0456\u0442\u044c \u043c\u0435\u0442\u043e\u0434 'OPTIONS' \u043d\u0430 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u0445, \u0430 \u0442\u0430\u043a\u043e\u0436 \u043d\u0430 \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u043c\u0443 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0456/\u0441\u0435\u0440\u0432\u0435\u0440\u0456 
\u0434\u043e\u0434\u0430\u0442\u043a\u0456\u0432, \u044f\u043a\u0449\u043e \u0432\u0456\u043d \u043d\u0435 \u043f\u043e\u0442\u0440\u0456\u0431\u043d\u0438\u0439 \u0434\u043b\u044f \u0456\u043d\u0448\u0438\u0445 \u0446\u0456\u043b\u0435\u0439, \u044f\u043a 'CORS' (Cross Origin Resource Sharing).\n\u041d\u0430\u043b\u0430\u0448\u0442\u0443\u0439\u0442\u0435 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0438 \u0442\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0438 \u0434\u043e\u0434\u0430\u0442\u043a\u0456\u0432 \u0437\u0456 \u0441\u043f\u0435\u0446\u0456\u0430\u043b\u044c\u043d\u0438\u043c\u0438 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0430\u043c\u0438 \u043f\u043e\u043c\u0438\u043b\u043e\u043a, \u0449\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 \u0432\u0438\u0442\u043e\u043a\u0443 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u0432\u0456 \u0441\u0442\u043e\u0440\u0456\u043d\u043e\u043a \u043f\u043e\u043c\u0438\u043b\u043e\u043a, \u0445\u0430\u0440\u0430\u043a\u0442\u0435\u0440\u043d\u0438\u0445 \u0434\u043b\u044f \u043a\u043e\u043d\u043a\u0440\u0435\u0442\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u0443, \u0443 \u0440\u0430\u0437\u0456 \u0432\u0438\u043d\u0438\u043a\u043d\u0435\u043d\u043d\u044f \u043f\u043e\u043c\u0438\u043b\u043e\u043a HTTP, \u0442\u0430\u043a\u0438\u0445 \u044f\u043a \u0437\u0430\u043f\u0438\u0442\u0438 'TRACK' \u0434\u043b\u044f \u043d\u0435\u0456\u0441\u043d\u0443\u044e\u0447\u0438\u0445 \u0441\u0442\u043e\u0440\u0456\u043d\u043e\u043a.\n\u041d\u0430\u043b\u0430\u0448\u0442\u0443\u0439\u0442\u0435 \u0432\u0441\u0456 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0438, \u0441\u0435\u0440\u0432\u0435\u0440\u0438 \u0434\u043e\u0434\u0430\u0442\u043a\u0456\u0432 \u0456 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0438 \u0442\u0430\u043a, \u0449\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 
\u0440\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044e \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 \u043f\u0440\u043e \u0442\u0435\u0445\u043d\u043e\u043b\u043e\u0433\u0456\u044e \u0442\u0430 \u0432\u0435\u0440\u0441\u0456\u044e \u0432 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430\u0445 HTTP-\u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0435\u0439 'Server' \u0456 'X-Powered-By'. ascanbeta.relativepathconfusion.desc = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u043e \u043d\u0430 \u043d\u0430\u0434\u0430\u043d\u043d\u044f \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0435\u0439 \u043d\u0430 \u043d\u0435\u043e\u0434\u043d\u043e\u0437\u043d\u0430\u0447\u043d\u0456 URL-\u0430\u0434\u0440\u0435\u0441\u0438 \u0442\u0430\u043a\u0438\u043c \u0447\u0438\u043d\u043e\u043c, \u0449\u043e \u043c\u043e\u0436\u0435 \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u043f\u043b\u0443\u0442\u0430\u043d\u0438\u043d\u0438 \u0449\u043e\u0434\u043e \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0433\u043e \u00ab\u0432\u0456\u0434\u043d\u043e\u0441\u043d\u043e\u0433\u043e \u0448\u043b\u044f\u0445\u0443\u00bb \u0434\u043b\u044f URL-\u0430\u0434\u0440\u0435\u0441\u0438. \u0420\u0435\u0441\u0443\u0440\u0441\u0438 (CSS, \u0437\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u043d\u044f \u0442\u043e\u0449\u043e) \u0442\u0430\u043a\u043e\u0436 \u0432\u043a\u0430\u0437\u0443\u044e\u0442\u044c\u0441\u044f \u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0432\u0456\u0434\u043d\u043e\u0441\u043d\u0438\u0445, \u0430 \u043d\u0435 \u0430\u0431\u0441\u043e\u043b\u044e\u0442\u043d\u0438\u0445 URL-\u0430\u0434\u0440\u0435\u0441. 
\u041f\u0456\u0434 \u0447\u0430\u0441 \u0430\u0442\u0430\u043a\u0438, \u044f\u043a\u0449\u043e \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0430\u043d\u0430\u043b\u0456\u0437\u0443\u0454 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u00ab\u043f\u0435\u0440\u0435\u0445\u0440\u0435\u0441\u043d\u043e\u0433\u043e \u0432\u043c\u0456\u0441\u0442\u0443\u00bb \u0434\u043e\u0437\u0432\u0456\u043b\u044c\u043d\u0438\u043c \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u043c \u0430\u0431\u043e \u0439\u043e\u0433\u043e \u043c\u043e\u0436\u043d\u0430 \u043e\u0431\u043c\u0430\u043d\u043e\u043c \u0437\u043c\u0443\u0441\u0438\u0442\u0438 \u0434\u043e\u0437\u0432\u043e\u043b\u0435\u043d\u043e \u0430\u043d\u0430\u043b\u0456\u0437\u0443\u0432\u0430\u0442\u0438 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u00ab\u043f\u0435\u0440\u0435\u0445\u0440\u0435\u0441\u043d\u043e\u0433\u043e \u0432\u043c\u0456\u0441\u0442\u0443\u00bb, \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0447\u0438 \u0442\u0430\u043a\u0456 \u043c\u0435\u0442\u043e\u0434\u0438, \u044f\u043a \u0444\u0440\u0435\u0439\u043c\u0443\u0432\u0430\u043d\u043d\u044f, \u0442\u043e\u0434\u0456 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u043c\u043e\u0436\u043d\u0430 \u043e\u0431\u0434\u0443\u0440\u0438\u0442\u0438, \u0449\u043e\u0431 \u0456\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0446\u0456\u044f HTML \u044f\u043a CSS (\u0430\u0431\u043e \u0456\u043d\u0448\u0438\u0445 \u0442\u0438\u043f\u0456\u0432 \u0432\u043c\u0456\u0441\u0442\u0443), \u0449\u043e \u043f\u0440\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u044c \u0434\u043e \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u043e\u0441\u0442\u0456 XSS. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = \u0412\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u0442\u0438\u043f \u0432\u043c\u0456\u0441\u0442\u0443 "{0}". 
\u042f\u043a\u0449\u043e \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454 \u0441\u0443\u0432\u043e\u0440\u0456 \u043f\u0440\u0430\u0432\u0438\u043b\u0430 \u0441\u0438\u043d\u0442\u0430\u043a\u0441\u0438\u0447\u043d\u043e\u0433\u043e \u0430\u043d\u0430\u043b\u0456\u0437\u0443, \u0446\u0435 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0430\u0442\u0438\u043c\u0435 \u0443\u0441\u043f\u0456\u0445\u0443 \u043f\u0435\u0440\u0435\u0445\u0440\u0435\u0441\u043d\u0438\u0445 \u0430\u0442\u0430\u043a \u043d\u0430 \u0432\u043c\u0456\u0441\u0442. \u0420\u0435\u0436\u0438\u043c \u0441\u0443\u043c\u0456\u0441\u043d\u043e\u0441\u0442\u0456 \u0443 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0456 \u0432\u0438\u043c\u043a\u043d\u0435 \u0441\u0443\u0432\u043e\u0440\u0438\u0439 \u0430\u043d\u0430\u043b\u0456\u0437. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. 
ascanbeta.relativepathconfusion.extrainfo.framingallowed = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a X-Frame-Options \u043d\u0435 \u0432\u043a\u0430\u0437\u0430\u043d\u043e, \u0442\u043e\u043c\u0443 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443 \u043c\u043e\u0436\u043d\u0430 \u043f\u043e\u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u0432 \u0440\u0430\u043c\u043a\u0443, \u0456 \u0446\u0435 \u043c\u043e\u0436\u043d\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 \u0434\u043b\u044f \u0432\u0432\u0456\u043c\u043a\u043d\u0435\u043d\u043d\u044f \u0440\u0435\u0436\u0438\u043c\u0443 \u0441\u0443\u043c\u0456\u0441\u043d\u043e\u0441\u0442\u0456, \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u043e\u0431\u0456\u0439\u0442\u0438 \u0432\u043a\u0430\u0437\u0430\u043d\u0438\u0439 \u0442\u0438\u043f \u0432\u043c\u0456\u0441\u0442\u0443. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = \u0411\u0456\u043b\u044c\u0448 \u043d\u0456\u0436 \u043e\u0434\u0438\u043d \u0442\u0435\u0433 \u0431\u0443\u043b\u043e \u0432\u043a\u0430\u0437\u0430\u043d\u043e \u0432 \u0442\u0435\u0433\u0443 HTML \u0434\u043b\u044f \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0440\u043e\u0437\u0442\u0430\u0448\u0443\u0432\u0430\u043d\u043d\u044f \u0432\u0456\u0434\u043d\u043e\u0441\u043d\u0438\u0445 URL-\u0430\u0434\u0440\u0435\u0441, \u0449\u043e \u0454 \u043d\u0435\u043f\u0440\u0438\u043f\u0443\u0441\u0442\u0438\u043c\u0438\u043c. ascanbeta.relativepathconfusion.extrainfo.nobasetag = \u0422\u0435\u0433 \u043d\u0435 \u0432\u043a\u0430\u0437\u0430\u043d\u043e \u0432 \u0442\u0435\u0433\u0443 HTML \u0434\u043b\u044f \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0440\u043e\u0437\u0442\u0430\u0448\u0443\u0432\u0430\u043d\u043d\u044f \u0432\u0456\u0434\u043d\u043e\u0441\u043d\u0438\u0445 URL-\u0430\u0434\u0440\u0435\u0441. 
-ascanbeta.relativepathconfusion.extrainfo.nocontenttype = \u0422\u0438\u043f \u0432\u043c\u0456\u0441\u0442\u0443 \u043d\u0435 \u0432\u043a\u0430\u0437\u0430\u043d\u043e, \u0442\u043e\u043c\u0443 \u0440\u0435\u0436\u0438\u043c \u0441\u0443\u043c\u0456\u0441\u043d\u043e\u0441\u0442\u0456 \u043d\u0435 \u043f\u043e\u0442\u0440\u0456\u0431\u0435\u043d \u0434\u043b\u044f \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u043e\u0441\u0442\u0456 \u0443 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0456. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = \u0420\u0435\u0436\u0438\u043c \u0441\u0443\u043c\u0456\u0441\u043d\u043e\u0441\u0442\u0456 \u044f\u0432\u043d\u043e \u0432\u043c\u0438\u043a\u0430\u0454\u0442\u044c\u0441\u044f \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e " \u0443 HTTP-\u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u043e\u0434\u043d\u043e\u0437\u043d\u0430\u0447\u043d\u043e \u0432\u0438\u0437\u043d\u0430\u0447\u0438\u0442\u044c \u0431\u0430\u0437\u043e\u0432\u0443 URL-\u0430\u0434\u0440\u0435\u0441\u0443 \u0434\u043b\u044f \u0432\u0441\u0456\u0445 \u0432\u0456\u0434\u043d\u043e\u0441\u043d\u0438\u0445 URL-\u0430\u0434\u0440\u0435\u0441 \u0443 \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0456.\n\u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP-\u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 "Content-Type", \u0449\u043e\u0431 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0443 \u0431\u0443\u043b\u043e \u0441\u043a\u043b\u0430\u0434\u043d\u0456\u0448\u0435 \u0437\u043c\u0443\u0441\u0438\u0442\u0438 
\u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u0456\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0443\u0432\u0430\u0442\u0438 \u0442\u0438\u043f \u0432\u043c\u0456\u0441\u0442\u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456.\n\u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP-\u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 "X-Content-Type-Options\: nosniff", \u0449\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 "\u0432\u0438\u043d\u044e\u0445\u0443\u0432\u0430\u043d\u043d\u044e" \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u043c \u0442\u0438\u043f\u0443 \u0432\u043c\u0456\u0441\u0442\u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456.\n\u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0441\u0443\u0447\u0430\u0441\u043d\u0438\u0439 DOCTYPE, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, "<\!doctype html>", \u0449\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 \u0432\u0456\u0434\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u043d\u044e \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u0443 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0456 \u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f\u043c "Quirks Mode", \u043e\u0441\u043a\u0456\u043b\u044c\u043a\u0438 \u0446\u0435 \u043f\u0440\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u044c \u0434\u043e \u0456\u0433\u043d\u043e\u0440\u0443\u0432\u0430\u043d\u043d\u044f \u0442\u0438\u043f\u0443 \u0432\u043c\u0456\u0441\u0442\u0443 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u043c.\n\u0412\u043a\u0430\u0436\u0456\u0442\u044c \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP-\u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 
"X-Frame-Options", \u0449\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 \u0432\u0432\u0456\u043c\u043a\u043d\u0435\u043d\u043d\u044e \u0440\u0435\u0436\u0438\u043c\u0443 Quirks Mode \u0443 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0456 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u043e\u0432\u0438\u0445 \u0430\u0442\u0430\u043a.\n\n\n\n +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = \u041f\u043e\u043b\u0435 {0}\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = \u0424\u0430\u0439\u043b cookie, \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c, \u043a\u043e\u043b\u0438 \u043f\u043e\u043b\u0435 cookie [{0}] \u043c\u0430\u0454 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f NULL\: [{1}]\n\u0424\u0430\u0439\u043b cookie, \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u0456\u0437 \u0437\u0430\u043f\u043e\u0437\u0438\u0447\u0435\u043d\u0438\u043c (\u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u0438\u043c) \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u043c cookie \u0443 \u0437\u0430\u043f\u0438\u0442\u0456 [{1}] \: [{2}] 
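Review bot: the `+` lines for ascanbeta.proxydisclosure.extrainfo.traceenabled, ascanbeta.proxydisclosure.extrainfo.webserver.header, ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled, ascanbeta.relativepathconfusion.extrainfo.nocontenttype and ascanbeta.relativepathconfusion.soln replace Ukrainian translations with the English source text inside a locale bundle, which regresses the localisation and leaves English copies in this file that will have to be kept in sync with the base bundle by hand; if the intent is to drop outdated translations, delete the keys instead so the ResourceBundle falls back to the base Messages.properties. In the added ascanbeta.relativepathconfusion.soln value, `Within the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL` has nothing between the quotes, so the tag name has been lost; the .morethanonebasetag and .nobasetag keys above it refer to the same tag, so the name should be restored in the value before merging.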
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = URL-\u0430\u0434\u0440 ascanbeta.sessionfixation.desc = \u041c\u043e\u0436\u043b\u0438\u0432\u0430 \u0444\u0456\u043a\u0441\u0430\u0446\u0456\u044f \u0441\u0435\u0430\u043d\u0441\u0443. \u042f\u043a\u0449\u043e \u0446\u044f \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432\u0438\u043d\u0438\u043a\u0430\u0454 \u0437 URL-\u0430\u0434\u0440\u0435\u0441\u043e\u044e \u0432\u0445\u043e\u0434\u0443 (\u0434\u0435 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0443\u0454\u0442\u044c\u0441\u044f \u0432 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0456), \u0442\u043e\u0434\u0456 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043c\u043e\u0436\u0435 \u043d\u0430\u0434\u0430\u0442\u0438 URL-\u0430\u0434\u0440\u0435\u0441\u0443 \u0440\u0430\u0437\u043e\u043c \u0456\u0437 \u0444\u0456\u043a\u0441\u043e\u0432\u0430\u043d\u0438\u043c \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u043e\u043c \u0441\u0435\u0430\u043d\u0441\u0443 \u0436\u0435\u0440\u0442\u0432\u0456, \u0449\u043e\u0431 \u043f\u0456\u0437\u043d\u0456\u0448\u0435 \u043f\u0440\u0438\u043f\u0443\u0441\u0442\u0438\u0442\u0438 \u043e\u0441\u043e\u0431\u0443 \u0436\u0435\u0440\u0442\u0432\u0438, \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0447\u0438 \u0432\u043a\u0430\u0437\u0430\u043d\u0438\u0439 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443. 
\u042f\u043a\u0449\u043e \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432\u0438\u043d\u0438\u043a\u0430\u0454 \u0437\u0456 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u043e\u044e \u0431\u0435\u0437 \u0432\u0445\u043e\u0434\u0443, URL-\u0430\u0434\u0440\u0435\u0441\u0430 \u0442\u0430 \u0444\u0456\u043a\u0441\u043e\u0432\u0430\u043d\u0438\u0439 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 \u043c\u043e\u0436\u0443\u0442\u044c \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438\u0441\u044f \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u043e\u043c \u043b\u0438\u0448\u0435 \u0434\u043b\u044f \u0432\u0456\u0434\u0441\u0442\u0435\u0436\u0435\u043d\u043d\u044f \u0434\u0456\u0439 \u043d\u0435\u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u043e\u0433\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430. \u042f\u043a\u0449\u043e \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0432\u0438\u043d\u0438\u043a\u0430\u0454 \u0432 \u043f\u043e\u043b\u0456 cookie \u0430\u0431\u043e \u043f\u043e\u043b\u0456 \u0444\u043e\u0440\u043c\u0438 (\u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 POST), \u0430 \u043d\u0435 \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0456 URL-\u0430\u0434\u0440\u0435\u0441\u0438 (GET), \u0442\u043e \u043c\u043e\u0436\u0435 \u0437\u043d\u0430\u0434\u043e\u0431\u0438\u0442\u0438\u0441\u044f \u044f\u043a\u0430\u0441\u044c \u0456\u043d\u0448\u0430 \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044c, \u0449\u043e\u0431 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u043f\u043e\u043b\u0435 cookie \u0443 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0456 \u0436\u0435\u0440\u0442\u0432\u0438, \u0449\u043e\u0431 \u0434\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u0438 
\u0432\u0440\u0430\u0437\u043b\u0438\u0432\u043e\u0441\u0442\u0456 \u043f\u0456\u0434\u043b\u044f\u0433\u0430\u0442\u0438 \u0435\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0456\u0457. ascanbeta.sessionfixation.name = \u0424\u0456\u043a\u0441\u0430\u0446\u0456\u044f \u0441\u0435\u0430\u043d\u0441\u0443 ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) \u041d\u0435 \u0434\u0430\u0439\u0442\u0435 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0443 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443, \u0437\u0430\u043f\u0440\u043e\u0432\u0430\u0434\u0438\u0432\u0448\u0438 \u0441\u0443\u0432\u043e\u0440\u0456 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u0438 \u0441\u0435\u0430\u043d\u0441\u0456\u0432 \u0442\u0430 \u0432\u0438\u0434\u0456\u043b\u044f\u044e\u0447\u0438 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u0438 \u0441\u0435\u0430\u043d\u0441\u0456\u0432 \u043b\u0438\u0448\u0435 \u043f\u0456\u0441\u043b\u044f \u0443\u0441\u043f\u0456\u0448\u043d\u043e\u0457 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0432 \u0437\u0430\u0441\u0442\u043e\u0441\u0443\u043d\u043a\u0443.\n2) \u0421\u0435\u0440\u0432\u0435\u0440 \u043f\u043e\u0432\u0438\u043d\u0435\u043d \u0437\u0430\u0432\u0436\u0434\u0438 \u0441\u0442\u0432\u043e\u0440\u044e\u0432\u0430\u0442\u0438 \u043d\u043e\u0432\u0438\u0439 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 
\u043f\u0456\u0441\u043b\u044f \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457, \u043d\u0435\u0437\u0430\u043b\u0435\u0436\u043d\u043e \u0432\u0456\u0434 \u0442\u043e\u0433\u043e, \u0447\u0438 \u0432\u0436\u0435 \u0456\u0441\u043d\u0443\u0454 \u0441\u0435\u0430\u043d\u0441.\n3) \u041f\u0440\u0438\u0432'\u044f\u0436\u0456\u0442\u044c \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 \u0434\u043e \u043f\u0435\u0432\u043d\u043e\u0457 \u043a\u043e\u043c\u0431\u0456\u043d\u0430\u0446\u0456\u0457 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0456\u0432 \u043a\u043b\u0456\u0454\u043d\u0442\u0430, \u044f\u043a\u0443 \u043c\u043e\u0436\u043d\u0430 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0443\u0432\u0430\u0442\u0438, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, IP-\u0430\u0434\u0440\u0435\u0441\u0438, \u0441\u0435\u0440\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u0430 \u043a\u043b\u0456\u0454\u043d\u0442\u0430 SSL.\n4) \u0421\u0435\u0441\u0456\u0457 \u043f\u0440\u0438 \u0437\u043d\u0438\u0449\u0435\u043d\u043d\u0456 \u043f\u043e\u0432\u0438\u043d\u043d\u0456 \u0431\u0443\u0442\u0438 \u0437\u043d\u0438\u0449\u0435\u043d\u0456 \u044f\u043a \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0456, \u0442\u0430\u043a \u0456 \u043d\u0430 \u043a\u043b\u0456\u0454\u043d\u0442\u0456.\n5) \u0420\u0435\u0430\u043b\u0456\u0437\u0443\u0439\u0442\u0435 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0432\u0438\u0445\u043e\u0434\u0443 \u0437 \u0441\u0438\u0441\u0442\u0435\u043c\u0438, \u044f\u043a\u0438\u0439 \u0437\u043d\u0438\u0449\u0438\u0442\u044c \u0432\u0441\u0456 \u043f\u043e\u043f\u0435\u0440\u0435\u0434\u043d\u0456 \u0441\u0435\u0430\u043d\u0441\u0438 \u0434\u043b\u044f \u043a\u043b\u0456\u0454\u043d\u0442\u0430.\n6) \u0417\u0430\u043f\u0440\u043e\u0432\u0430\u0434\u044c\u0442\u0435 \u0447\u0430\u0441 
\u043e\u0447\u0456\u043a\u0443\u0432\u0430\u043d\u043d\u044f \u0441\u0435\u0430\u043d\u0441\u0443.\n7) \u041f\u0435\u0440\u0435\u0439\u0434\u0456\u0442\u044c \u0432\u0456\u0434 \u0440\u0435\u0430\u043b\u0456\u0437\u0430\u0446\u0456\u0457 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u0430 \u0441\u0435\u0430\u043d\u0441\u0443 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 URL-\u0430\u0434\u0440\u0435\u0441\u0438 \u0434\u043e \u0440\u0435\u0430\u043b\u0456\u0437\u0430\u0446\u0456\u0457 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u0430 \u0441\u0435\u0430\u043d\u0441\u0443 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u0444\u0430\u0439\u043b\u0456\u0432 cookie \u0430\u0431\u043e \u0444\u043e\u0440\u043c, \u043e\u0441\u043a\u0456\u043b\u044c\u043a\u0438 \u043e\u0441\u0442\u0430\u043d\u043d\u0456 \u0437\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u0432\u0438\u043c\u0430\u0433\u0430\u044e\u0442\u044c \u0434\u043e\u0434\u0430\u0442\u043a\u043e\u0432\u0438\u0445 \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u043e\u0441\u0442\u0435\u0439, \u0449\u043e\u0431 \u0431\u0443\u0442\u0438 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u0438\u043c\u0438 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u043e\u043c.\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from 
a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = \u041f\u043e\u043b\u0435 {0}\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 {0} \u043f\u043e\u043b\u0435 [{1}], \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f [{2}] \u043c\u043e\u0436\u043d\u0430 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e JavaScript \u0443 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0456 -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = URL-\u0430\u0434\u0440\u0435\u0441\u0443, \u043d\u0430 \u044f\u043a\u0456\u0439 \u0431\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443, \u0431\u0443\u043b\u043e \u043f\u043e\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u044f\u043a \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443 \u0432\u0445\u043e\u0434\u0443. 
-ascanbeta.sessionidaccessiblebyjavascript.desc = \u0424\u0430\u0439\u043b cookie \u0437 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u043e\u043c \u0441\u0435\u0430\u043d\u0441\u0443, \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u043d\u0438\u0439 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c (\u043a\u043e\u043b\u0438 URL-\u0430\u0434\u0440\u0435\u0441\u0430 \u0437\u043c\u0456\u043d\u044e\u0454\u0442\u044c\u0441\u044f \u0448\u043b\u044f\u0445\u043e\u043c \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f \u043f\u043e\u043b\u044f \u043d\u0430\u0437\u0432\u0430\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 \u0432 NULL), \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0438\u0439 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e JavaScript \u043d\u0430 \u043a\u043b\u0456\u0454\u043d\u0442\u0441\u044c\u043a\u0456\u0439 \u0441\u0442\u043e\u0440\u043e\u043d\u0456. \u0423 \u043f\u043e\u0454\u0434\u043d\u0430\u043d\u043d\u0456 \u0437 \u0456\u043d\u0448\u043e\u044e \u0443\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044e \u0446\u0435 \u043c\u043e\u0436\u0435 \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u043f\u0435\u0440\u0435\u0445\u043e\u043f\u043b\u0435\u043d\u043d\u044f \u0441\u0435\u0430\u043d\u0441\u0443. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. 
In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = \u0406\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 Cookie \u0414\u043e\u0441\u0442\u0443\u043f\u043d\u043e \u0434\u043b\u044f JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u043f\u0440\u0430\u043f\u043e\u0440\u0435\u0446\u044c "httponly" \u043f\u0440\u0438 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u0456 \u0444\u0430\u0439\u043b\u0443 cookie, \u0449\u043e \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0441\u0456\u0457, \u0449\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u0443 \u0434\u043e \u043d\u044c\u043e\u0433\u043e \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e JavaScript \u0443 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0456. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. 
ascanbeta.sessionidexpiry.alert.attack = \u041f\u043e\u043b\u0435 {0}\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 {0} \u043f\u043e\u043b\u0435 [{1}], \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f [{2}] \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0435 \u0434\u043e [{3}] (\u043e\u0441\u043a\u0456\u043b\u044c\u043a\u0438 cookie \u0431\u0443\u043b\u043e \u043e\u0442\u0440\u0438\u043c\u0430\u043d\u043e \u0432 {4}), \u044f\u043a\u0449\u043e \u0442\u0456\u043b\u044c\u043a\u0438 \u0441\u0435\u0430\u043d\u0441 \u043d\u0435 \u0431\u0443\u0434\u0435 \u0437\u043d\u0438\u0449\u0435\u043d\u043e. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = URL-\u0430\u0434\u0440\u0435\u0441\u0443, \u043d\u0430 \u044f\u043a\u0456\u0439 \u0431\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443, \u0431\u0443\u043b\u043e \u043f\u043e\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u044f\u043a \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443 \u0432\u0445\u043e\u0434\u0443 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443. 
ascanbeta.sessionidexpiry.browserclose = \u0417\u0430\u043a\u0440\u0438\u0442\u0438 \u0431\u0440\u0430\u0443\u0437\u0435\u0440 -ascanbeta.sessionidexpiry.desc = \u0424\u0430\u0439\u043b cookie \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u0430 \u0441\u0435\u0430\u043d\u0441\u0443, \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u043d\u0438\u0439 \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c (\u044f\u043a\u0449\u043e URL-\u0430\u0434\u0440\u0435\u0441\u0443 \u0437\u043c\u0456\u043d\u0435\u043d\u043e \u0448\u043b\u044f\u0445\u043e\u043c \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f NULL \u0434\u043b\u044f \u043f\u043e\u043b\u044f \u0456\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430), \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u043e \u044f\u043a \u0434\u0456\u0439\u0441\u043d\u0438\u0439 \u043f\u0440\u043e\u0442\u044f\u0433\u043e\u043c \u043d\u0430\u0434\u043c\u0456\u0440\u043d\u043e\u0433\u043e \u043f\u0435\u0440\u0456\u043e\u0434\u0443 \u0447\u0430\u0441\u0443. 
\u0426\u0435 \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043e \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u043e\u043c, \u044f\u043a\u0449\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447 \u0437\u0430\u0431\u0443\u0434\u0435 \u0432\u0438\u0439\u0442\u0438, \u044f\u043a\u0449\u043e \u0444\u0443\u043d\u043a\u0446\u0456\u044f \u0432\u0438\u0445\u043e\u0434\u0443 \u043d\u0435 \u0437\u043d\u0438\u0449\u0438\u0442\u044c \u0441\u0435\u0430\u043d\u0441 \u043d\u0430\u043b\u0435\u0436\u043d\u0438\u043c \u0447\u0438\u043d\u043e\u043c \u0430\u0431\u043e \u044f\u043a\u0449\u043e \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u043e\u0432\u0430\u043d\u043e \u0456\u043d\u0448\u0438\u043c \u0441\u043f\u043e\u0441\u043e\u0431\u043e\u043c. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = \u0427\u0430\u0441 \u0434\u0456\u0457 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u0430 \u0441\u0435\u0430\u043d\u0441\u0443/\u043c\u0430\u043a\u0441\u0438\u043c\u0430\u043b\u044c\u043d\u0438\u0439 \u0432\u0456\u043a \u043d\u0430\u0434\u043c\u0456\u0440\u043d\u043e \u0434\u043e\u0432\u0433\u0438\u0439 #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
-ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0438 \u0449\u043e\u0434\u043e \u0444\u0430\u0439\u043b\u0456\u0432 cookie \u00abExpire\u00bb \u0430\u0431\u043e \u00abMax-Age\u00bb, \u043a\u043e\u043b\u0438 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u044e\u0454\u0442\u0435 cookie, \u0449\u043e \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443, \u0449\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 \u0439\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0441\u0442\u0456 \u043f\u0440\u043e\u0442\u044f\u0433\u043e\u043c \u0442\u0440\u0438\u0432\u0430\u043b\u0438\u0445 \u043f\u0435\u0440\u0456\u043e\u0434\u0456\u0432 \u0447\u0430\u0441\u0443.\n2) \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0444\u0443\u043d\u043a\u0446\u0456\u044f \u0432\u0438\u0445\u043e\u0434\u0443 \u0437 \u0441\u0438\u0441\u0442\u0435\u043c\u0438 \u0456\u0441\u043d\u0443\u0454 \u0442\u0430 \u0449\u043e \u0432\u043e\u043d\u0430 \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u0440\u0443\u0439\u043d\u0443\u0454 \u0441\u0435\u0430\u043d\u0441.\n3) \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0456\u043d\u0448\u0456 \u0437\u0430\u043f\u043e\u0431\u0456\u0436\u043d\u0456 \u0437\u0430\u0445\u043e\u0434\u0438, \u0449\u043e\u0431 \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0442\u0438\u0441\u044f, \u0449\u043e \u044f\u043a\u0449\u043e \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 \u0441\u043a\u043e\u043c\u043f\u0440\u043e\u043c\u0435\u0442\u043e\u0432\u0430\u043d\u043e, \u0432\u0456\u043d \u043d\u0435 \u043c\u043e\u0436\u0435 
\u0431\u0443\u0442\u0438 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u0438\u0439. ascanbeta.sessionidexpiry.timeexpired = \u0422\u0435\u0440\u043c\u0456\u043d \u0434\u0456\u0457 \u043c\u0438\u043d\u0443\u0432 ascanbeta.sessionidexpiry.timelessthanonehour = \u041c\u0435\u043d\u0448\u0435, \u043d\u0456\u0436 \u0433\u043e\u0434\u0438\u043d\u0443 
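Review bot: the `-ascanbeta.sessionidexpiry.refs=` entry is deleted but the comment right above it, "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..", is kept, so the comment now describes a key that no longer exists in this file; either drop the comment together with the key or keep the empty `ascanbeta.sessionidexpiry.refs=` line as the `sessionidexposedinurl` and `sessionidsentinsecurely` blocks in the same file still do. Separately, `+ascanbeta.sessionidexpiry.desc` replaces the Ukrainian description with the English source string, so this alert's description will display in English for this locale; confirm that the source string really changed rather than a translation having been dropped by the sync.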
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = \u0411\u0456\u043b\u044c\u0448\u ascanbeta.sessionidexposedinurl.alert.attack = \u041f\u043e\u043b\u0435 {0}\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} \u043f\u043e\u043b\u044f [{1}] \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0440\u043e\u0437\u043a\u0440\u0438\u0442\u0438\u0439 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = URL-\u0430\u0434\u0440\u0435\u0441\u0443, \u043d\u0430 \u044f\u043a\u0456\u0439 \u0431\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443, \u0431\u0443\u043b\u043e \u043f\u043e\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u044f\u043a \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443 \u0432\u0445\u043e\u0434\u0443 \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0443. -ascanbeta.sessionidexposedinurl.desc = \u0406\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 \u0440\u043e\u0437\u043a\u0440\u0438\u0442\u0438\u0439 \u0432 URL-\u0430\u0434\u0440\u0435\u0441\u0456. 
\u041d\u0430\u0434\u0430\u044e\u0447\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0442\u0430\u043a\u043e\u0457 URL-\u0430\u0434\u0440\u0435\u0441\u0438 \u0432\u0435\u0431\u0441\u0430\u0439\u0442\u0443 (\u0449\u043e \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443), \u043d\u0430\u0457\u0432\u043d\u0438\u0439 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447 \u043c\u043e\u0436\u0435 \u043d\u0435\u043d\u0430\u0432\u043c\u0438\u0441\u043d\u043e \u043d\u0430\u0434\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0441\u0432\u043e\u0457\u0445 \u0434\u0430\u043d\u0438\u0445, \u043f\u043e\u0441\u0442\u0430\u0432\u0438\u0432\u0448\u0438 \u043f\u0456\u0434 \u0437\u0430\u0433\u0440\u043e\u0437\u0443 \u0457\u0445\u043d\u044e \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0456\u0441\u0442\u044c, \u0446\u0456\u043b\u0456\u0441\u043d\u0456\u0441\u0442\u044c \u0456 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0456\u0441\u0442\u044c. URL-\u0430\u0434\u0440\u0435\u0441\u0438, \u0449\u043e \u043c\u0456\u0441\u0442\u044f\u0442\u044c \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443, \u0442\u0430\u043a\u043e\u0436 \u0437'\u044f\u0432\u043b\u044f\u044e\u0442\u044c\u0441\u044f \u0432 \u0437\u0430\u043a\u043b\u0430\u0434\u043a\u0430\u0445 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430, \u0444\u0430\u0439\u043b\u0430\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u0443 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0456 \u0444\u0430\u0439\u043b\u0430\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u0443 \u043f\u0440\u043e\u043a\u0441\u0456-\u0441\u0435\u0440\u0432\u0435\u0440\u0430. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. 
By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = \u0412\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
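Review bot: `+ascanbeta.sessionidexposedinurl.desc` replaces a complete translation with the English source text: the removed Ukrainian lines cover exactly the same three statements (session id exposed in the URL, sharing the URL hands over access to the user's data, the URL also lands in browser bookmarks and web server and proxy logs). If the source-side change that triggered this reset was only punctuation, the translation should be restored on the translation platform rather than merged here, otherwise this localized alert will show in English.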
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0456\u0448\u0443 \u0440\u0435\u0430\u043b\u0456\u0437\u0430\u0446\u0456\u044e \u043a\u0435\u0440\u0443\u0432\u0430\u043d\u043d\u044f \u0441\u0435\u0430\u043d\u0441\u043e\u043c, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434 \u0442\u0430\u043a\u0443, \u044f\u043a\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454 \u0444\u0430\u0439\u043b\u0438 \u0441\u0435\u0430\u043d\u0441\u0443 cookie, \u044f\u043a\u0438\u043c\u0438 \u043d\u0435 \u0442\u0430\u043a \u043b\u0435\u0433\u043a\u043e \u0432\u0438\u043f\u0430\u0434\u043a\u043e\u0432\u043e \u043f\u043e\u0434\u0456\u043b\u0438\u0442\u0438\u0441\u044f, \u0456 \u044f\u043a\u0456 \u0437\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u043d\u0435 \u0432\u0456\u0434\u043e\u0431\u0440\u0430\u0436\u0430\u044e\u0442\u044c\u0441\u044f \u0443 \u0444\u0430\u0439\u043b\u0430\u0445 \u0436\u0443\u0440\u043d\u0430\u043b\u0443 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0447\u0438 \u0437\u0430\u043a\u043b\u0430\u0434\u043a\u0430\u0445 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430. ascanbeta.sessionidsentinsecurely.alert.attack = \u041f\u043e\u043b\u0435 {0}\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 {0}, \u043f\u043e\u043b\u0435 [{1}], \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f [{2}] \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u043d\u043e \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c. 
+ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = URL-\u0430\u0434\u0440\u0435\u0441\u0443, \u043d\u0430 \u044f\u043a\u0456\u0439 \u0431\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0443, \u0431\u0443\u043b\u043e \u043f\u043e\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u044f\u043a \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443 \u0432\u0445\u043e\u0434\u0443. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = \u041f\u043e\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u00ab\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439\u00bb \u043d\u0435 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043e \u043d\u0430 \u0444\u0430\u0439\u043b\u0456 cookie \u0441\u0435\u0430\u043d\u0441\u0443, \u044f\u043a\u0438\u0439 \u043d\u0430\u0434\u0430\u0454 \u0441\u0435\u0440\u0432\u0435\u0440. -ascanbeta.sessionidsentinsecurely.desc = \u0406\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u043d\u043e \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c. \u0423 \u0432\u0438\u043f\u0430\u0434\u043a\u0443 \u0444\u0430\u0439\u043b\u0456\u0432 cookie, \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u043d\u0438\u0445 \u0443 \u0437\u0430\u043f\u0438\u0442\u0456, \u0446\u0435 \u0432\u0456\u0434\u0431\u0443\u0432\u0430\u0454\u0442\u044c\u0441\u044f, \u043a\u043e\u043b\u0438 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f HTTP, \u0430 \u043d\u0435 HTTPS. 
\u0423 \u0432\u0438\u043f\u0430\u0434\u043a\u0443 \u0444\u0430\u0439\u043b\u0443 cookie, \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u043d\u043e\u0433\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c \u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c (\u043a\u043e\u043b\u0438 URL-\u0430\u0434\u0440\u0435\u0441\u0443 \u0437\u043c\u0456\u043d\u0435\u043d\u043e \u0448\u043b\u044f\u0445\u043e\u043c \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f \u0434\u043b\u044f \u043f\u043e\u043b\u044f \u0456\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f NULL), \u043f\u0440\u0430\u043f\u043e\u0440 \u00ab\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u043e\u0433\u043e\u00bb \u043d\u0435 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043e, \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u0442\u0438 \u0444\u0430\u0439\u043b cookie \u043f\u0456\u0437\u043d\u0456\u0448\u0435 \u0447\u0435\u0440\u0435\u0437 HTTP, \u0430 \u043d\u0435 \u0447\u0435\u0440\u0435\u0437 HTTPS . \u0426\u0435 \u043c\u043e\u0436\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u0438 \u043f\u0430\u0441\u0438\u0432\u043d\u043e\u043c\u0443 \u043f\u0456\u0434\u0441\u043b\u0443\u0445\u0443\u0432\u0430\u0447\u0443 \u043d\u0430 \u043c\u0435\u0440\u0435\u0436\u0435\u0432\u043e\u043c\u0443 \u0448\u043b\u044f\u0445\u0443 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u043f\u043e\u0432\u043d\u0438\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0441\u0435\u0430\u043d\u0441\u0443 \u0436\u0435\u0440\u0442\u0432\u0438. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. 
In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = \u0406\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 \u043f\u0435\u0440\u0435\u0434\u0430\u043d\u043e \u043d\u0435\u043d\u0430\u0434\u0456\u0439\u043d\u043e #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u043e\u0441\u0442\u0430\u043d\u043d\u044e \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0443 \u0432\u0435\u0440\u0441\u0456\u044e SSL/TLS (\u0434\u043b\u044f HTTPS) \u0434\u043b\u044f \u0432\u0441\u0456\u0445 \u0441\u0442\u043e\u0440\u0456\u043d\u043e\u043a, \u0434\u0435 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443 \u043f\u0435\u0440\u0435\u0434\u0430\u0454\u0442\u044c\u0441\u044f \u043c\u0456\u0436 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u043c \u0456 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c.\n2) \u041d\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0439\u0442\u0435 \u0437\u0432\u2019\u044f\u0437\u043a\u0443 \u043f\u0440\u0438\u043c\u0443\u0441\u043e\u0432\u043e \u043f\u0435\u0440\u0435\u0439\u0442\u0438 \u0434\u043e \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0443 HTTP.\n3) 
\u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u043f\u043e\u0437\u043d\u0430\u0447\u043a\u0443 \u00ab\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u043e\u00bb \u043f\u0456\u0434 \u0447\u0430\u0441 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f \u0444\u0430\u0439\u043b\u0443 cookie, \u0449\u043e \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u0441\u0435\u0430\u043d\u0441\u0443, \u0449\u043e\u0431 \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 \u0439\u043e\u0433\u043e \u043f\u043e\u0434\u0430\u043b\u044c\u0448\u0456\u0439 \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0456 \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c.\n4) \u041f\u0435\u0440\u0435\u0441\u0438\u043b\u0430\u0439\u0442\u0435 \u0437\u0430\u043f\u0438\u0442\u0438 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u043e\u0457 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 HTTP \u043d\u0430 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443, \u0435\u043a\u0432\u0456\u0432\u0430\u043b\u0435\u043d\u0442\u043d\u0443 \u0431\u0435\u0437\u043f\u0435\u0447\u043d\u043e\u043c\u0443 HTTPS. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. 
-ascanbeta.shellshock.desc = \u041d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u043f\u0440\u0430\u0446\u044e\u0454 \u0432\u0435\u0440\u0441\u0456\u044f \u043e\u0431\u043e\u043b\u043e\u043d\u043a\u0438 Bash, \u044f\u043a\u0430 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0432\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u0438\u043c \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0430\u043c \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u0442\u0438 \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u0438\u0439 \u043a\u043e\u0434 +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. ascanbeta.shellshock.extrainfo = \u0412\u0456\u0434 CVE-2014-6271\: GNU Bash \u0434\u043e \u0432\u0435\u0440\u0441\u0456\u0457 4.3 \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u0454 \u043a\u0456\u043d\u0446\u0435\u0432\u0456 \u0440\u044f\u0434\u043a\u0438 \u043f\u0456\u0441\u043b\u044f \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u044c \u0444\u0443\u043d\u043a\u0446\u0456\u0439 \u0443 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u0445 \u0437\u043c\u0456\u043d\u043d\u0438\u0445 \u0441\u0435\u0440\u0435\u0434\u043e\u0432\u0438\u0449\u0430, \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0432\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u0438\u043c \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0430\u043c \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u0442\u0438 \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u0438\u0439 \u043a\u043e\u0434 \u0447\u0435\u0440\u0435\u0437 \u0441\u0442\u0432\u043e\u0440\u0435\u043d\u0435 \u0441\u0435\u0440\u0435\u0434\u043e\u0432\u0438\u0449\u0435, \u044f\u043a \u043f\u0440\u043e\u0434\u0435\u043c\u043e\u043d\u0441\u0442\u0440\u043e\u0432\u0430\u043d\u043e \u0432\u0435\u043a\u0442\u043e\u0440\u0430\u043c\u0438, \u0449\u043e \u0432\u043a\u043b\u044e\u0447\u0430\u044e\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0456\u044e ForceCommand 
\u0443 OpenSSH sshd, \u043c\u043e\u0434\u0443\u043b\u0456 mod_cgi \u0442\u0430 mod_cgid \u043d\u0430 HTTP-\u0441\u0435\u0440\u0432\u0435\u0440\u0456 Apache, \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0457, \u0449\u043e \u0432\u0438\u043a\u043e\u043d\u0443\u044e\u0442\u044c\u0441\u044f \u043d\u0435\u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u0438\u043c\u0438 \u043a\u043b\u0456\u0454\u043d\u0442\u0430\u043c\u0438 DHCP, \u0442\u0430 \u0456\u043d\u0448\u0456 \u0441\u0438\u0442\u0443\u0430\u0446\u0456\u0457, \u0443 \u044f\u043a\u0438\u0445 \u043d\u0430\u043b\u0430\u0448\u0442\u0443\u0432\u0430\u043d\u043d\u044f \u0441\u0435\u0440\u0435\u0434\u043e\u0432\u0438\u0449\u0430 \u0432\u0456\u0434\u0431\u0443\u0432\u0430\u0454\u0442\u044c\u0441\u044f \u0447\u0435\u0440\u0435\u0437 \u043c\u0435\u0436\u0456 \u043f\u0440\u0438\u0432\u0456\u043b\u0435\u0457\u0432 \u0432\u0456\u0434 \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f Bash, \u0442\u0430\u043a\u043e\u0436 \u0432\u0456\u0434\u043e\u043c\u043e\u0433\u043e \u044f\u043a \u00abShellShock\u00bb. \u041f\u0420\u0418\u041c\u0406\u0422\u041a\u0410\: \u043e\u0440\u0438\u0433\u0456\u043d\u0430\u043b\u044c\u043d\u0435 \u0432\u0438\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044f \u0446\u0456\u0454\u0457 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0438 \u0431\u0443\u043b\u043e \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0438\u043c; CVE-2014-7169 \u0431\u0443\u043b\u043e \u043f\u0440\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u0434\u043b\u044f \u043f\u043e\u043a\u0440\u0438\u0442\u0442\u044f \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u043e\u0441\u0442\u0456, \u044f\u043a\u0430 \u0432\u0441\u0435 \u0449\u0435 \u043f\u0440\u0438\u0441\u0443\u0442\u043d\u044f \u043f\u0456\u0441\u043b\u044f \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0433\u043e \u0432\u0438\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044f. 
ascanbeta.shellshock.name = \u0412\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u0435 \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f \u043a\u043e\u0434\u0443 - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = \u041e\u043d\u043e\u0432\u0456\u0442\u044c Bash \u043d\u0430 \u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u0434\u043e \u043e\u0441\u0442\u0430\u043d\u043d\u044c\u043e\u0457 \u0432\u0435\u0440\u0441\u0456\u0457 +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = \u0417\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0430\u0442\u0430\u043a\u0438 \u0431\u0443\u043b\u043e \u0441\u043f\u0440\u0438\u0447\u0438\u043d\u0435\u043d\u043e \u0442\u0430 \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u0437\u0430\u0442\u0440\u0438\u043c\u043a\u0443 \u0442\u0440\u0438\u0432\u0430\u043b\u0456\u0441\u0442\u044e \u0432 \u043c\u0456\u043b\u0456\u0441\u0435\u043a\u0443\u043d\u0434\u0430\u0445\: {0} ascanbeta.sourcecodedisclosure.desc = \u0412\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043a\u043e\u0434 \u043f\u043e\u0442\u043e\u0447\u043d\u043e\u0457 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u0431\u0443\u043b\u043e \u0440\u043e\u0437\u043a\u0440\u0438\u0442\u043e \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c. 
ascanbeta.sourcecodedisclosure.gitbased.evidence = \u0412\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043a\u043e\u0434 \u0434\u043b\u044f [{0}] \u0437\u0434\u043e\u0431\u0443\u043b\u0438, \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u0432\u0448\u0438 [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = \u0412\u0438\u043a\u0440\u0438\u0442\u0442\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443 - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u0456 \u0444\u0430\u0439\u043b\u0456\u0432 Git \u043d\u0435 \u043e\u043f\u043e\u0440\u044f\u0434\u0436\u0430\u044e\u0442\u044c\u0441\u044f \u0434\u043e \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0430\u0431\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0443 \u0434\u043e\u0434\u0430\u0442\u043a\u0443 +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = \u0412\u0438\u0445\u0456\u0434 \u0434\u043b\u044f \u043d\u0430\u0437\u0432\u0438 \u0444\u0430\u0439\u043b\u0443 \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443 [{0}] \u0437\u043d\u0430\u0447\u043d\u043e \u0432\u0456\u0434\u0440\u0456\u0437\u043d\u044f\u0454\u0442\u044c\u0441\u044f \u0432\u0456\u0434 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0443 \u0432\u0438\u043f\u0430\u0434\u043a\u043e\u0432\u043e\u0433\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 [{1}] \u043d\u0430 [{2}%] \u0443 \u043f\u043e\u0440\u0456\u0432\u043d\u044f\u043d\u043d\u0456 \u0437 \u043f\u043e\u0440\u043e\u0433\u043e\u0432\u0438\u043c \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u043c [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = \u0412\u0438\u043a\u0440\u0438\u0442\u0442\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443 - \u0434\u043e\u0434\u0430\u0432\u0430\u043d\u043d\u044f \u0444\u0430\u0439\u043b\u0456\u0432 ascanbeta.sourcecodedisclosure.svnbased.extrainfo = \u0412\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043a\u043e\u0434 \u0434\u043b\u044f [{0}] \u0437\u043d\u0430\u0439\u0448\u043b\u0438 \u0432 [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = \u0412\u0438\u043a\u0440\u0438\u0442\u0442\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443 - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0444\u0430\u0439\u043b\u0438 \u043c\u0435\u0442\u0430\u0434\u0430\u043d\u0438\u0445 SVN \u043d\u0435 \u0440\u043e\u0437\u0433\u043e\u0440\u043d\u0443\u0442\u0456 \u043d\u0430 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u0430\u0431\u043e \u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u043f\u0440\u043e\u0433\u0440\u0430\u043c +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata 
files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = \u0414\u0435\u044f\u043a\u0456 \u0432\u0435\u0440\u0441\u0456\u0457 PHP, \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0456 \u043d\u0430 \u0440\u043e\u0431\u043e\u0442\u0443 \u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f\u043c CGI, \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u044e\u0442\u044c \u0440\u044f\u0434\u043a\u0438 \u0437\u0430\u043f\u0438\u0442\u0443, \u0443 \u044f\u043a\u0438\u0445 \u0432\u0456\u0434\u0441\u0443\u0442\u043d\u0456\u0439 \u043d\u0435\u0435\u043a\u0440\u0430\u043d\u043e\u0432\u0430\u043d\u0438\u0439 \u0441\u0438\u043c\u0432\u043e\u043b "\=", \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0440\u043e\u0437\u043a\u0440\u0438\u0432\u0430\u0442\u0438 \u0432\u0438\u0445\u0456\u0434\u043d\u0438\u0439 \u043a\u043e\u0434 PHP \u0456 \u0432\u0438\u043a\u043e\u043d\u0443\u0432\u0430\u0442\u0438 \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u0438\u0439 \u043a\u043e\u0434. \u0423 \u0446\u044c\u043e\u043c\u0443 \u0432\u0438\u043f\u0430\u0434\u043a\u0443 \u0432\u043c\u0456\u0441\u0442 \u0444\u0430\u0439\u043b\u0443 PHP \u0431\u0443\u043b\u043e \u043f\u043e\u0434\u0430\u043d\u043e \u0431\u0435\u0437\u043f\u043e\u0441\u0435\u0440\u0435\u0434\u043d\u044c\u043e \u0443 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440. \u0426\u0435\u0439 \u0432\u0438\u0445\u0456\u0434 \u0437\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u043c\u0456\u0441\u0442\u0438\u0442\u0438\u043c\u0435 PHP, \u0445\u043e\u0447\u0430 \u0432\u0456\u043d \u0442\u0430\u043a\u043e\u0436 \u043c\u043e\u0436\u0435 \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u0437\u0432\u0438\u0447\u0430\u0439\u043d\u0438\u0439 HTML. 
ascanbeta.sourcecodedisclosurecve-2012-1823.name = \u0420\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044f \u0432\u0438\u0445\u0456\u0434\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0443 - CVE-2012-1823 
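Review bot: the new `+ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism.` starts lowercase and has no separator between `{0}` and `field`, whereas the replaced Ukrainian string read `{0}, поле [{1}], значення [{2}]`; since this text is now what users see, fix the source string to something like "Session identifier {0}, field [{1}], value [{2}] may be sent via an insecure mechanism." and let it propagate. Also in this hunk, `+ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git` becomes English while the sibling `ascanbeta.sourcecodedisclosure.svnbased.name` and `lfibased.name` keep their Ukrainian names, so the three Source Code Disclosure alerts will be listed in two languages; worth confirming that only the Git name's source string changed.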
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = \u043d\u0435 \u0432\u0438\u0431\u0440\u0430\u043d\u043e \u0441\u043b\u0443\u0436\u0431\u0443 Active Scan OAST. ascanbeta.text4shell.soln = \u041e\u043d\u043e\u0432\u0456\u0442\u044c Apache Commons Text \u0434\u043e \u0432\u0435\u0440\u0441\u0456\u0457 1.10.0 \u0430\u0431\u043e \u043d\u043e\u0432\u0456\u0448\u043e\u0457. -ascanbeta.usernameenumeration.alert.attack = \u041a\u0435\u0440\u0443\u0432\u0430\u0442\u0438 \u043f\u043e\u043b\u0435\u043c [{0}]\: [{1}] \u0456 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442 -ascanbeta.usernameenumeration.alert.extrainfo = \u041f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 [{0}] [{1}] \u0441\u0442\u0432\u043e\u0440\u044e\u0454 \u0432\u0438\u0442\u0456\u043a \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 \u043f\u0440\u043e \u0442\u0435, \u0447\u0438 \u0456\u0441\u043d\u0443\u0454 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447. 
\u0412\u0456\u0434\u043c\u0456\u043d\u043d\u043e\u0441\u0442\u0456 [{5}] \u0443 \u0432\u0438\u0445\u0456\u0434\u043d\u0438\u0445 \u0434\u0430\u043d\u0438\u0445 \u0434\u043b\u044f \u0434\u0456\u0439\u0441\u043d\u043e\u0433\u043e \u043f\u043e\u0447\u0430\u0442\u043a\u043e\u0432\u043e\u0433\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0456\u043c\u0435\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 [{2}] \u0456 \u043d\u0435\u0434\u0456\u0439\u0441\u043d\u043e\u0433\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0456\u043c\u0435\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 [{3}] \u0442\u0430\u043a\u0456\:\n[{4}] -ascanbeta.usernameenumeration.desc = \u0404 \u043c\u043e\u0436\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u043f\u0435\u0440\u0435\u0440\u0430\u0445\u0443\u0432\u0430\u0442\u0438 \u0456\u043c\u0435\u043d\u0430 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0456\u0432 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0456 \u0440\u0456\u0437\u043d\u0438\u0445 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0435\u0439 HTTP, \u044f\u043a\u0449\u043e \u043d\u0430\u0434\u0430\u0442\u0438 \u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u0456 \u0442\u0430 \u043d\u0435\u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u0456 \u0456\u043c\u0435\u043d\u0430 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0456\u0432. \u0426\u0435 \u0437\u043d\u0430\u0447\u043d\u043e \u043f\u0456\u0434\u0432\u0438\u0449\u0438\u0442\u044c \u0456\u043c\u043e\u0432\u0456\u0440\u043d\u0456\u0441\u0442\u044c \u0443\u0441\u043f\u0456\u0445\u0443 \u0430\u0442\u0430\u043a \u043f\u0456\u0434\u0431\u043e\u0440\u0443 \u043f\u0430\u0440\u043e\u043b\u044f \u043f\u0440\u043e\u0442\u0438 \u0441\u0438\u0441\u0442\u0435\u043c\u0438. 
\u0417\u0430\u0443\u0432\u0430\u0436\u0442\u0435, \u0449\u043e \u043f\u043e\u043c\u0438\u043b\u043a\u043e\u0432\u0456 \u0440\u0435\u0437\u0443\u043b\u044c\u0442\u0430\u0442\u0438 \u0456\u043d\u043e\u0434\u0456 \u043c\u043e\u0436\u043d\u0430 \u043c\u0456\u043d\u0456\u043c\u0456\u0437\u0443\u0432\u0430\u0442\u0438, \u0437\u0431\u0456\u043b\u044c\u0448\u0438\u0432\u0448\u0438 \u043e\u043f\u0446\u0456\u044e \u00ab\u0421\u0438\u043b\u0430 \u0430\u0442\u0430\u043a\u0438\u00bb \u0432 ZAP. \u0411\u0443\u0434\u044c \u043b\u0430\u0441\u043a\u0430, \u0432\u0440\u0443\u0447\u043d\u0443 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0442\u0435 \u043f\u043e\u043b\u0435 \u00ab\u0406\u043d\u0448\u0430 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044f\u00bb, \u0449\u043e\u0431 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0438\u0442\u0438, \u0447\u0438 \u0456\u0441\u043d\u0443\u0454 \u0446\u044f \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = \u041c\u043e\u0436\u043b\u0438\u0432\u0435 \u043f\u0435\u0440\u0435\u0440\u0430\u0445\u0443\u0432\u0430\u043d\u043d\u044f \u0456\u043c\u0435\u043d \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0456\u0432 ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = \u041d\u0435 \u0440\u043e\u0437\u0433\u043e\u043b\u043e\u0448\u0443\u0439\u0442\u0435 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u043f\u0440\u043e \u0442\u0435, \u0447\u0438 \u0454 \u0456\u043c'\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0434\u0456\u0439\u0441\u043d\u0438\u043c \u0430\u0431\u043e \u043d\u0435\u0434\u0456\u0439\u0441\u043d\u0438\u043c. 
\u0417\u043e\u043a\u0440\u0435\u043c\u0430, \u043f\u0440\u0438 \u043d\u0435\u0432\u0434\u0430\u043b\u0438\u0445 \u0441\u043f\u0440\u043e\u0431\u0430\u0445 \u0432\u0445\u043e\u0434\u0443 \u043d\u0435 \u0440\u043e\u0437\u0440\u0456\u0437\u043d\u044f\u0439\u0442\u0435 \u043d\u0435\u0434\u0456\u0439\u0441\u043d\u043e\u0433\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0456 \u043d\u0435\u0434\u0456\u0439\u0441\u043d\u0438\u0439 \u043f\u0430\u0440\u043e\u043b\u044c \u0443 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u0456 \u043f\u0440\u043e \u043f\u043e\u043c\u0438\u043b\u043a\u0443, \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0443 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438, \u0432\u043c\u0456\u0441\u0442\u0456 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438, \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430\u0445 HTTP \u0430\u0431\u043e \u043b\u043e\u0433\u0456\u0446\u0456 \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044f. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ur_PK.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ur_PK.properties index 912eb88e329..8b1fcc5133d 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ur_PK.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_ur_PK.properties 
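Review bot: In the preceding hunk (the `ascanbeta.usernameenumeration.*` strings, before the Messages_ur_PK.properties header), the added `.alert.attack`, `.alert.extrainfo` and `.desc` values are the English source strings, while the `.name` and `.soln` values right next to them in the same file remain localized (the context line preceding the additions is still localized text). If these entries were invalidated by a source-string change this is the expected sync fallback, but the commit message should say so; otherwise this silently drops an existing translation and leaves the alert half-translated.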
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = \u0641\u0627\u0626\u0644 \u06a9\u06cc \u0628\u06cc\u06a9 \u0627\u067e \u0648\u06cc\u0628 \u0633\u0631\u0648\u0631 \u06a9\u06cc \u0637\u0631\u0641 \u0633\u06d2 \u0638\u0627\u06c1\u0631 \u06a9\u06cc\u0627 \u06af\u06cc\u0627 \u062a\u06be\u0627 +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = \u0628\u06cc\u06a9 \u0627\u067e \u0641\u0627\u0626\u0644 \u0627\u0641\u0634\u0627 ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = \u0648\u06cc\u0628 \u0633\u0631\u0648\u0631 \u067e\u0631 \u0641\u0627\u0626\u0644\u0648\u06ba \u0645\u06cc\u06ba \u0622\u0679\u06be\u0648\u06cc\u06ba\u0679 \u0645\u06cc\u06ba \u062a\u0631\u0645\u06cc\u0645 \u0646\u06c1 \u06a9\u0631\u06cc\u06ba\u060c \u0627\u0648\u0631 \u0627\u0633 \u0628\u0627\u062a \u06a9\u0648 \u06cc\u0642\u06cc\u0646\u06cc \u0628\u0646\u0627\u0626\u06cc\u06ba \u06a9\u06c1 \u063a\u06cc\u0631 \u0636\u0631\u0648\u0631\u06cc \u0641\u0627\u0626\u0644\u0648\u06ba (\u067e\u0648\u0634\u06cc\u062f\u06c1 \u0641\u0627\u0626\u0644\u0648\u06ba \u0633\u0645\u06cc\u062a) \u0648\u06cc\u0628 \u0633\u0631\u0648\u0631 \u0633\u06d2 \u06c1\u0679\u0627 \u062f\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2. -ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. 
ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
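Review bot: `ascanbeta.backupfiledisclosure.desc` replaces the Urdu translation with the English sentence "A backup of the file was disclosed by the web server." while `.name` and `.soln` for the same rule stay in Urdu, so confirm the translation really was invalidated upstream rather than overwritten. The `-`/`+` pairs for `ascanbeta.cookieslack.affect.response.no` and `.yes` read identically here, so that part of the hunk is presumably whitespace only (trailing space or line ending); worth stating in the commit message so reviewers do not hunt for a textual difference.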
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = \u0648\u06cc\u0628 \u0633\u0631\u0648\u0631 \u06a9\u0648 \u063a\u06cc\u0631 \u0641\u0639\u0627\u0644 \u06a9\u0631\u0627\u0633 \u0688\u0648\u0645\u06cc\u0646 \u06a9\u06d2 \u0688\u06cc\u0679\u0627 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc\u062a\u0627 \u06c1\u06d2 \u0641\u0644\u06cc\u0634 / \u0633\u0644\u0648\u0631 \u0644\u0627\u0626\u0679 \u06a9\u06d2 \u0627\u062c\u0632\u0627\u0621 \u0633\u06d2 \u067e\u06cc\u062f\u0627 \u06c1\u0648\u0646\u06d2 \u0648\u0627\u0644\u06d2 \u062f\u0631\u062e\u0648\u0627\u0633\u062a\u0648\u06ba \u06a9\u0648 \u06a9\u0633\u06cc \u0628\u06be\u06cc \u062a\u06cc\u0633\u0631\u06cc \u067e\u0627\u0631\u0679\u06cc \u06a9\u0627 \u0688\u0648\u0645\u06cc\u0646 \u0633\u06d2 \u0627\u0633 \u0688\u0648\u0645\u06cc\u0646 \u067e\u0631 \u067e\u06cc\u0634 \u06a9\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2. 
\u0627\u06af\u0631 \u0627\u0633 \u0635\u0627\u0631\u0641 \u0645\u06cc\u06ba \u0634\u06a9\u0627\u0631 \u0635\u0627\u0631\u0641 \u06a9\u0648 \u0644\u0627\u06af \u0627\u0646 \u06a9\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2 \u062a\u0648\u060c \u0634\u06a9\u0627\u0631 \u06a9\u06d2 \u0627\u0645\u062a\u06cc\u0627\u0632\u06cc \u0633\u0644\u0648\u06a9 \u06a9\u0627 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u062a\u06d2 \u06c1\u0648\u0626\u06d2 \u0628\u062f\u0633\u0644\u0648\u06a9\u06cc \u067e\u0691\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a\u0648\u06ba \u067e\u0631 \u0639\u0645\u0644 \u062f\u0631\u0622\u0645\u062f \u06a9\u06cc\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2\u060c \u0627\u0648\u0631 \u0646\u062a\u06cc\u062c\u06d2 \u0645\u06cc\u06ba \u0627\u0633 \u0633\u0631\u0648\u0633 \u0633\u06d2 \u0627\u0639\u062f\u0627\u062f \u0648 \u0634\u0645\u0627\u0631 \u0634\u06a9\u0627\u0631 \u06a9\u06d2 \u0648\u06cc\u0628 \u0628\u0631\u0627\u0624\u0632\u0631 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06c1 \u063a\u06cc\u0631 \u0645\u062c\u0627\u0632 \u0634\u062f\u06c1 \u062a\u06cc\u0633\u0631\u06d2 \u0641\u0631\u06cc\u0642 \u06a9\u06cc \u0648\u06cc\u0628 \u0633\u0627\u0626\u0679 \u06a9\u06cc \u0637\u0631\u0641 \u0633\u06d2 \u0633\u0645\u062c\u06be\u0627 \u062c\u0627\u062a\u0627 \u06c1\u06d2. \u06a9\u0648\u06a9\u06cc \u0628\u0646\u06cc\u0627\u062f \u067e\u0631 \u0633\u06cc\u0634\u0646 \u06a9\u06d2 \u0639\u0645\u0644 \u06a9\u0648 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u0645\u06cc\u06ba \u06c1\u06d2 \u062a\u0648 \u06cc\u06c1 \u062e\u0627\u0635 \u0637\u0648\u0631 \u067e\u0631 \u0627\u06cc\u06a9 \u0645\u0633\u0626\u0644\u06c1 \u0628\u0646\u0646\u06d2 \u06a9\u0627 \u0627\u0645\u06a9\u0627\u0646 \u06c1\u06d2. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. 
+ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = \u0688\u0648\u0645\u06cc\u0646\u0632 \u06a9\u06cc \u0641\u06c1\u0631\u0633\u062a \u06a9\u0648 \u0645\u062d\u062f\u0648\u062f \u06a9\u0631\u0646\u06d2 \u06a9\u06d2 \u0644\u0626\u06d2 \u06a9\u0631\u0627\u0633 \u0688\u0648\u0645\u06cc\u0646. \u0627\u06cc\u06a9\u0633\u06cc\u0645 \u0641\u0627\u0626\u0644 \u06a9\u0648 \u062a\u0634\u06a9\u06cc\u0644 \u062f\u06cc\u06ba \u062c\u0648 \u0627\u0633 \u0648\u06cc\u0628 \u0633\u0631\u0648\u0631 \u06a9\u06d2 \u0630\u0631\u06cc\u0639\u06d2 \u06a9\u0631\u0627\u0633 \u0688\u0648\u0645\u06cc\u0646 \u06a9\u0648 \u067e\u0691\u06be\u0646\u06d2 \u06a9\u06cc \u062f\u0631\u062e\u0648\u0627\u0633\u062a\u0648\u06ba \u06a9\u0648 \u0627\u0633\u062a\u0639\u0645\u0627\u0644 \u06a9\u0631\u0646\u06d2 \u06a9\u06cc \u0627\u062c\u0627\u0632\u062a \u062f\u06cc \u062c\u0627\u062a\u06cc \u06c1\u06d2. 
\u0622\u067e \u06a9\u0648 \u0635\u0631\u0641 "*" (\u062a\u0645\u0627\u0645 \u0688\u0648\u0645\u06cc\u0646\u0632) \u062a\u06a9 \u0631\u0633\u0627\u0626\u06cc \u0641\u0631\u0627\u06c1\u0645 \u06a9\u0631\u0646\u0627 \u0686\u0627\u06c1\u0626\u06d2 \u062a\u0648 \u0622\u067e \u06a9\u0648 \u06cc\u06c1 \u06cc\u0642\u06cc\u0646 \u06c1\u06d2 \u06a9\u06c1 \u06cc\u06c1 \u0633\u0631\u0648\u0633 \u06a9\u0633\u06cc \u0628\u06be\u06cc \u0631\u0633\u0627\u0626\u06cc\u060c \u06a9\u0646\u0679\u0631\u0648\u0644\u060c \u0630\u0627\u062a\u06cc \u06cc\u0627 \u0646\u062c\u06cc \u0688\u06cc\u0679\u0627 \u06a9\u0648 \u0645\u06cc\u0632\u0628\u0627\u0646\u06cc \u0646\u06c1\u06cc\u06ba \u06a9\u0631\u062a\u0627 \u06c1\u06d2. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
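Review bot: `ascanbeta.crossdomain.adobe.desc` is removed and re-added with the same visible text, which looks like a whitespace-only change, and `ascanbeta.crossdomain.adobe.read.extrainfo` swaps the Urdu translation for the English source paragraph while `ascanbeta.crossdomain.adobe.read.soln` immediately after it stays in Urdu. Unless the source string for the extrainfo changed, the Urdu value should be kept; if it did change, note that in the commit message, because the rendered alert for this rule will now mix languages.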
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
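Review bot: the new `ascanbeta.httpoxy.desc` only appends a trailing period and keeps the missing space in "of the request.Httpoxy typically affects"; since this locale file carries the English fallback text, that fix belongs in the source Messages.properties it is synced from, otherwise the next sync reintroduces it here. `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` are removed and re-added with identical visible text, so those are whitespace-only changes and should be called out as such.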
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
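Review bot: removing the doubled period at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is correct, but the same string still has the comma splice "It is now most commonly used in REST services, PUT is most-often utilized"; as with the other English fallback strings in this locale file, a wording fix should be made in the source file rather than here, or it will be lost on the next sync.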
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
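Review bot: all four `ascanbeta.integeroverflow.error1` to `error4` pairs have identical visible text, so this hunk is whitespace only (most likely trailing whitespace). That is fine, but a whitespace-only hunk in a translation file should be stated in the commit message so it is not mistaken for a changed string.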
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
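Review bot: the new `ascanbeta.proxydisclosure.desc` has inconsistent bullet formatting: the first item is now `\n- A list of targets` with no leading space, while the next two keep `\n - Potential vulnerabilities` and `\n - The presence`; either drop the leading space from all three or keep it on all three. Separately, in the new `ascanbeta.relativepathconfusion.soln` the quotes in `the correct use of the "" HTML tag` are empty in the rendered diff, and the unchanged `nobasetag` / `morethanonebasetag` lines likewise read `No tag was specified in the HTML tag`; going by the key names these should name the base element, so verify that the element name is actually present in the file and is not being stripped as markup.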
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_vi_VN.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_vi_VN.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_vi_VN.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_vi_VN.properties 
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
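Review bot: the reworked `ascanbeta.proxydisclosure.desc` now has inconsistent bullet indentation: the first item becomes `\n- A list of targets` with no leading space, while the next two keep `\n - Potential vulnerabilities` and `\n - The presence or absence`; either drop the space on all three or keep it on all three. Separately, `ascanbeta.relativepathconfusion.soln` reads `the correct use of the "" HTML tag` both before and after the change, with nothing between the quotes, and the neighbouring `extrainfo.morethanonebasetag` and `extrainfo.nobasetag` messages likewise say "More than one tag was specified in the HTML tag" with no tag name; if an angle-bracketed tag name was stripped by an escaping pass (the key names point at the `base` tag), restore it, because the solution text is meaningless without it.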
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
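Review bot: `ascanbeta.sessionfixation.soln` still has `7)Switch` without the space that items `1)` to `6)` have; fix the spacing in the same change that adds the trailing period. Removing the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the comment `#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..` above each of them pointing at nothing; either remove the comment with the key or keep the key, and confirm the rule code tolerates a missing `.refs` key for these two rules. Capitalisation is now uneven: `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed to `The URL on which`, but `sessionidexpiry.alert.extrainfo.loginpage` a few lines down is left as `The url on which`, and both `alert.extrainfo` values still begin lowercase with `session identifier`. While here, `sessionidexpiry.soln` says `'Expire' or 'Max-Age' cookie directives`; the cookie attribute is `Expires`.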
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
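Review bot: the `sessionidexposedinurl.desc` change is whitespace only, which is fine, but the context line `sessionidexposedinurl.alert.extrainfo.loginpage` keeps `The url on which` while the identical message for `sessionidaccessiblebyjavascript` is changed to `The URL on which` earlier in this file; apply the same capitalisation here so the loginpage messages read the same across rules.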
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_yo_NG.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_yo_NG.properties index 7e81381519c..a933d0b6eda 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_yo_NG.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_yo_NG.properties 
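Review bot: the unchanged context line `ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer.` contradicts itself ("prior to version 1.10.0 or newer"); the fix for CVE-2022-42889, which the refs line cites, shipped in 1.10.0, so this should read `Upgrade Apache Commons Text to version 1.10.0 or newer.` and is worth correcting in the same touch. In the changed `usernameenumeration.alert.extrainfo`, appending a period after `\n[{4}]` puts a full stop directly after the injected diff output, which carries its own line breaks and punctuation; leave that value without the trailing period. `usernameenumeration.alert.attack` (`...and monitor the output`) is rewritten without gaining a period while the line below gains one, so the convention is still inconsistent inside the hunk.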
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP Parameter Pollution -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS Header 
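Review bot: these edits are to `Messages_yo_NG.properties`, a locale file whose values shown here are the untranslated English fallbacks; if locale files are produced from an external translation service, as the locale-specific filename suggests, hand edits here will be overwritten on the next sync, so the wording fixes belong in the base `Messages.properties` and should flow into the locale files from there. Within the hunk, `cookieslack.session.destroyed` is rewritten but still runs the placeholder straight into the next sentence, `...invalidated the session\: [{0}] A follow-on request...`; a period after `[{0}]` is needed there as well. The two `cookieslack.affect.response.*` lines are re-added with identical visible text, so only trailing whitespace changed on those.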
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS Misconfiguration -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
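Review bot: the unchanged context line `ascanbeta.crossdomain.adobe.read.soln` reads `...cross-domain read requests to this web server, using . You should only grant...` with nothing after `using`; the element name (by the sense of the sentence, the `allow-access-from` directive of crossdomain.xml) appears to have been lost, most likely because it was angle-bracketed and stripped, and should be restored while this message is being cleaned up. As rendered here, the rewritten `crossdomain.adobe.read.extrainfo` value appears to break after `to this domain.`; a bare line break ends a value in a `.properties` file, so confirm it is a single line in the actual file.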
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. -ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. -ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. -ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = Integer Overflow Error ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_zh_CN.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_zh_CN.properties index f52ae08bf54..1927d80245f 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_zh_CN.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_zh_CN.properties 
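Review bot: in the `@@ -73,20 +73,20 @@` hunk, `ascanbeta.httpoxy.desc` still reads `request.Httpoxy` with no space after the period, so the added trailing period fixes the end of the value while leaving the same defect mid-sentence; suggest `...specified in the HTTP Proxy header of the request. Httpoxy typically affects...` in the same edit. The `-`/`+` pairs for `ascanbeta.httpsashttp.desc` and `ascanbeta.insecurehttpmethod.connect.exploitable.desc` are textually identical here, so that part of the change is presumably trailing whitespace only; harmless, but worth a word in the commit message.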
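Review bot: in the `@@ -100,7 +100,7 @@` hunk, dropping the doubled period at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is right, but the value keeps the comma splice `It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities`; since the line is being touched anyway, split it into two sentences (`...used in REST services. PUT is most often used for **update** capabilities, ...`).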
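Review bot: in the `@@ -109,10 +109,10 @@` hunk the four `ascanbeta.integeroverflow.error1` to `error4` lines are removed and re-added with no visible difference, so the change can only be trailing whitespace or line endings; that is fine, but state it in the commit message so reviewers are not left diffing invisible characters.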
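Review bot: in the `@@ -126,31 +126,31 @@` hunk the new `ascanbeta.proxydisclosure.desc` drops the space before the first bullet (`determine\n- A list of targets`) but keeps it on the next two (`\n - Potential vulnerabilities`, `\n - The presence or absence`), so the rendered list is misaligned; use the same prefix on all three, e.g. `\n- ` throughout. The trailing-period and whitespace cleanups on the `extrainfo.*header` and `extrainfo.traceenabled` keys in the same hunk look fine.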
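Review bot: in the `@@ -160,27 +160,25 @@` hunk, removing the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys leaves the comment above each one (`#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..`) describing a line that no longer exists; delete those two comments as well (the same comment before `ascanbeta.sessionidexposedinurl.refs` in the following hunk should stay, since that key has a value). Also, item 7 of `ascanbeta.sessionfixation.soln` still reads `7)Switch` with no space after the parenthesis while items 1 to 6 have one; fix it while the line is being rewritten.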
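Review bot: in the `@@ -243,9 +241,9 @@` hunk, appending a period to `ascanbeta.usernameenumeration.alert.extrainfo` puts it directly after the `[{4}]` placeholder, which is filled with the multi-line diff of the two responses, so the alert will end with a stray `.` on the last line of that output; leave this value without the trailing period (or end the sentence before the colon). Re-adding `ascanbeta.usernameenumeration.alert.attack` without a period is consistent with the other `alert.attack` keys and is fine. Unrelated but visible in the context: `ascanbeta.text4shell.soln` reads `Upgrade Apache Commons Text prior to version 1.10.0 or newer`, which contradicts itself and is worth a follow-up fix (`Upgrade Apache Commons Text to version 1.10.0 or newer.`).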
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP\u53c2\u6570\u6c61\u67d3\uff08HPP\uff09\u653b\u51fb\u5305\u62ec\u5c06\u7f16\u7801\u7684\u67e5\u8be2\u5b57\u7b26\u4e32\u5206\u9694\u7b26\u6ce8\u5165\u5230\u5176\u4ed6\u73b0\u6709\u53c2\u6570\u4e2d\u3002\u5982\u679cweb\u5e94\u7528\u7a0b\u5e8f\u6ca1\u6709\u9002\u5f53\u51c0\u5316\u7528\u6237\u6240\u8f93\u5165\u7684\u6570\u636e\uff0c\u6076\u610f\u7528\u6237\u5c31\u53ef\u80fd\u7834\u574f\u5e94\u7528\u7a0b\u5e8f\u7684\u903b\u8f91\uff0c\u6765\u6267\u884c\u5ba2\u6237\u7aef\u6216\u670d\u52a1\u5668\u7aef\u7684\u653b\u51fb\u3002HPP\u653b\u51fb\u7684\u4e00\u4e2a\u540e\u679c\u662f\uff0c\u653b\u51fb\u8005\u6709\u673a\u4f1a\u8986\u76d6\u73b0\u6709\u7684\u786c\u7f16\u7801HTTP\u53c2\u6570\uff0c\u4ece\u800c\u4fee\u6539\u5e94\u7528\u7a0b\u5e8f\u7684\u884c\u4e3a\uff0c\u7ed5\u8fc7\u8f93\u5165\u9a8c\u8bc1\u68c0\u67e5\u70b9\uff0c\u4ee5\u53ca\u8bbf\u95ee\u5e76\u6709\u673a\u4f1a\u5229\u7528\u539f\u672c\u4e0d\u80fd\u76f4\u63a5\u8bbf\u95ee\u7684\u53d8\u91cf\u3002 ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP \u53c2\u6570\u6c61\u67d3 -ascanbeta.HTTPParamPoll.sol = \u6b63\u786e\u6e05\u7406\u7528\u6237\u8f93\u5165\u7684\u53c2\u6570\u5206\u9694\u7b26 +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = \u8be5\u6587\u4ef6\u7684\u5907\u4efd\u7531Web\u670d\u52a1\u5668\u6240\u6cc4\u6f0f +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. 
ascanbeta.backupfiledisclosure.name = \u5907\u4efd\u6587\u4ef6\u6cc4\u9732 ascanbeta.backupfiledisclosure.otherinfo = \u5728[{1}]\u6709\u4e00\u4efd[{0}]\u7684\u5907\u4efd\u53ef\u7528 ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = \u4e0d\u539f\u4f4dWeb\u670d\u52a1\u5668\u4e0a\u7f16\u8f91\u6587\u4ef6\uff0c\u5e76\u4e14\u786e\u4fdd\u975e\u5fc5\u8981\u7684\u6587\u4ef6\uff08\u5305\u62ec\u9690\u85cf\u6587\u4ef6\uff09\u4eceWeb\u670d\u52a1\u5668\u4e0a\u5220\u9664\u3002 -ascanbeta.cookieslack.affect.response.no = \u8fd9\u4e9b Cookie *\u4e0d*\u5f71\u54cd\u670d\u52a1\u5668\u7684\u54cd\u5e94\uff1a -ascanbeta.cookieslack.affect.response.yes = \u8fd9\u4e9b Cookie \u5f71\u54cd\u670d\u52a1\u5668\u7684\u54cd\u5e94\uff1a +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = \u91cd\u590d\u53d1\u9001GET\u8bf7\u6c42\uff1a\u6bcf\u6b21\u4f7f\u7528\u4e0d\u540c\u7684 Cookie \u548c\u666e\u901a\u7684GET\u8bf7\u6c42\u3002\u8fd9\u6837\u6765\u6d4b\u8bd5\u8fde\u63a5\u72b6\u6001\u7684\u7a33\u5b9a\u6027\u5e76\u6bd4\u8f83\u6d4b\u8bd5\u56de\u590d\u548c\u6807\u51c6GET\u8bf7\u6c42\u7684\u6807\u51c6\u56de\u590d\u3002\u8fd9\u6837\u80fd\u68c0\u6d4b\u57fa\u4e8e cookie \u7684\u8ba4\u8bc1\u65b9\u6cd5\u662f\u5426\u6709\u6548\u3002 ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = \u6709\u6548 Cookie \u68c0\u6d4b\u5668 ascanbeta.cookieslack.otherinfo.intro = \u5df2\u77e5\u65e0\u6548\u7684 Cookie \u53ef\u4ee5\u68c0\u6d4b\u7a0b\u5e8f\u903b\u8f91\u9519\u8bef\u3002\u81f3\u5c11\u8fd9\u6837\u53ef\u4ee5\u68c0\u67e5\u51fa\u6765\u57fa\u4e8e Cookie 
\u7684\u8eab\u4efd\u8ba4\u8bc1\u7684\u6709\u6548\u6027\u3002\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = \u5220\u9664\u6b64 Cookie \u5c06\u4f1a\u4f7f\u672c\u6b21\u8fde\u63a5\u4f1a\u8bdd\u65e0\u6548\uff1a[{0}] \u540e\u7eed\u4f7f\u7528\u8fd9\u4e9b Cookie \u7684\u8bf7\u6c42\u5c06\u5f97\u5230\u4e0e\u539f\u59cb\u8bf7\u6c42\u4e0d\u540c\u7684\u670d\u52a1\u5668\u54cd\u5e94\u3002\n -ascanbeta.cookieslack.session.warning = \u6ce8\u610f\uff1a\u7531\u4e8e\u5176\u540d\u79f0\uff0c\u6b64 Cookie \u53ef\u80fd\u5f88\u91cd\u8981\uff0c\u4f46\u5220\u9664\u5b83\u4f3c\u4e4e\u6ca1\u6709\u6548\u679c\uff1a[{0}] +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = \u8de8\u6e90\u8d44\u6e90\u5171\u4eab (CORS) \u662f\u4e00\u79cd\u57fa\u4e8e HTTP \u6807\u5934\u7684\u673a\u5236\uff0c\u5b83\u5141\u8bb8\u670d\u52a1\u5668\u6307\u793a\u6d4f\u89c8\u5668\u5e94\u5141\u8bb8\u4ece\u5176\u52a0\u8f7d\u8d44\u6e90\u7684\u4efb\u4f55\u5176\u4ed6\u6765\u6e90\uff08\u57df\u3001\u6a21\u5f0f\uff08scheme\uff09\u6216\u7aef\u53e3\uff09\u3002 \u5b83\u653e\u5bbd\u4e86\u540c\u6e90\u7b56\u7565\uff08SOP\uff09\u3002 ascanbeta.cors.info.name = CORS Header 
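Review bot: the removed zh_CN strings for HTTPParamPoll.sol, backupfiledisclosure.desc and both cookieslack.affect.response keys are faithful renderings of the English that replaces them, so this hunk discards working translations rather than correcting them; only cookieslack.session.destroyed genuinely needed a reset, since the new source wording ("appears to have invalidated", "a follow-on request with all original cookies still had a different response") no longer says what the old translation says. The cookieslack.desc, name and otherinfo.intro lines stay Chinese while the affect.response and session.* lines become English, so the Other Info block of that alert will render half in each language; consider keeping the four equivalent translations and resetting only session.destroyed.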
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = \u5982\u679c Web \u8d44\u6e90\u5305\u542b\u654f\u611f\u4fe ascanbeta.cors.vuln.desc = \u8fd9\u79cd CORS \u9519\u8bef\u914d\u7f6e\u53ef\u80fd\u5141\u8bb8\u653b\u51fb\u8005\u4ece\u53d7\u5bb3\u8005\u7684\u7528\u6237\u4ee3\u7406\uff08user agent\uff09\u52a0\u8f7d\u7684\u6076\u610f\u9875\u9762\u5411\u6613\u53d7\u653b\u51fb\u7684\u7f51\u7ad9\u6267\u884c AJAX \u67e5\u8be2\u3002\n\u4e3a\u4e86\u6267\u884c\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684 AJAX \u67e5\u8be2\uff0c\u670d\u52a1\u5668\u5fc5\u987b\u6307\u5b9a\u6807\u5934\u201cAccess-Control-Allow-Credentials\: true\u201d\uff0c\u5e76\u4e14\u201cAccess-Control-Allow-Origin\u201d\u6807\u5934\u5fc5\u987b\u8bbe\u7f6e\u4e3a null \u6216\u6076\u610f\u9875\u9762\u7684\u57df\u3002 \u5373\u4f7f\u6b64\u9519\u8bef\u914d\u7f6e\u4e0d\u5141\u8bb8\u7ecf\u8fc7\u8eab\u4efd\u9a8c\u8bc1\u7684 AJAX \u8bf7\u6c42\uff0c\u4ecd\u53ef\u4ee5\u8bbf\u95ee\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u654f\u611f\u5185\u5bb9\uff08\u4f8b\u5982\u5185\u7f51\u7f51\u7ad9\uff09\u3002\n\u6076\u610f\u9875\u9762\u53ef\u80fd\u5c5e\u4e8e\u6076\u610f\u7f51\u7ad9\uff0c\u4f46\u4e5f\u53ef\u80fd\u5c5e\u4e8e\u5b58\u5728\u7f3a\u9677\u7684\u53d7\u4fe1\u4efb\u7f51\u7ad9\uff08\u4f8b\u5982 XSS\u3001\u4e0d\u652f\u6301\u901a\u8fc7 MITM \u6ce8\u5165\u4ee3\u7801\u7684\u4e0d\u5e26 TLS \u7684 HTTP \u7b49\uff09\u3002 ascanbeta.cors.vuln.name = CORS \u9519\u8bef\u914d\u7f6e -ascanbeta.crossdomain.adobe.desc = \u7531\u4e8eWeb\u670d\u52a1\u5668\u4e0a\u7684\u9519\u8bef\u914d\u7f6e\uff0c\u57fa\u4e8eFlash/Silverlight\u7684\u8de8\u7ad9\u70b9\u8bf7\u6c42\u4f2a\u9020\u6709\u53ef\u80fd\u53d1\u751f\u3002 -ascanbeta.crossdomain.adobe.read.extrainfo = 
Web\u670d\u52a1\u5668\u5141\u8bb8\u6076\u610f\u7684\u8de8\u57df\u6570\u636e\u8bfb\u53d6\u6765\u81ea\u4efb\u4f55\u7b2c\u4e09\u65b9\u57df\u7684Flash/Silverlight\u7ec4\u4ef6\u5411\u6b64\u57df\u53d1\u9001\u7684\u8bf7\u6c42\u3002\u5982\u679c\u53d7\u5bb3\u8005\u7528\u6237\u767b\u5f55\u4e86\u6b64\u670d\u52a1\uff0c\u90a3\u4e48\u5c06\u4f7f\u7528\u53d7\u5bb3\u8005\u7684\u7279\u6743\u5904\u7406\u8fd9\u4e2a\u6076\u610f\u7684\u8bfb\u53d6\u8bf7\u6c42\uff0c\u5e76\u53ef\u80fd\u5bfc\u81f4\u6b64\u670d\u52a1\u53d1\u9001\u7684\u6570\u636e\u88ab\u672a\u7ecf\u6388\u6743\u7684\u7b2c\u4e09\u65b9\u7f51\u7ad9\u4ee5\u53d7\u5bb3\u8005\u7684\u7f51\u9875\u6d4f\u89c8\u5668\u4e3a\u4e2d\u4ecb\u6cc4\u9732\u51fa\u53bb\u3002\u5982\u679c\u4f7f\u7528\u7684\u662f\u57fa\u4e8eCookie\u7684\u4f1a\u8bdd\u5b9e\u73b0\uff0c\u8fd9\u79cd\u60c5\u51b5\u5c31\u5f88\u53ef\u80fd\u53d1\u751f\u3002 +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
ascanbeta.crossdomain.adobe.read.name = \u8de8\u57df\u914d\u7f6e\u9519\u8bef - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = \u4f7f\u7528\uff0c\u914d\u7f6ecrossdomain.xml\u6587\u4ef6\u6765\u6536\u7a84\u90a3\u4e9b\u88ab\u5141\u8bb8\u5411\u6b64Web\u670d\u52a1\u5668\u8fdb\u884c\u8de8\u57df\u8bfb\u53d6\u8bf7\u6c42\u7684\u57df\u7684\u540d\u5355\u3002\u53ea\u6709\u5f53\u4f60\u786e\u5b9a\u6b64\u670d\u52a1\u4e0d\u6258\u7ba1\u4efb\u4f55\u53d7\u8bbf\u95ee\u6743\u9650\u63a7\u5236\u7684\u3001\u4e2a\u6027\u5316\u7684\u6216\u79c1\u6709\u7684\u6570\u636e\u65f6\uff0c\u4f60\u624d\u5e94\u8be5\u5411\u201c*\u201d\uff08\u6240\u6709\u57df\uff09\u6388\u4e88\u8bbf\u95ee\u6743\u9650\u3002 ascanbeta.crossdomain.adobe.send.extrainfo = Web\u670d\u52a1\u5668\u5141\u8bb8\u6076\u610f\u7684\u8de8\u57df\u6570\u636e\u5411\u6b64\u57df\u53d1\u9001\uff08\u4f46\u4e0d\u4e00\u5b9a\u8bfb\u53d6\uff09\u6765\u81ea\u4efb\u4f55\u7b2c\u4e09\u65b9\u57df\u7684Flash/Silverlight\u7ec4\u4ef6\u7684\u8bf7\u6c42\u3002\u5982\u679c\u53d7\u5bb3\u8005\u7528\u6237\u767b\u5f55\u4e86\u6b64\u670d\u52a1\uff0c\u5c31\u4f1a\u4f7f\u7528\u53d7\u5bb3\u8005\u7684\u7279\u6743\u6765\u5904\u7406\u8fd9\u4e2a\u6076\u610f\u7684\u53d1\u9001\u8bf7\u6c42\uff0c\u5e76\u5c06\u5bfc\u81f4\u4ee5\u53d7\u5bb3\u8005\u7684\u7f51\u9875\u6d4f\u89c8\u5668\u4e3a\u4e2d\u4ecb\u7684\u8de8\u7ad9\u70b9\u8bf7\u6c42\u4f2a\u9020\uff08CSRF\uff09\u4e00\u7c7b\u7684\u653b\u51fb\u3002\u5982\u679c\u4f7f\u7528\u7684\u662f\u57fa\u4e8eCookie\u7684\u4f1a\u8bdd\u5b9e\u73b0\uff0c\u8fd9\u79cd\u60c5\u51b5\u5c31\u5f88\u53ef\u80fd\u53d1\u751f\u3002 
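Review bot: ascanbeta.crossdomain.adobe.read.extrainfo switches to English while the neighbouring ascanbeta.crossdomain.adobe.send.extrainfo context line keeps its Chinese text, so the Read and Send variants of the same alert will now display in different languages. The removed read.extrainfo translation matches the English sentence for sentence (reads from any third-party domain, processed with the victim's privileges, worst with cookie-based sessions), so unless the source string changed it should be retained rather than reverted.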
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = \u91cd\u5b9a\u5411 URI \u4e0d\u ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = \u914d\u7f6e\u4f60\u7684\u7f51\u7ad9\u6216\u670d\u52a1\u5668\u4f7f\u7528 SSL \u5b89\u5168\u534f\u8bae\uff08https\uff09\u3002 -ascanbeta.httpoxy.desc = \u670d\u52a1\u5668\u901a\u8fc7\u8bf7\u6c42\u7684 HTTP \u4ee3\u7406\u6807\u5934\u4e2d\u6307\u5b9a\u7684\u4ee3\u7406\u53d1\u8d77\u4ee3\u7406\u8bf7\u6c42\u3002Httpoxy \u901a\u5e38\u4f1a\u5f71\u54cd\u5728 CGI \u6216\u7c7b\u4f3c CGI \u7684\u73af\u5883\u4e2d\u8fd0\u884c\u7684\u4ee3\u7801\u3002\n\u8fd9\u53ef\u80fd\u5141\u8bb8\u653b\u51fb\u8005\uff1a\n* \u4ee3\u7406Web\u5e94\u7528\u7a0b\u5e8f\u53d1\u51fa\u7684\u4f20\u51faHTTP\u8bf7\u6c42\n* \u6307\u793a\u670d\u52a1\u5668\u6253\u5f00\u5230\u5176\u9009\u62e9\u7684\u5730\u5740\u548c\u7aef\u53e3\u7684\u4f20\u51fa\u8fde\u63a5\u6216\n* \u901a\u8fc7\u5f3a\u5236\u6613\u53d7\u653b\u51fb\u7684\u8f6f\u4ef6\u4f7f\u7528\u6076\u610f\u4ee3\u7406\u6765\u5360\u7528\u670d\u52a1\u5668\u8d44\u6e90 +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. 
ascanbeta.httpoxy.name = Httpoxy - \u4ee3\u7406\u6807\u5934\u6ee5\u7528 ascanbeta.httpoxy.otherinfo = \u53d1\u5f80 {0} \u7684\u4f20\u51fa\u6d88\u606f\u662f\u901a\u8fc7 ZAP \u6ce8\u5165 HTTP \u4ee3\u7406\u6807\u5934\u7684\u4e3b\u673a\u548c\u7aef\u53e3\u8fdb\u884c\u4ee3\u7406\u7684\u3002 ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = \u7f51\u7edc\u6269\u5c55\u88ab\u7981\u7528 ascanbeta.httpoxy.soln = \u6700\u597d\u7684\u7acb\u5373\u7f13\u89e3\u63aa\u65bd\u662f\u5728\u4ee3\u7406\u8bf7\u6c42\u6807\u5934\u5230\u8fbe\u60a8\u7684\u5e94\u7528\u7a0b\u5e8f\u4e4b\u524d\u5c3d\u65e9\u963b\u6b62\u5b83\u4eec\u3002 -ascanbeta.httpsashttp.desc = \u6700\u521d\u901a\u8fc7 HTTPS\uff08\u5373\uff1a\u4f7f\u7528 SSL/TLS \u52a0\u5bc6\uff09\u8bbf\u95ee\u7684\u5185\u5bb9\u4e5f\u53ef\u4ee5\u901a\u8fc7 HTTP\uff08\u4e0d\u52a0\u5bc6\uff09\u8bbf\u95ee\u3002 +ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
ascanbeta.httpsashttp.name = \u901a\u8fc7 HTTP \u83b7\u53d6 HTTPS \u5185\u5bb9 ascanbeta.httpsashttp.otherinfo = ZAP \u8bd5\u56fe\u901a\u8fc7\u4ee5\u4e0b\u65b9\u6cd5\u8fdb\u884c\u8fde\u63a5\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = \u786e\u4fdd\u60a8\u7684 Web \u670d\u52a1\u5668\u3001\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u3001\u8d1f\u8f7d\u5e73\u8861\u5668\u7b49\u914d\u7f6e\u4e3a\u4ec5\u901a\u8fc7 HTTPS \u63d0\u4f9b\u6b64\u7c7b\u5185\u5bb9\u3002 \u8003\u8651\u5b9e\u65bd HTTP \u4e25\u683c\u4f20\u8f93\u5b89\u5168\u3002 -ascanbeta.insecurehttpmethod.connect.exploitable.desc = \u5411\u6b64\u8d44\u6e90\u542f\u7528\u4e0d\u5b89\u5168\u7684HTTP\u65b9\u6cd5[{0}]\uff0c\u8fd9\u662f\u53ef\u88ab\u5229\u7528\u7684\u3002\u6211\u4eec\u53d1\u73b0\uff0c\u901a\u8fc7\u4f7f\u7528\u8fd9\u79cdHTTP\u65b9\u6cd5\uff0c\u6709\u53ef\u80fd\u4e0e\u7b2c\u4e09\u65b9\u670d\u52a1\u5efa\u7acb\u8d77\u4e00\u4e2a\u96a7\u9053\u5f0f\u7684\u5957\u63a5\u5b57\u8fde\u63a5\u3002\u8fd9\u6837\u5c06\u5141\u8bb8\u6b64\u670d\u52a1\u4f5c\u4e3a\u533f\u540d\u5783\u573e\u90ae\u4ef6\u4f20\u9012\uff0c\u6216\u4f5c\u4e3aWeb\u4ee3\u7406\u6765\u7ed5\u8fc7\u7f51\u7edc\u9650\u5236\u3002\u800c\u4e14\uff0c\u8fd8\u5141\u8bb8\u4f7f\u7528\u6b64\u670d\u52a1\u6765\u5efa\u7acb\u4e00\u4e2a\u96a7\u9053\u5f0fVPN\uff0c\u6709\u6548\u5730\u6269\u5c55\u7f51\u7edc\u5468\u754c\uff0c\u5c06\u4e0d\u53d7\u4fe1\u4efb\u7684\u7ec4\u4ef6\u4e5f\u5305\u62ec\u8fdb\u6765\u3002 +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. 
This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = \u8fd9\u79cd\u8fde\u63a5\u65b9\u6cd5\u7528\u6765\u5efa\u7acb\u4e00\u4e2a\u901a\u8fc7web\u670d\u52a1\u5668\u8fde\u63a5\u5230[{0}]\u7684\u5957\u63a5\u5b57\u3002 ascanbeta.insecurehttpmethod.delete.exploitable.desc = \u8be5\u65b9\u6cd5\u6700\u5e38\u7528\u4e8e REST \u670d\u52a1\u4e2d\uff0c\u7528\u4e8e\u5220\u9664\u8d44\u6e90\u3002 ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = \u8bf7\u53c2\u9605\u5728stackexchange \u4e0a\u7684\u8ba8\u8bba\uff1ahttps\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods\uff0c\u4e86\u89e3 REST \u64cd\u4f5c\u8bf7\u53c2\u9605 https\://www.restapitutorial.com/lessons/httpmethods.html 
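Review bot: the new ascanbeta.httpoxy.desc text is missing a space after its first sentence (`of the request.Httpoxy typically affects`) and needs a comma before the final `or` in the bullet list (`of their choosing, or`); since this English is what the zh_CN locale will now show, the typo is user-visible. The httpoxy.otherinfo, skipped and soln lines keep their Chinese text, so the alert mixes languages; the same applies to httpsashttp.desc next to its still-Chinese otherinfo and soln.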
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = \u8bf7\u53c2\u9605 ascanbeta.insecurehttpmethod.patch.exploitable.desc = \u8fd9\u79cd\u65b9\u6cd5\u73b0\u5728\u6700\u5e38\u7528\u4e8e REST \u670d\u52a1\u4e2d\uff0cPATCH \u7528\u4e8e**\u4fee\u6539**\u529f\u80fd\u3002 PATCH \u8bf7\u6c42\u53ea\u9700\u8981\u5305\u542b\u5bf9\u8d44\u6e90\u7684\u66f4\u6539\uff0c\u800c\u4e0d\u662f\u5b8c\u6574\u7684\u8d44\u6e90\u3002 ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = \u8bf7\u53c2\u9605\u5728stackexchange \u4e0a\u7684\u8ba8\u8bba\uff1ahttps\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods\uff0c\u4e86\u89e3 REST \u64cd\u4f5c\u8bf7\u53c2\u9605 https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = \u53ef\u80fd\u4e0d\u5b89\u5168\u7684 HTTP \u65b9\u6cd5\u7684\u54cd\u5e94\u4ee3\u7801 {0} -ascanbeta.insecurehttpmethod.put.exploitable.desc = \u8be5\u65b9\u6cd5\u6700\u521d\u662f\u7528\u4e8e\u6587\u4ef6\u7ba1\u7406\u64cd\u4f5c\u3002 \u5b83\u73b0\u5728\u6700\u5e38\u7528\u4e8e REST \u670d\u52a1\uff0cPUT \u6700\u5e38\u7528\u4e8e**\u66f4\u65b0**\u529f\u80fd\uff0cPUT \u5230\u5df2\u77e5\u8d44\u6e90 URI\uff0c\u8bf7\u6c42\u6b63\u6587\u5305\u542b\u539f\u59cb\u8d44\u6e90\u7684\u65b0\u66f4\u65b0\u8868\u793a\u5f62\u5f0f\u3002 +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. 
ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = \u8bf7\u53c2\u9605\u5728stackexchange \u4e0a\u7684\u8ba8\u8bba\uff1ahttps\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods\uff0c\u4e86\u89e3 REST \u64cd\u4f5c\u8bf7\u53c2\u9605 https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = \u505c\u7528\u4e0d\u5b89\u5168\u7684web\u670d\u52a1\u5668\u8ddf\u8e2a\u548c\u8fde\u63a5\u7b49\u65b9\u6cd5\uff0c\u5e76\u786e\u4fdd\u5b9e\u73b0\u57fa\u7840\u670d\u52a1\u65f6\u4e0d\u652f\u6301\u4e0d\u5b89\u5168\u7684\u65b9\u6cd5\u3002 ascanbeta.insecurehttpmethod.trace.exploitable.desc = \u5411\u6b64\u8d44\u6e90\u542f\u7528\u4e0d\u5b89\u5168\u7684HTTP\u65b9\u6cd5[{0}]\uff0c\u8fd9\u662f\u53ef\u88ab\u5229\u7528\u7684\u3002\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u201c\u8ddf\u8e2a\u548c\u8ffd\u8e2a\u201d\u65b9\u6cd5\u6765\u83b7\u5f97\u5e94\u7528\u7a0b\u5e8f\u7528\u6237\u7684\u6388\u6743\u4ee4\u724c/\u4f1a\u8bddcookie\u7684\u8bbf\u95ee\u6743\u9650\uff0c\u5373\u4f7f\u4f1a\u8bddcookie\u4f7f\u7528\u4e86\u201cHttpOnly\u201d\u6807\u8bb0\u8fdb\u884c\u4fdd\u62a4\u3002\u653b\u51fb\u82e5\u8981\u6210\u529f\uff0c\u5e94\u7528\u7a0b\u5e8f\u7528\u6237\u901a\u5e38\u5fc5\u987b\u4f7f\u7528\u8f83\u65e7\u7684\u7f51\u9875\u6d4f\u89c8\u5668\uff0c\u6216\u4f7f\u7528\u5177\u6709\u540c\u6e90\u7b56\u7565\uff08SOP\uff09\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u7f51\u9875\u6d4f\u89c8\u5668\u3002 
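Review bot: the new ascanbeta.insecurehttpmethod.put.exploitable.desc has a comma splice (`used in REST services, PUT is most-often utilized`) that should be a full stop, and it carries Markdown-style `**update**`, which will show as literal asterisks if the alert panel renders plain text (the patch.exploitable.desc context line has the same `**` markup around the Chinese word for modify). The removed translation said the same thing as the English, so this is a translation reset, not a correction.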
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = \u6b64 HTTP \u65b9\u6cd5\ ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = \u8bf7\u53c2\u9605 stackexchange \u4e0a\u7684\u8ba8\u8bba\uff1ahttps\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = \u5f53\u7f16\u8bd1\u7a0b\u5e8f\u4e2d\u4f7f\u7528\u7684\u6574\u6570\u8d85\u51fa\u8303\u56f4\u9650\u5236\u5e76\u4e14\u672a\u4ece\u8f93\u5165\u6d41\u4e2d\u6b63\u786e\u68c0\u67e5\u65f6\uff0c\u5b58\u5728\u6574\u6570\u6ea2\u51fa\u60c5\u51b5\u3002 -ascanbeta.integeroverflow.error1 = \u53ef\u80fd\u53d1\u751f\u7684\u6574\u6570\u6ea2\u51fa\u7684\u60c5\u51b5\u3002\u5728\u8f93\u5165\u4e00\u957f\u4e32\u968f\u673a\u6574\u6570\u65f6\uff0c\u72b6\u6001\u4ee3\u7801\u53d1\u751f\u4e86\u53d8\u5316\u3002 -ascanbeta.integeroverflow.error2 = \u53ef\u80fd\u53d1\u751f\u7684\u6574\u6570\u6ea2\u51fa\u7684\u60c5\u51b5\u3002\u5728\u8f93\u5165\u4e00\u957f\u4e32\u96f6\u65f6\uff0c\u72b6\u6001\u4ee3\u7801\u53d1\u751f\u4e86\u53d8\u5316\u3002 -ascanbeta.integeroverflow.error3 = \u53ef\u80fd\u53d1\u751f\u7684\u6574\u6570\u6ea2\u51fa\u7684\u60c5\u51b5\u3002\u5728\u8f93\u5165\u4e00\u957f\u4e32\u76841\u65f6\uff0c\u72b6\u6001\u4ee3\u7801\u53d1\u751f\u4e86\u53d8\u5316\u3002 -ascanbeta.integeroverflow.error4 = \u53ef\u80fd\u53d1\u751f\u7684\u6574\u6570\u6ea2\u51fa\u7684\u60c5\u51b5\u3002\u5728\u8f93\u5165\u4e00\u957f\u4e32\u76849\u65f6\uff0c\u72b6\u6001\u4ee3\u7801\u53d1\u751f\u4e86\u53d8\u5316\u3002 +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. 
Status code changed on the input of a long string of nines. ascanbeta.integeroverflow.name = \u6574\u6570\u6ea2\u51fa\u9519\u8bef ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = \u4e3a\u4e86\u9632\u6b62\u5e94\u7528\u7a0b\u5e8f\u51fa\u73b0\u6ea2\u51fa\u548c\u9664\u4ee50\uff08\u96f6\uff09\u9519\u8bef\uff0c\u8bf7\u91cd\u5199\u540e\u7aef\u7a0b\u5e8f\uff0c\u68c0\u67e5\u6b63\u5728\u5904\u7406\u7684\u6574\u6570\u503c\u662f\u5426\u5728\u5e94\u7528\u7a0b\u5e8f\u5141\u8bb8\u7684\u8303\u56f4\u5185\u3002 \u8fd9\u5c06\u9700\u8981\u91cd\u65b0\u7f16\u8bd1\u540e\u7aef\u53ef\u6267\u884c\u6587\u4ef6\u3002 
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = \u5e26\u5916 XSS ascanbeta.oobxss.skipped = \u672a\u9009\u62e9\u4e3b\u52a8\u626b\u63cf OAST \u670d\u52a1\u3002 ascanbeta.proxydisclosure.attack = \u5e26\u6709\u201cMax-Forwards\u201d\u6807\u5934\u7684 TRACE\u3001OPTIONS \u65b9\u6cd5\u3002 TRACK \u65b9\u6cd5\u3002 -ascanbeta.proxydisclosure.desc = {0} \u4e2a\u4ee3\u7406\u670d\u52a1\u5668\u88ab\u68c0\u6d4b\u5230\u6216\u6307\u7eb9\u8bc6\u522b\u3002 \u6b64\u4fe1\u606f\u6709\u52a9\u4e8e\u6f5c\u5728\u7684\u653b\u51fb\u8005\u786e\u5b9a\n - \u9488\u5bf9\u5e94\u7528\u7a0b\u5e8f\u7684\u653b\u51fb\u76ee\u6807\u5217\u8868\u3002\n - \u4e3a\u5e94\u7528\u7a0b\u5e8f\u63d0\u4f9b\u670d\u52a1\u7684\u4ee3\u7406\u670d\u52a1\u5668\u4e0a\u7684\u6f5c\u5728\u6f0f\u6d1e\u3002\n - \u662f\u5426\u5b58\u5728\u4efb\u4f55\u53ef\u80fd\u5bfc\u81f4\u5bf9\u5e94\u7528\u7a0b\u5e8f\u7684\u653b\u51fb\u88ab\u68c0\u6d4b\u3001\u963b\u6b62\u6216\u51cf\u8f7b\u7684\u57fa\u4e8e\u4ee3\u7406\u7684\u7ec4\u4ef6\u3002 +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. 
ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = \u4f7f\u7528TRACE, OPTIONS, \u548c TRACK\u65b9\u6cd5\uff0c\u5df2\u8bc6\u522b\u51fa\u4e0b\u8ff0\u5728 ZAP \u548c\u5e94\u7528\u7a0b\u5e8f/Web \u670d\u52a1\u5668\u4e4b\u95f4\u7684\u4ee3\u7406\u670d\u52a1\u5668\uff1a +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = \u4e0b\u5217"\u9759\u9ed8"\u7684\u4ee3\u7406\u670d\u52a1\u5668\u88ab\u8bc6\u522b\u51fa\u6765\u3002\u7531\u4e8e\u5b83\u4eec\u7684\u884c\u5f84\uff0c\u8fd9\u4e9b\u4ee3\u7406\u670d\u52a1\u5668\u9a7b\u7559\u5728\u7f51\u7edc\u62d3\u6251\u7ed3\u6784\u4e2d\u7684\u54ea\u4e2a\u70b9\u662f\u4e0d\u77e5\u9053\u7684\uff1a -ascanbeta.proxydisclosure.extrainfo.traceenabled = \u5728\u4e00\u53f0\u6216\u591a\u53f0\u4ee3\u7406\u670d\u52a1\u5668\u4e0a\u6216\u5728\u539f\u59cb\u670d\u52a1\u5668\u4e0a\u542f\u7528\u201c\u8ffd\u8e2a\u201d\u65b9\u6cd5\u3002\u8be5\u65b9\u6cd5\u6f0f\u6d1e\u4eceweb\u6d4f\u89c8\u5668\u63d0\u4ea4\u7684\u6240\u6709\u4fe1\u606f\uff0c\u5e76\u4ee3\u7406\u56de\u5230\u7528\u6237\u4ee3\u7406\u3002\u8fd9\u53ef\u80fd\u4f1a\u4fc3\u8fdb\u201c\u8de8\u7ad9\u70b9\u8ffd\u8e2a\u201d\u653b\u51fb\u3002 +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. 
ascanbeta.proxydisclosure.extrainfo.unknown = \u672a\u77e5 ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = \u4ee5\u4e0b\u7f51\u7ad9/\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u5df2\u88ab\u8bc6\u522b\uff1a +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = \u4ee3\u7406\u62ab\u9732 ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = \u7981\u7528\u4ee3\u7406\u670d\u52a1\u5668\u4ee5\u53ca\u539f\u59cb\u7f51\u7ad9\u6216\u8005\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u4e0a\u7684\u201cTRACE\u201d\u65b9\u6cd5\u3002\u5982\u679c\u4ee3\u7406\u670d\u52a1\u5668\u4ee5\u53ca\u6e90\u7f51\u7ad9\u6216\u8005\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\uff08\u4f8b\u5982\u201cCORS\u201d\u8de8\u8d44\u6e90\u5171\u4eab\uff09\u4e0d\u9700\u8981\u5176\u4ed6\u7684\u7528\u9014\uff0c\u90a3\u4e48\u5219\u8981\u7981\u7528\u4ee3\u7406\u670d\u52a1\u533a\u4e0a\u7684\u201c\u9009\u9879\u201d\u65b9\u6cd5\u3002\u4f7f\u7528\u81ea\u5b9a\u4e49\u9519\u8bef\u9875\u9762\u914d\u7f6e\u7f51\u7ad9\u548c\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\uff0c\u4ee5\u9632\u6b62\u53d1\u751fHTTP\u9519\u8bef\uff08\u4f8b\u5982\u201cTRACK\u201d\u8bf7\u6c42\u4e0d\u5b58\u5728\u9875\u9762\uff09\u7684\u6307\u7eb9\u4ea7\u54c1\u7279\u5b9a\u9519\u8bef\u9875\u9762\u6cc4\u9732\u7ed9\u7528\u6237\u3002\u914d\u7f6e\u6240\u6709\u4ee3\u7406\uff0c\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668\u548c\u7f51\u7ad9\u670d\u52a1\u5668\uff0c\u4ee5\u9632\u6b62\u5728\u201c\u670d\u52a1\u5668\u201d\u548c\u201cX-Powered-By\u201dHTTP\u54cd\u5e94\u5934\u4e2d\u62ab\u9732\u6280\u672f\u548c\u7248\u672c\u4fe1\u606f\u3002\n ascanbeta.relativepathconfusion.desc = Web \u670d\u52a1\u5668\u88ab\u914d\u7f6e\u4e3a\u4ee5\u53ef\u80fd\u5bfc\u81f4\u5bf9 URL 
\u7684\u6b63\u786e\u201c\u76f8\u5bf9\u8def\u5f84\u201d\u4ea7\u751f\u6df7\u6dc6\u7684\u65b9\u5f0f\u63d0\u4f9b\u5bf9\u4e0d\u660e\u786e URL \u7684\u54cd\u5e94\u3002 \u8d44\u6e90\uff08CSS\u3001\u56fe\u50cf\u7b49\uff09\u4e5f\u5728\u9875\u9762\u54cd\u5e94\u4e2d\u4f7f\u7528\u76f8\u5bf9 URL\uff08\u800c\u4e0d\u662f\u7edd\u5bf9 URL\uff09\u6307\u5b9a\u3002 \u5728\u653b\u51fb\u4e2d\uff0c\u5982\u679c Web \u6d4f\u89c8\u5668\u4ee5\u5141\u8bb8\u7684\u65b9\u5f0f\u89e3\u6790\u201c\u8de8\u5185\u5bb9\u201d\u54cd\u5e94\uff0c\u6216\u8005\u53ef\u4ee5\u4f7f\u7528\u8bf8\u5982Frame\u6846\u67b6\u4e4b\u7c7b\u7684\u6280\u672f\u8bf1\u9a97\u5141\u8bb8\u5730\u89e3\u6790\u201c\u8de8\u5185\u5bb9\u201d\u54cd\u5e94\uff0c\u5219 Web \u6d4f\u89c8\u5668\u53ef\u80fd\u4f1a\u88ab\u6b3a\u9a97 \u5c06 HTML \u89e3\u91ca\u4e3a CSS\uff08\u6216\u5176\u4ed6\u5185\u5bb9\u7c7b\u578b\uff09\uff0c\u4ece\u800c\u5bfc\u81f4 XSS \u6f0f\u6d1e\u3002 -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = \u6307\u5b9a\u4e86\u201c{0}\u201d\u7684\u5185\u5bb9\u7c7b\u578b\u3002\u5982\u679cweb\u6d4f\u89c8\u5668\u4f7f\u7528\u4e25\u683c\u7684\u89e3\u6790\u89c4\u5219\uff0c\u8fd9\u5c06\u9632\u6b62\u6765\u81ea\u4e00\u8fde\u4e32\u7684\u4ea4\u53c9\u5185\u5bb9\u653b\u51fb\uff0cweb\u6d4f\u89c8\u5668\u4e2d\u7684\u602a\u5f02\uff08Quirks\uff09\u6a21\u5f0f\u4f1a\u7981\u7528\u4e25\u683c\u7684\u89e3\u6790\u3002 +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. 
ascanbeta.relativepathconfusion.extrainfo.framingallowed = \u672a\u6307\u5b9a X-Frame-Options \u6807\u5934\uff0c\u56e0\u6b64\u53ef\u4ee5\u5bf9\u9875\u9762\u8fdb\u884c\u6846\u67b6\uff08Frame\uff09\uff0c\u8fd9\u53ef\u7528\u4e8e\u542f\u7528 Quirks \u6a21\u5f0f\uff0c\u4ece\u800c\u5141\u8bb8\u7ed5\u8fc7\u6307\u5b9a\u7684\u5185\u5bb9\u7c7b\u578b\u3002 ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = \u5728 HTML \u6807\u8bb0\u4e2d\u6307\u5b9a\u4e86\u591a\u4e2a \u6807\u8bb0\u6765\u5b9a\u4e49\u76f8\u5bf9 URL \u7684\u4f4d\u7f6e\uff0c\u8fd9\u662f\u65e0\u6548\u7684\u3002 ascanbeta.relativepathconfusion.extrainfo.nobasetag = \u5728HTML\u6807\u8bb0\u4e2d\u6ca1\u6709\u6307\u5b9a\u6807\u8bb0\u6765\u5b9a\u4e49\u76f8\u5bf9URLs\u7684\u4f4d\u7f6e\u3002 -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = \u672a\u6307\u5b9a\u5185\u5bb9\u7c7b\u578b\uff0c\u56e0\u6b64\u4e0d\u9700\u8981 Quirks \u6a21\u5f0f\u5373\u53ef\u5229\u7528 Web \u6d4f\u89c8\u5668\u4e2d\u7684\u6f0f\u6d1e\u3002 +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = \u602a\u5f02\uff08Quirks\uff09\u6a21\u5f0f\u901a\u8fc7\u201dHTML\u6807\u8bb0\u7684\u6b63\u786e\u4f7f\u7528\u5c06\u660e\u786e\u6307\u5b9a\u6587\u6863\u4e2d\u6240\u6709\u76f8\u5bf9URL\u7684\u57fa\u672cURL\u3002\u4f7f\u7528\u201cContent-Type\u201dHTTP\u54cd\u5e94\u5934\u4f7f\u653b\u51fb\u8005\u66f4\u96be\u4e8e\u8feb\u4f7fweb\u6d4f\u89c8\u5668\u9519\u8bef\u5730\u89e3\u91ca\u5b83\u6240\u54cd\u5e94\u7684\u5185\u5bb9\u7c7b\u578b\u3002\n\u4f7f\u7528\u201cX-Content-Type-Options\: nosniff\u201dHTTP\u54cd\u5e94\u5934\u6765\u9632\u6b62web\u6d4f\u89c8\u5668\u201c\u55c5\u63a2\u201d\u54cd\u5e94\u7684\u5185\u5bb9\u7c7b\u578b\u3002\n\u4f7f\u7528\u73b0\u4ee3\u7684doctype\uff0c\u5982\u201c<\!doctype html>\u201d\u9632\u6b62\u9875\u9762\u4f7f\u7528\u201cQuirks\u6a21\u5f0f\u201d\u5728web\u6d4f\u89c8\u5668\u4e2d\u5448\u73b0\uff0c\u56e0\u4e3a\u8fd9\u4f1a\u5bfc\u81f4web\u6d4f\u89c8\u5668\u5ffd\u7565\u5185\u5bb9\u7c7b\u578b\u3002\u6307\u5b9a\u201cX-Frame-Options\u201dHTTP\u54cd\u5e94\u5934\uff0c\u4ee5\u9632\u6b62\u5728web\u6d4f\u89c8\u5668\u4e2d\u4f7f\u7528\u6846\u67b6\u653b\u51fb\u542f\u7528Quirks\u6a21\u5f0f\u3002 +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being 
rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. ascanbeta.sessionfixation.alert.attack = {0} \u5b57\u6bb5\uff1a[{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = \u5f53 Cookie \u5b57\u6bb5 [{0}] \u8bbe\u7f6e\u4e3a NULL \u65f6\u54cd\u5e94\u4e2d\u8bbe\u7f6e\u7684 Cookie\uff1a[{1}]\n\u4f7f\u7528\u8bf7\u6c42 [{1}] \u4e2d\u501f\u7528\u7684\uff08\u6709\u6548\uff09Cookie \u503c\u54cd\u5e94\u8bbe\u7f6e Cookie\uff1a[{2}] 
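Review bot: in ascanbeta.proxydisclosure.desc the list items are indented inconsistently (`\n- A list` followed by `\n - Potential` and `\n - The presence`); the removed translation used `\n - ` for all three, so the English source should be aligned the same way. In ascanbeta.relativepathconfusion.soln the tag name is missing from `the "" HTML tag` as rendered here, and the matching `-` line does not appear at all, its old text being fused onto the end of the quirksmodeenabledexplicitly context line; both symptoms look like the HTML tag in that string (presumably the base tag, given "base URL for all relative URLs") being swallowed on rendering, so check that the actual file still contains the tag name. Also proxyserver.header and traceenabled become English while silentproxyserver.header stays Chinese within the same Other Info block.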
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = \u88ab\u68c0\u51fa\u67 ascanbeta.sessionfixation.desc = \u201c\u4f1a\u8bdd\u56fa\u5b9a\u201d\u653b\u51fb\u662f\u6709\u53ef\u80fd\u53d1\u751f\u7684\u3002\u5982\u679c\u8fd9\u4e2a\u95ee\u9898\u53d1\u751f\u5728\u4e00\u4e2a\u767b\u5f55URL\u4e0a\uff08\u5728\u767b\u5f55URL\u4e0a\u7528\u6237\u81ea\u5df1\u9a8c\u8bc1\u81ea\u5df1\u5728\u5e94\u7528\u7a0b\u5e8f\u4e0a\u7684\u8eab\u4efd\uff09\uff0c\u90a3\u4e48\u653b\u51fb\u8005\u5c31\u53ef\u80fd\u5c06\u8fd9\u4e2aURL\u8fde\u540c\u4e00\u4e2a\u56fa\u5b9a\u4f1a\u8bddID\u4e00\u540c\u53d1\u7ed9\u53d7\u5bb3\u8005\uff0c\u4ee5\u4fbf\u7a0d\u540e\u7528\u8fd9\u4e2a\u7ed9\u5b9a\u7684\u4f1a\u8bddID\u6765\u5047\u88c5\u53d7\u5bb3\u8005\u7684\u8eab\u4efd\u3002\u5982\u679c\u8fd9\u4e2a\u95ee\u9898\u53d1\u751f\u5728\u672a\u767b\u5f55\u9875\u9762\uff0c\u90a3\u4e48URL\u548c\u56fa\u5b9a\u4f1a\u8bddID\u5c31\u53ea\u80fd\u88ab\u653b\u51fb\u8005\u7528\u4e8e\u8ffd\u8e2a\u672a\u7ecf\u8eab\u4efd\u9a8c\u8bc1\u7684\u7528\u6237\u7684\u884c\u4e3a\u3002\u5982\u679c\u8fd9\u4e2a\u6f0f\u6d1e\u53d1\u751f\u5728cookie\u5b57\u6bb5\u6216\u8868\u5355\u5b57\u6bb5\uff08POST\u53c2\u6570\uff09\u800c\u4e0d\u662fURL\uff08GET\uff09\u53c2\u6570\u4e0a\uff0c\u90a3\u5c31\u53ef\u80fd\u9700\u8981\u66f4\u591a\u4e00\u4e9b\u5176\u4ed6\u7684\u6f0f\u6d1e\u624d\u80fd\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e0a\u8bbe\u7f6ecookie\u5b57\u6bb5\uff0c\u6765\u4f7f\u5f97\u8fd9\u4e2a\u6f0f\u6d1e\u80fd\u88ab\u5229\u7528\u3002 ascanbeta.sessionfixation.name = \u4f1a\u8bdd\u56fa\u5b9a ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 
1\uff09\u5f3a\u5236\u6267\u884c\u4e25\u683c\u7684\u4f1a\u8bddID\uff0c\u4e14\u53ea\u5728\u5bf9\u5e94\u7528\u7a0b\u5e8f\u7684\u4f7f\u7528\u8005\u7684\u8eab\u4efd\u9a8c\u8bc1\u6210\u529f\u540e\u624d\u5206\u914d\u4f1a\u8bddID\uff0c\u901a\u8fc7\u8fd9\u4e9b\u65b9\u6cd5\u6765\u9632\u6b62\u653b\u51fb\u8005\u83b7\u5f97\u4f1a\u8bddID\u3002\n2\uff09\u65e0\u8bba\u4f1a\u8bdd\u662f\u5426\u5df2\u7ecf\u5b58\u5728\uff0c\u670d\u52a1\u5668\u90fd\u5e94\u5f53\u5728\u8eab\u4efd\u9a8c\u8bc1\u65f6\u521b\u5efa\u4e00\u4e2a\u65b0\u7684\u4f1a\u8bddID\u3002\n3\uff09\u5c06\u4f1a\u8bddID\u7ed1\u5b9a\u5230\u4e00\u4e9b\u53ef\u8bc6\u522b\u7684\u5ba2\u6237\u7aef\u5c5e\u6027\u7ec4\u5408\uff0c\u5982IP\u5730\u5740\u3001SSL\u5ba2\u6237\u7aef\u8bc1\u4e66\u3002\n4\uff09\u8981\u9500\u6bc1\u4f1a\u8bdd\u65f6\uff0c\u5fc5\u987b\u5728\u670d\u52a1\u5668\u4e0a\u9500\u6bc1\uff0c\u540c\u65f6\u4e5f\u5728\u5ba2\u6237\u673a\u4e0a\u9500\u6bc1\u3002\n5\uff09\u5b9e\u65bd\u4e00\u79cd\u4f1a\u9500\u6bc1\u5ba2\u6237\u7aef\u4e4b\u524d\u7684\u6240\u6709\u4f1a\u8bdd\u7684\u6ce8\u9500\u673a\u5236\u3002\n6\uff09\u5b9e\u73b0\u65e0\u6761\u4ef6\u7684\u4f1a\u8bdd\u8d85\u65f6\u3002\n7\uff09\u5c06\u57fa\u4e8eURL\u7684\u4f1a\u8bddID\u5b9e\u73b0\u8f6c\u6362\u4e3a\u57fa\u4e8ecookie\u6216\u8868\u5355\u7684\u4f1a\u8bddID\u5b9e\u73b0\uff0c\u56e0\u4e3a\u540e\u8005\u8981\u88ab\u653b\u51fb\u8005\u5229\u7528\u7684\u8bdd\uff0c\u901a\u5e38\u9700\u8981\u66f4\u591a\u7684\u6f0f\u6d1e\u3002 +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism 
which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} \u5b57\u6bb5\uff1a[{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = \u53ef\u4ee5\u4f7f\u7528\u7f51\u9875\u6d4f\u89c8\u5668\u7684JavaScript\u6765\u8bbf\u95ee\u4f1a\u8bdd\u6807\u8bc6\u7b26{0}\u5b57\u6bb5[{1}]\u3001\u503c[{2}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = \u88ab\u68c0\u51fa\u6709\u6b64\u95ee\u9898\u7684URL\u88ab\u6807\u8bb0\u4e3a\u767b\u5f55\u9875\u3002 -ascanbeta.sessionidaccessiblebyjavascript.desc = \u670d\u52a1\u5668\u53d1\u9001\u7684\u4f1a\u8bddID cookie\uff08\u901a\u8fc7\u5c06\u547d\u540d\u53c2\u6570\u5b57\u6bb5\u8bbe\u7f6e\u4e3aNULL\u6765\u4fee\u6539URL\u65f6\uff09\u53ef\u80fd\u88ab\u5ba2\u6237\u7aef\u4e0a\u7684JavaScript\u8bbf\u95ee\u3002\u82e5\u7ed3\u5408\u53e6\u4e00\u4e2a\u6f0f\u6d1e\uff0c\u8fd9\u5c06\u6709\u673a\u4f1a\u9020\u6210\u4f1a\u8bdd\u88ab\u52ab\u6301\u3002 +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. +ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. 
#Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = JavaScript \u53ef\u8bbf\u95ee\u4f1a\u8bdd ID Cookie #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) \u5728\u8bbe\u7f6e\u5305\u542b\u4f1a\u8bdd ID \u7684 cookie \u65f6\u4f7f\u7528\u201chttponly\u201d\u6807\u5fd7\uff0c\u4ee5\u9632\u6b62 Web \u6d4f\u89c8\u5668\u4e2d\u7684 JavaScript \u8bbf\u95ee\u5b83\u3002 +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} \u5b57\u6bb5\uff1a[{1}] ascanbeta.sessionidexpiry.alert.extrainfo = \u53ef\u4ee5\u8bbf\u95ee\u4f1a\u8bdd\u6807\u8bc6\u7b26{0}\u5b57\u6bb5[{1}]\u3001\u503c[{2}]\uff0c\u76f4\u5230[{3}]\u65f6\uff08\u56e0\u4e3a\u5728{4}\u6536\u5230cookie\uff09\uff0c\u9664\u975e\u4f1a\u8bdd\u88ab\u9500\u6bc1\u3002 ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = \u88ab\u68c0\u51fa\u6709\u6b64\u95ee\u9898\u7684URL\u88ab\u6807\u8bb0\u4e3a\u767b\u5f55\u9875\u3002 ascanbeta.sessionidexpiry.browserclose = \u6d4f\u89c8\u5668\u5173\u95ed -ascanbeta.sessionidexpiry.desc = \u670d\u52a1\u5668\u53d1\u9001\u7684\u4f1a\u8bddID cookie\uff08\u901a\u8fc7\u5c06\u547d\u540d\u53c2\u6570\u5b57\u6bb5\u8bbe\u7f6e\u4e3aNULL\u6765\u4fee\u6539URL\u65f6\uff09\u88ab\u8bbe\u7f6e\u4e3a\u5728\u4e00\u6bb5\u8fc7\u957f\u65f6\u95f4\u5185\u6709\u6548\u3002\u5982\u679c\u7528\u6237\u5fd8\u8bb0\u6ce8\u9500\uff0c\u6216\u6ce8\u9500\u529f\u80fd\u6ca1\u80fd\u6b63\u786e\u5730\u9500\u6bc1\u4f1a\u8bdd\uff0c\u53c8\u6216\u8005\u4f1a\u8bddID\u901a\u8fc7\u67d0\u4e9b\u5176\u4ed6\u65b9\u6cd5\u6cc4\u9732\uff0c\u90a3\u4e48\u653b\u51fb\u8005\u5c31\u53ef\u80fd\u5229\u7528\u8fd9\u4e00\u70b9\u3002 +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the 
server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = \u4f1a\u8bdd ID \u8fc7\u671f\u65f6\u95f4/Max-Age \u8fc7\u9ad8 #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1\uff09\u5728\u8bbe\u7f6e\u5305\u542b\u4f1a\u8bddID\u7684cookie\u65f6\uff0c\u4f7f\u7528\u201cExpire\u201d\u6216\u201cMax-Age\u201dcookie\u6307\u4ee4\uff0c\u6765\u907f\u514d\u5b83\u5728\u8fc7\u957f\u65f6\u95f4\u5185\u53ef\u7528\u3002\n2\uff09\u786e\u4fdd\u6ce8\u9500\u529f\u80fd\u5b58\u5728\uff0c\u5e76\u786e\u4fdd\u5b83\u80fd\u6b63\u786e\u5730\u9500\u6bc1\u4f1a\u8bdd\u3002\n3\uff09\u4f7f\u7528\u5176\u4ed6\u9884\u9632\u63aa\u65bd\u6765\u786e\u4fdd\u5373\u4f7f\u4f1a\u8bddID\u88ab\u6cc4\u9732\uff0c\u4e5f\u4e0d\u80fd\u88ab\u5229\u7528\u3002 ascanbeta.sessionidexpiry.timeexpired = \u5df2\u8fc7\u671f ascanbeta.sessionidexpiry.timelessthanonehour = \u5c0f\u4e8e1\u5c0f\u65f6 
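Review bot: The new `ascanbeta.sessionfixation.soln` value has `7)Switch` with no space after `7)`, unlike items 1) to 6) in the same string (`6) Implement absolute session timeouts.\n7)Switch`); add the space. Removing the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys also leaves the two `#these refs cannot be referenced, but we leave it here ...` comments pointing at nothing, so drop those comments as well or keep the keys. More broadly, this hunk replaces translated values (`sessionfixation.soln`, `sessionidaccessiblebyjavascript.alert.extrainfo`/`.desc`/`.soln`, `sessionidexpiry.desc`) with the English source strings while the sibling `.name` and `.alert.attack` keys stay translated, so these alerts will render in mixed languages; if the intent is to fall back to the default bundle, omitting the keys (Java ResourceBundle parent-chain lookup handles a missing key) is cleaner than shipping English text in a localized file, so please confirm this is the expected translation-sync output.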
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = \u8d85\u8fc71\u661f\u671f ascanbeta.sessionidexposedinurl.alert.attack = {0}\u5b57\u6bb5\uff1a[{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0}\u5b57\u6bb5[{1}]\u542b\u6709\u4e00\u4e2a\u516c\u5f00\u7684\u4f1a\u8bdd\u6807\u8bc6\u7b26[{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = \u88ab\u68c0\u51fa\u6709\u6b64\u95ee\u9898\u7684URL\u88ab\u6807\u8bb0\u4e3a\u767b\u5f55\u9875\u3002 -ascanbeta.sessionidexposedinurl.desc = URL\u4e2d\u66b4\u9732\u4e86\u4e00\u4e2a\u4f1a\u8bddID\u3002\u4e00\u540d\u65b0\u624b\u7528\u6237\u53ef\u80fd\u4f1a\u901a\u8fc7\u5206\u4eab\u8fd9\u6837\u7684\u4e00\u4e2a\u7f51\u7ad9URL\uff08\u5305\u542b\u4f1a\u8bddID\uff09\uff0c\u800c\u65e0\u610f\u4e2d\u628a\u81ea\u5df1\u7684\u6570\u636e\u7684\u8bbf\u95ee\u6743\u6388\u6743\u4e86\u51fa\u53bb\uff0c\u5f71\u54cd\u4e86\u6570\u636e\u7684\u673a\u5bc6\u6027\u3001\u5b8c\u6574\u6027\u548c\u53ef\u7528\u6027\u3002\u542b\u6709\u4f1a\u8bdd\u6807\u8bc6\u7b26\u7684URL\u4e5f\u4f1a\u5728\u7f51\u9875\u6d4f\u89c8\u5668\u4e66\u7b7e\u3001Web\u670d\u52a1\u5668\u65e5\u5fd7\u6587\u4ef6\u548c\u4ee3\u7406\u670d\u52a1\u5668\u65e5\u5fd7\u6587\u4ef6\u4e2d\u51fa\u73b0\u3002 +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = \u516c\u5f00\u7684\u4f1a\u8bdd ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
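Review bot: `ascanbeta.sessionidexposedinurl.desc` is changed from the translated text to the English source string while the neighbouring keys in the same hunk (`.alert.extrainfo`, `.alert.extrainfo.loginpage`, `.name`) stay translated, so the alert description and title will be shown in different languages; either keep the translation or remove the key so the default bundle value is used.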
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = \u4f7f\u7528\u4e00\u79cd\u66f4\u4e3a\u5b89\u5168\u7684\u4f1a\u8bdd\u7ba1\u7406\u5b9e\u73b0\u65b9\u6cd5\uff0c\u4f8b\u5982\u4f7f\u7528\u4f1a\u8bddcookie\u8fd9\u79cd\u5b9e\u73b0\u65b9\u6cd5\uff0c\u5c31\u4e0d\u90a3\u4e48\u5bb9\u6613\u5728\u65e0\u610f\u95f4\u5206\u4eab\u4e86\u4f1a\u8bdd\u6807\u8bc6\u7b26\uff0c\u4e5f\u4e0d\u4f1a\u5728\u670d\u52a1\u5668\u65e5\u5fd7\u6587\u4ef6\u6216\u7f51\u9875\u6d4f\u89c8\u5668\u4e66\u7b7e\u91cc\u51fa\u73b0\u4f1a\u8bdd\u6807\u8bc6\u7b26\u3002 ascanbeta.sessionidsentinsecurely.alert.attack = {0} \u5b57\u6bb5\uff1a[{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = \u53ef\u80fd\u901a\u8fc7\u4e0d\u5b89\u5168\u7684\u673a\u5236\u6765\u53d1\u9001\u4f1a\u8bdd\u6807\u8bc6\u7b26{0}\u5b57\u6bb5[{1}]\u3001\u503c[{2}]\u3002 +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. 
ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = \u88ab\u68c0\u51fa\u6709\u6b64\u95ee\u9898\u7684URL\u5df2\u6807\u8bb0\u4e3a\u767b\u5f55\u9875\u9762\u3002 ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = \u5728\u7531\u670d\u52a1\u5668\u63d0\u4f9b\u7684\u4f1a\u8bddcookie\u4e2d\u6ca1\u6709\u8bbe\u7f6e\u201c\u5b89\u5168\u201d\u6807\u5fd7\u3002 -ascanbeta.sessionidsentinsecurely.desc = \u6709\u53ef\u80fd\u7ecf\u7531\u4e0d\u5b89\u5168\u7684\u673a\u5236\u5c06\u4f1a\u8bddID\u53d1\u9001\u51fa\u53bb\u3002\u5728\u8bf7\u6c42\u4e2d\u53d1\u9001cookie\u65f6\uff0c\u82e5\u4f7f\u7528\u7684\u662fHTTP\u800c\u4e0d\u662fHTTPS\uff0c\u5c31\u4f1a\u53d1\u751f\u8fd9\u79cd\u60c5\u51b5\u3002\u5f53\u670d\u52a1\u5668\u6839\u636e\u54cd\u5e94\u53d1\u9001cookie\u65f6\uff08\u5728\u901a\u8fc7\u5c06\u547d\u540d\u53c2\u6570\u5b57\u6bb5\u8bbe\u7f6e\u4e3aNULL\u6765\u4fee\u6539URL\u65f6\uff09\uff0c\u6ca1\u6709\u8bbe\u7f6e\u201c\u5b89\u5168\u201d\u6807\u5fd7\uff0c\u5c31\u4f1a\u5141\u8bb8cookie\u5728\u8fc7\u540e\u901a\u8fc7HTTP\u800c\u4e0d\u662fHTTPS\u6765\u53d1\u9001\u51fa\u53bb\u3002\u8fd9\u6837\u7684\u8bdd\uff0c\u7f51\u7edc\u8def\u5f84\u4e0a\u7684\u4e00\u540d\u88ab\u52a8\u7a83\u542c\u8005\u5c31\u6709\u53ef\u80fd\u83b7\u53d6\u8bbf\u95ee\u53d7\u5bb3\u8005\u7684\u4f1a\u8bdd\u7684\u5b8c\u5168\u8bbf\u95ee\u6743\u9650\u3002 +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. 
#Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = \u6240\u4f20\u8f93\u7684\u4f1a\u8bddID\u4e0d\u5b89\u5168 #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) \u5bf9\u4e8e\u5728\u6d4f\u89c8\u5668\u548c Web \u670d\u52a1\u5668\u4e4b\u95f4\u4f20\u9012\u4f1a\u8bdd ID \u7684\u6240\u6709\u9875\u9762\uff0c\u4f7f\u7528\u6700\u65b0\u53ef\u7528\u7248\u672c\u7684 SSL/TLS\uff08\u9002\u7528\u4e8e HTTPS\uff09\u3002\n2) \u4e0d\u5141\u8bb8\u5f3a\u5236\u4f7f\u7528\u672a\u52a0\u5bc6\u7684 HTTP \u534f\u8bae\u8fdb\u884c\u901a\u4fe1\u3002\n3) \u5728\u8bbe\u7f6e\u5305\u542b\u4f1a\u8bdd ID \u7684 cookie \u65f6\u4f7f\u7528\u201c\u5b89\u5168\u201d\u6807\u5fd7\uff0c\u4ee5\u9632\u6b62\u5176\u540e\u7eed\u901a\u8fc7\u4e0d\u5b89\u5168\u7684\u673a\u5236\u8fdb\u884c\u4f20\u8f93\u3002\n4) \u5c06\u975e\u5b89\u5168 HTTP \u9875\u9762\u8bf7\u6c42\u8f6c\u53d1\u5230\u5b89\u5168 HTTPS \u7b49\u6548\u9875\u9762\u3002 +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = \u670d\u52a1\u5668\u6b63\u5728\u8fd0\u884c Bash shell \u7248\u672c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u6267\u884c\u4efb\u610f\u4ee3\u7801 +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = \u4f7f\u7528\u8be5\u653b\u51fb\uff0c\u5f15\u53d1\u5e76\u68c0\u6d4b\u5230 [{0}] \u6beb\u79d2\u7684\u5ef6\u8fdf ascanbeta.shellshock.name = \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = \u5c06\u670d\u52a1\u5668\u4e0a\u7684 Bash \u66f4\u65b0\u5230\u6700\u65b0\u7248\u672c +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = \u4f7f\u7528\u8be5\u653b\u51fb\uff0c\u5f15\u53d1\u5e76\u68c0\u6d4b\u5230 [{0}] \u6beb\u79d2\u7684\u5ef6\u8fdf ascanbeta.sourcecodedisclosure.desc = \u5f53\u524d\u9875\u9762\u7684\u6e90\u4ee3\u7801\u88abWeb\u670d\u52a1\u5668\u6cc4\u9732\u3002 ascanbeta.sourcecodedisclosure.gitbased.evidence = [{0}] \u7684\u6e90\u4ee3\u7801\u662f\u4f7f\u7528[{1}] \u63d0\u53d6\u7684 -ascanbeta.sourcecodedisclosure.gitbased.name = Git - \u6e90\u4ee3\u7801\u6cc4\u9732 -ascanbeta.sourcecodedisclosure.gitbased.soln = \u786e\u4fdd Git \u5143\u6570\u636e\u6587\u4ef6\u672a\u90e8\u7f72\u5230 Web \u670d\u52a1\u5668\u6216\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668 +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = \u4e0e\u9608\u503c [{3}%] \u76f8\u6bd4\uff0c\u6e90\u4ee3\u7801\u6587\u4ef6\u540d [{0}] \u7684\u8f93\u51fa\u4e0e\u968f\u673a\u53c2\u6570 [{1}] \u7684\u8f93\u51fa\u5728 [{2}%] \u5904\u6709\u5f88\u5927\u5dee\u5f02 ascanbeta.sourcecodedisclosure.lfibased.name = \u6e90\u4ee3\u7801\u6cc4\u6f0f - \u6587\u4ef6\u5305\u542b ascanbeta.sourcecodedisclosure.svnbased.extrainfo = [{0}] \u7684\u6e90\u4ee3\u7801\u4f4d\u4e8e [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = \u6e90\u4ee3\u7801\u6cc4\u9732 - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = \u786e\u4fdd SVN \u5143\u6570\u636e\u6587\u4ef6\u672a\u90e8\u7f72\u5230 Web \u670d\u52a1\u5668\u6216\u5e94\u7528\u7a0b\u5e8f\u670d\u52a1\u5668 +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = \u67d0\u4e9b PHP \u7248\u672c\u5728\u914d\u7f6e\u4e3a\u4f7f\u7528 CGI \u8fd0\u884c\u65f6\uff0c\u65e0\u6cd5\u6b63\u786e\u5904\u7406\u7f3a\u5c11\u672a\u8f6c\u4e49\u201c\=\u201d\u5b57\u7b26\u7684\u67e5\u8be2\u5b57\u7b26\u4e32\uff0c\u4ece\u800c\u5bfc\u81f4 PHP \u6e90\u4ee3\u7801\u6cc4\u9732\u548c\u4efb\u610f\u4ee3\u7801\u6267\u884c\u3002 \u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0cPHP \u6587\u4ef6\u7684\u5185\u5bb9\u76f4\u63a5\u63d0\u4f9b\u7ed9 Web \u6d4f\u89c8\u5668\u3002 \u6b64\u8f93\u51fa\u901a\u5e38\u5305\u542b PHP\uff0c\u4f46\u4e5f\u53ef\u80fd\u5305\u542b\u7eaf HTML\u3002 ascanbeta.sourcecodedisclosurecve-2012-1823.name = \u6e90\u4ee3\u7801\u6cc4\u9732 - CVE-2012-1823 
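Review bot: `ascanbeta.sourcecodedisclosure.gitbased.name` is switched to the English `Source Code Disclosure - Git` while the unchanged `ascanbeta.sourcecodedisclosure.svnbased.name` a few lines below remains translated (`... - SVN`), so two sibling rules will be listed in different languages; treat both the same way. The same mixed-language effect applies to the `shellshock` and `sessionidsentinsecurely` keys in this hunk, where only `.desc` and `.soln` become English and `.name`, `.extrainfo` and `.alert.extrainfo.secureflagnotset` stay translated. Minor: the new `ascanbeta.sessionidsentinsecurely.alert.extrainfo` starts lowercase (`session identifier {0} field ...`) unlike the other alert messages in the file.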
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = \u672a\u9009\u62e9\u4e3b\u52a8\u626b\u63cf OAST \u670d\u52a1\u3002 ascanbeta.text4shell.soln = \u5347\u7ea7 Apache Commons Text 1.10.0 \u6216\u66f4\u9ad8\u7248\u672c\u3002 -ascanbeta.usernameenumeration.alert.attack = \u64cd\u7eb5 [{0}] \u5b57\u6bb5\uff1a[{1}] \u5e76\u76d1\u89c6\u8f93\u51fa -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] \u53c2\u6570 [{1}] \u6cc4\u6f0f\u6709\u5173\u7528\u6237\u662f\u5426\u5b58\u5728\u7684\u4fe1\u606f\u3002 \u5bf9\u4e8e\u6709\u6548\u7684\u539f\u59cb\u7528\u6237\u540d\u503c [{2}] \u548c\u65e0\u6548\u7684\u7528\u6237\u540d\u503c [{3}]\uff0c\u8f93\u51fa\u4e2d\u7684 [{5}] \u5dee\u5f02\u4e3a\uff1a\n[{4}] -ascanbeta.usernameenumeration.desc = \u5f53\u63d0\u4f9b\u6709\u6548\u548c\u65e0\u6548\u7528\u6237\u540d\u65f6\uff0c\u53ef\u4ee5\u6839\u636e\u4e0d\u540c\u7684 HTTP \u54cd\u5e94\u6765\u679a\u4e3e\u7528\u6237\u540d\u3002 \u8fd9\u5c06\u5927\u5927\u589e\u52a0\u5bf9\u7cfb\u7edf\u8fdb\u884c\u5bc6\u7801\u66b4\u529b\u653b\u51fb\u7684\u6210\u529f\u6982\u7387\u3002 \u8bf7\u6ce8\u610f\uff0c\u6709\u65f6\u53ef\u4ee5\u901a\u8fc7\u589e\u52a0 ZAP \u4e2d\u7684\u201c\u653b\u51fb\u5f3a\u5ea6\u201d\u9009\u9879\u6765\u6700\u5927\u7a0b\u5ea6\u5730\u51cf\u5c11\u8bef\u62a5\u3002 \u8bf7\u624b\u52a8\u68c0\u67e5\u201c\u5176\u4ed6\u4fe1\u606f\u201d\u5b57\u6bb5\u4ee5\u786e\u8ba4\u8fd9\u662f\u5426\u786e\u5b9e\u662f\u4e00\u4e2a\u95ee\u9898\u3002 +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. 
+ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. ascanbeta.usernameenumeration.name = \u53ef\u80fd\u7684\u7528\u6237\u540d\u679a\u4e3e ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = \u4e0d\u8981\u6cc4\u9732\u7528\u6237\u540d\u662f\u5426\u6709\u6548\u7684\u8be6\u7ec6\u4fe1\u606f\u3002 \u7279\u522b\u662f\uff0c\u5bf9\u4e8e\u4e0d\u6210\u529f\u7684\u767b\u5f55\u5c1d\u8bd5\uff0c\u4e0d\u8981\u5728\u9519\u8bef\u6d88\u606f\u3001\u9875\u9762\u6807\u9898\u3001\u9875\u9762\u5185\u5bb9\u3001HTTP \u6807\u5934\u6216\u91cd\u5b9a\u5411\u903b\u8f91\u4e2d\u533a\u5206\u65e0\u6548\u7528\u6237\u548c\u65e0\u6548\u5bc6\u7801\u3002 diff --git a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_zh_TW.properties b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_zh_TW.properties index 0b248f7ad7d..03805c23515 100644 --- a/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_zh_TW.properties +++ b/addOns/ascanrulesBeta/src/main/resources/org/zaproxy/zap/extension/ascanrulesBeta/resources/Messages_zh_TW.properties 
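Review bot: In the new `ascanbeta.usernameenumeration.alert.extrainfo`, the trailing period after `\n[{4}]` will follow the multi-line diff output substituted for `{4}` and render as a stray `.` on its own line; the removed translation ended at `[{4}]` with no period, so drop it. The new `.desc` also names the UI options 'Attack Strength' and 'Other Info' in English inside a localized bundle whose `.name` and `.soln` keys stay translated, so the text will not match the labels the user sees; keep the translation or drop the key so the default bundle is used.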
@@ -1,23 +1,23 @@ ascanbeta.HTTPParamPoll.desc = HTTP Parameter Pollution (HPP) attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach. ascanbeta.HTTPParamPoll.extrainfo = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution ascanbeta.HTTPParamPoll.name = HTTP \u53c3\u6578\u6c59\u67d3 -ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters +ascanbeta.HTTPParamPoll.sol = Properly sanitize the user input for parameter delimiters. -ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server +ascanbeta.backupfiledisclosure.desc = A backup of the file was disclosed by the web server. ascanbeta.backupfiledisclosure.name = Backup File Disclosure ascanbeta.backupfiledisclosure.otherinfo = A backup of [{0}] is available at [{1}] ascanbeta.backupfiledisclosure.refs = https\://cwe.mitre.org/data/definitions/530.html\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html ascanbeta.backupfiledisclosure.soln = Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server. 
-ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: -ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: +ascanbeta.cookieslack.affect.response.no = These cookies did NOT affect the response\: +ascanbeta.cookieslack.affect.response.yes = These cookies affected the response\: ascanbeta.cookieslack.desc = Repeated GET requests\: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced. ascanbeta.cookieslack.endline = \n ascanbeta.cookieslack.name = Cookie Slack Detector ascanbeta.cookieslack.otherinfo.intro = Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.\n ascanbeta.cookieslack.separator = , -ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request. \n -ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}] \n +ascanbeta.cookieslack.session.destroyed = Dropping this cookie appears to have invalidated the session\: [{0}] A follow-on request with all original cookies still had a different response than the original request.\n +ascanbeta.cookieslack.session.warning = NOTE\: Because of its name this cookie may be important, but dropping it appears to have no effect\: [{0}]\n ascanbeta.cors.info.desc = Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. 
It relaxes the Same-Origin Policy (SOP). ascanbeta.cors.info.name = CORS \u6a19\u982d 
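Review bot: The `-`/`+` pairs for `ascanbeta.cookieslack.affect.response.no` and `.yes` show no visible difference, so this is presumably a trailing-whitespace change; fine, but state that in the commit message so reviewers do not hunt for a content change. The removal of the space before `\n` in `cookieslack.session.destroyed` and `.session.warning` and the added periods on `HTTPParamPoll.sol` and `backupfiledisclosure.desc` look correct.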
@@ -26,8 +26,8 @@ ascanbeta.cors.soln = If a web resource contains sensitive information, the orig ascanbeta.cors.vuln.desc = This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim's user agent.\nIn order to perform authenticated AJAX queries, the server must specify the header "Access-Control-Allow-Credentials\: true" and the "Access-Control-Allow-Origin" header must be set to null or the malicious page's domain. Even if this misconfiguration doesn't allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites).\nA malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc). ascanbeta.cors.vuln.name = CORS \u8a2d\u5b9a\u932f\u8aa4 -ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. -ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. +ascanbeta.crossdomain.adobe.desc = Flash/Silverlight based cross-site request forgery may be possible, due to a misconfiguration on the web server. +ascanbeta.crossdomain.adobe.read.extrainfo = The web server permits malicious cross-domain data read requests originating from Flash/Silverlight components served from any third party domain, to this domain. 
If the victim user is logged into this service, the malicious read requests are processed using the privileges of the victim, and can result in data from this service being compromised by an unauthorised third party web site, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. ascanbeta.crossdomain.adobe.read.name = Cross-Domain Misconfiguration - Adobe - Read ascanbeta.crossdomain.adobe.read.soln = Configure the crossdomain.xml file to restrict the list of domains that are allowed to make cross-domain read requests to this web server, using . You should only grant access to "*" (all domains) if you are certain that this service does not host any access-controlled, personalized, or private data. ascanbeta.crossdomain.adobe.send.extrainfo = The web server permits malicious cross-domain data send (but not necessarily read) requests originating from Flash/Silverlight components served from any third party domain, to this domain. If the victim user is logged into this service, the malicious send requests are processed using the privileges of the victim, and can result in Cross Site Request Forgery (CSRF) type attacks, via the victim's web browser. This is particularly likely to be an issue if a Cookie based session implementation is in use. 
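Review bot: Both changed keys here (`ascanbeta.crossdomain.adobe.desc`, `.read.extrainfo`) are whitespace-only changes with no visible text difference. While touching this block, the unchanged `ascanbeta.crossdomain.adobe.read.soln` context line reads `... cross-domain read requests to this web server, using . You should only grant ...`: the object of `using` is missing, so either complete the sentence from the source bundle or remove the dangling `using .`.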
@@ -73,20 +73,20 @@ ascanbeta.httponlysite.otherinfo.urinotencoded = Redirection URI couldn't be enc ascanbeta.httponlysite.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html\nhttps\://letsencrypt.org/ ascanbeta.httponlysite.soln = Configure your web or application server to use SSL (https). -ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy +ascanbeta.httpoxy.desc = The server initiated a proxied request via the proxy specified in the HTTP Proxy header of the request.Httpoxy typically affects code running in CGI or CGI like environments.\nThis may allow attackers to\:\n* Proxy the outgoing HTTP requests made by the web application\n* Direct the server to open outgoing connections to an address and port of their choosing or\n* Tie up server resources by forcing the vulnerable software to use a malicious proxy. ascanbeta.httpoxy.name = Httpoxy - Proxy Header Misuse ascanbeta.httpoxy.otherinfo = An outgoing message to {0} was proxied via the host and port that ZAP injected into the HTTP Proxy header. ascanbeta.httpoxy.refs = https\://httpoxy.org/ ascanbeta.httpoxy.skipped = the Network extension is disabled ascanbeta.httpoxy.soln = The best immediate mitigation is to block Proxy request headers as early as possible, and before they hit your application. -ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). 
+ascanbeta.httpsashttp.desc = Content which was initially accessed via HTTPS (i.e.\: using SSL/TLS encryption) is also accessible via HTTP (without encryption). ascanbeta.httpsashttp.name = HTTPS Content Available via HTTP ascanbeta.httpsashttp.otherinfo = ZAP attempted to connect via\: {0} ascanbeta.httpsashttp.refs = https\://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html\nhttps\://owasp.org/www-community/Security_Headers\nhttps\://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security\nhttps\://caniuse.com/stricttransportsecurity\nhttps\://datatracker.ietf.org/doc/html/rfc6797 ascanbeta.httpsashttp.soln = Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security. -ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. +ascanbeta.insecurehttpmethod.connect.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. It was found to be possible to establish a tunneled socket connection to a third party service, using this HTTP method. This would allow the service to be used as an anonymous spam relay, or as a web proxy, bypassing network restrictions. It also allows it to be used to establish a tunneled VPN, effectively extending the network perimeter to include untrusted components. 
ascanbeta.insecurehttpmethod.connect.exploitable.extrainfo = The CONNECT method was used to establish a socket connection to [{0}], via the web server. ascanbeta.insecurehttpmethod.delete.exploitable.desc = This method is most commonly used in REST services, It is used to delete a resource. ascanbeta.insecurehttpmethod.delete.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html 
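Review bot: The new `ascanbeta.httpoxy.desc` adds a final period but keeps `request.Httpoxy` with no space after the sentence-ending period; since the value is being edited anyway, insert the space (`request. Httpoxy`) and consider a comma before `or` in `... of their choosing or\n* Tie up ...`. The `httpsashttp.desc` and `insecurehttpmethod.connect.exploitable.desc` pairs show no visible change (trailing whitespace). In the unchanged context, `insecurehttpmethod.delete.exploitable.desc` has a comma splice with a capitalized continuation (`REST services, It is used`) that could be fixed in the same pass.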
@@ -100,7 +100,7 @@ ascanbeta.insecurehttpmethod.options.exploitable.extrainfo = See the discussion ascanbeta.insecurehttpmethod.patch.exploitable.desc = This method is now most commonly used in REST services, PATCH is used for **modify** capabilities. The PATCH request only needs to contain the changes to the resource, not the complete resource. ascanbeta.insecurehttpmethod.patch.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.potentiallyinsecure = response code {0} for potentially insecure HTTP METHOD -ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource.. +ascanbeta.insecurehttpmethod.put.exploitable.desc = This method was originally intended for file management operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource. ascanbeta.insecurehttpmethod.put.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see https\://www.restapitutorial.com/lessons/httpmethods.html ascanbeta.insecurehttpmethod.soln = Disable insecure methods such as TRACK, TRACE, and CONNECT on the web server, and ensure that the underlying service implementation does not support insecure methods. 
ascanbeta.insecurehttpmethod.trace.exploitable.desc = The insecure HTTP method [{0}] is enabled for this resource, and is exploitable. The TRACK and TRACE methods may be used by an attacker, to gain access to the authorisation token/session cookie of an application user, even if the session cookie is protected using the ''HttpOnly'' flag. For the attack to be successful, the application user must typically be using an older web browser, or a web browser which has a Same Origin Policy (SOP) bypass vulnerability. 
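Review bot: removing the doubled full stop at the end of `ascanbeta.insecurehttpmethod.put.exploitable.desc` is correct, but the same value still contains the comma splice "It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities" (and the hyphen in "most-often" is not needed); the unchanged `patch.exploitable.desc` context line has the same construction ("REST services, PATCH is used for **modify** capabilities"). Suggest "It is now most commonly used in REST services; PUT is most often utilized ..." for both while the file is being touched.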
@@ -109,10 +109,10 @@ ascanbeta.insecurehttpmethod.webdav.exploitable.desc = This HTTP method is a WEB ascanbeta.insecurehttpmethod.webdav.exploitable.extrainfo = See the discussion on stackexchange\: https\://security.stackexchange.com/questions/21413/how-to-exploit-http-methods ascanbeta.integeroverflow.desc = An integer overflow condition exists when an integer used in a compiled program extends beyond the range limits and has not been properly checked from the input stream. -ascanbeta.integeroverflow.error1 = \u6f5b\u5728\u6574\u6578\u6ea2\u51fa\u3002\u72c0\u614b\u78bc\u5728\u8f38\u5165\u4e00\u9577\u4e32\u96a8\u6a5f\u6574\u6578\u6642\u767c\u751f\u8b8a\u5316\u3002 -ascanbeta.integeroverflow.error2 = \u6f5b\u5728\u6574\u6578\u6ea2\u51fa\u3002\u72c0\u614b\u78bc\u5728\u8f38\u5165\u4e00\u9577\u4e32 0 \u6642\u767c\u751f\u8b8a\u5316\u3002 -ascanbeta.integeroverflow.error3 = \u6f5b\u5728\u6574\u6578\u6ea2\u51fa\u3002\u72c0\u614b\u78bc\u5728\u8f38\u5165\u4e00\u9577\u4e32 1 \u6642\u767c\u751f\u8b8a\u5316\u3002 -ascanbeta.integeroverflow.error4 = \u6f5b\u5728\u6574\u6578\u6ea2\u51fa\u3002\u72c0\u614b\u78bc\u5728\u8f38\u5165\u4e00\u9577\u4e32 9 \u6642\u767c\u751f\u8b8a\u5316\u3002 +ascanbeta.integeroverflow.error1 = Potential Integer Overflow. Status code changed on the input of a long string of random integers. +ascanbeta.integeroverflow.error2 = Potential Integer Overflow. Status code changed on the input of a long string of zeros. +ascanbeta.integeroverflow.error3 = Potential Integer Overflow. Status code changed on the input of a long string of ones. +ascanbeta.integeroverflow.error4 = Potential Integer Overflow. Status code changed on the input of a long string of nines. 
ascanbeta.integeroverflow.name = \u6574\u6578\u6ea2\u51fa\u932f\u8aa4 ascanbeta.integeroverflow.refs = https\://en.wikipedia.org/wiki/Integer_overflow\nhttps\://cwe.mitre.org/data/definitions/190.html ascanbeta.integeroverflow.soln = In order to prevent overflows and divide by 0 (zero) errors in the application, please rewrite the backend program, checking if the values of integers being processed are within the application's allowed range. This will require a recompilation of the backend executable. 
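Review bot: the four `ascanbeta.integeroverflow.error1`..`error4` values are replaced with English (the removed values were Traditional Chinese escapes, which do not belong in `Messages_ar_SA.properties`), but the unchanged context line `ascanbeta.integeroverflow.name = \u6574\u6578\u6ea2\u51fa\u932f\u8aa4` in the same hunk is still the Chinese escape sequence. Either replace it with the source-language name as well or remove the key so the lookup falls back to the parent bundle; leaving it mixes two unrelated locales in one file.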
@@ -126,31 +126,31 @@ ascanbeta.oobxss.name = Out of Band XSS ascanbeta.oobxss.skipped = no Active Scan OAST service is selected. ascanbeta.proxydisclosure.attack = TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method. -ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine \n - A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. +ascanbeta.proxydisclosure.desc = {0} proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine\n- A list of targets for an attack against the application.\n - Potential vulnerabilities on the proxy servers that service the application.\n - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ascanbeta.proxydisclosure.extrainfo.proxyserver = - {0} -ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: +ascanbeta.proxydisclosure.extrainfo.proxyserver.header = Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between ZAP and the application/web server\: ascanbeta.proxydisclosure.extrainfo.silentproxyserver = - {0} ascanbeta.proxydisclosure.extrainfo.silentproxyserver.header = The following 'silent' proxy servers were identified. Due to their behaviour, it is not known at which point in the network topology these proxy servers reside\: -ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. 
This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. +ascanbeta.proxydisclosure.extrainfo.traceenabled = The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. ascanbeta.proxydisclosure.extrainfo.unknown = Unknown ascanbeta.proxydisclosure.extrainfo.webserver = - {0} -ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: +ascanbeta.proxydisclosure.extrainfo.webserver.header = The following web/application server has been identified\: ascanbeta.proxydisclosure.name = Proxy Disclosure ascanbeta.proxydisclosure.refs = https\://tools.ietf.org/html/rfc7231\#section-5.1.2 ascanbeta.proxydisclosure.soln = Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.\nDisable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).\nConfigure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.\nConfigure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.\n ascanbeta.relativepathconfusion.desc = The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct "relative path" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. 
In an attack, if the web browser parses the "cross-content" response in a permissive manner, or can be tricked into permissively parsing the "cross-content" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability. -ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. +ascanbeta.relativepathconfusion.extrainfo.contenttypeenabled = A Content Type of "{0}" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing. ascanbeta.relativepathconfusion.extrainfo.framingallowed = No X-Frame-Options header was specified, so the page can be framed, and this can be used to enable Quirks Mode, allowing the specified Content Type to be bypassed. ascanbeta.relativepathconfusion.extrainfo.morethanonebasetag = More than one tag was specified in the HTML tag to define the location for relative URLs, which is not valid. ascanbeta.relativepathconfusion.extrainfo.nobasetag = No tag was specified in the HTML tag to define the location for relative URLs. -ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. +ascanbeta.relativepathconfusion.extrainfo.nocontenttype = No Content Type was specified, so Quirks Mode is not required to exploit the vulnerability in the web browser. 
ascanbeta.relativepathconfusion.extrainfo.quirksmodeenabledexplicitly = Quirks Mode is explicitly enabled via " HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. +ascanbeta.relativepathconfusion.soln = Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.\nWithin the application, the correct use of the "" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.\nUse the "Content-Type" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.\nUse the "X-Content-Type-Options\: nosniff" HTTP response header to prevent the web browser from "sniffing" the content type of the response.\nUse a modern DOCTYPE such as "<\!doctype html>" to prevent the page from being rendered in the web browser using "Quirks Mode", since this results in the content type being ignored by the web browser.\nSpecify the "X-Frame-Options" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. 
ascanbeta.sessionfixation.alert.attack = {0} field\: [{1}] ascanbeta.sessionfixation.alert.cookie.extrainfo = Cookie set in response when cookie field [{0}] is set to NULL\: [{1}]\nCookie set in response with borrowed (valid) cookie value in request [{1}] \: [{2}] 
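Review bot: the new `ascanbeta.proxydisclosure.desc` value is internally inconsistent: the first list item becomes "determine\n- A list of targets ..." (no space before the dash) while the next two items keep "\n - Potential vulnerabilities ..." and "\n - The presence or absence ...". Pick one form for all three. In the new `ascanbeta.relativepathconfusion.soln` value the tag name between the quotes is empty as rendered in the diff (`the correct use of the "" HTML tag`), and the context lines `morethanonebasetag` and `nobasetag` likewise read "More than one tag was specified in the HTML tag"; confirm the tag name actually survives in the property value rather than being dropped.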
@@ -160,27 +160,25 @@ ascanbeta.sessionfixation.alert.url.extrainfo.loginpage = The url on which the i ascanbeta.sessionfixation.desc = Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user's actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim's browser, to allow the vulnerability to be exploited. ascanbeta.sessionfixation.name = Session Fixation ascanbeta.sessionfixation.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication\nhttps\://owasp.org/www-community/attacks/Session_fixation\nhttps\://acrossecurity.com/papers/session_fixation.pdf\nhttps\://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html -ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter 
typically require additional vulnerabilities, in order to be exploitable by an attacker\n +ascanbeta.sessionfixation.soln = 1) Prevent the attacker from gaining a session id by enforcing strict session ids, and by only allocating session ids upon successful authentication to the application.\n2) The server should always create a new session id upon authentication, regardless of whether a session is already in place.\n3) Bind the session id to some identifiable client attribute combination, such as IP address, SSL client certificate.\n4) Sessions, when destroyed, must be destroyed on the server, as well as on the client.\n5) Implement a logout mechanism which will destroy all previous sessions for the client.\n6) Implement absolute session timeouts.\n7)Switch from a URL based to a cookie or form based session id implementation, as the latter typically require additional vulnerabilities, in order to be exploitable by an attacker. ascanbeta.sessionidaccessiblebyjavascript.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser -ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed using JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.alert.extrainfo.loginpage = The URL on which the issue was discovered was flagged as a logon page. 
+ascanbeta.sessionidaccessiblebyjavascript.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked. #Session Id Cookie accessible by JavaScript ascanbeta.sessionidaccessiblebyjavascript.name = Session ID Cookie Accessible to JavaScript #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidaccessiblebyjavascript.refs= -ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. +ascanbeta.sessionidaccessiblebyjavascript.soln = 1) Use the 'httponly' flag when setting a cookie containing a session id, to prevent it from being accessed by JavaScript in the web browser. ascanbeta.sessionidexpiry.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexpiry.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be accessed until [{3}] (since cookie was received at {4}), unless the session is destroyed. ascanbeta.sessionidexpiry.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidexpiry.browserclose = browser close -ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. +ascanbeta.sessionidexpiry.desc = A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. 
This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means. #Session Id Cookie Expiry ascanbeta.sessionidexpiry.name = Session ID Expiry Time/Max-Age is Excessive #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. -ascanbeta.sessionidexpiry.refs= ascanbeta.sessionidexpiry.soln = 1) Use the 'Expire' or 'Max-Age' cookie directives when setting a cookie containing a session id, to prevent it from being available for prolonged periods of time.\n2) Ensure that logout functionality exists, and that it correctly destroys the session.\n3) Use other preventative measures to ensure that if a session id is compromised, it may not be exploited. ascanbeta.sessionidexpiry.timeexpired = Expired ascanbeta.sessionidexpiry.timelessthanonehour = Less than one hour 
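Review bot: the rewritten `ascanbeta.sessionfixation.soln` still has "7)Switch from a URL based ..." with no space after "7)", unlike items 1) to 6); fix it while joining the line. Deleting the empty `ascanbeta.sessionidaccessiblebyjavascript.refs=` and `ascanbeta.sessionidexpiry.refs=` keys is fine, but the comment immediately above each of them ("#these refs cannot be referenced, but we leave it here in the hope that it can be in the future..") now describes a key that no longer exists and should go with it. Also, `sessionidaccessiblebyjavascript.alert.extrainfo.loginpage` is changed from "The url" to "The URL" while the neighbouring `sessionidexpiry.alert.extrainfo.loginpage` context line keeps "The url"; apply the same capitalisation to every `.loginpage` key in the file.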
@@ -191,7 +189,7 @@ ascanbeta.sessionidexpiry.timemorethanoneweek = More than one week ascanbeta.sessionidexposedinurl.alert.attack = {0} field\: [{1}] ascanbeta.sessionidexposedinurl.alert.extrainfo = {0} field [{1}] contains an exposed session identifier [{2}] ascanbeta.sessionidexposedinurl.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. -ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. +ascanbeta.sessionidexposedinurl.desc = A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files. #Exposed Session Id messages ascanbeta.sessionidexposedinurl.name = Exposed Session ID #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. 
@@ -199,32 +197,32 @@ ascanbeta.sessionidexposedinurl.refs = https\://owasp.org/www-project-top-ten/OW ascanbeta.sessionidexposedinurl.soln = Use a more secure session management implementation, such as one that uses session cookies, which are not as easily shared inadvertently, and which do not typically appear in server log files or web browser bookmarks. ascanbeta.sessionidsentinsecurely.alert.attack = {0} field\: [{1}] -ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. +ascanbeta.sessionidsentinsecurely.alert.extrainfo = session identifier {0} field [{1}], value [{2}] may be sent via an insecure mechanism. ascanbeta.sessionidsentinsecurely.alert.extrainfo.loginpage = The url on which the issue was discovered was flagged as a logon page. ascanbeta.sessionidsentinsecurely.alert.extrainfo.secureflagnotset = The 'secure' flag was not set on the session cookie supplied by the server. -ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim's session. +ascanbeta.sessionidsentinsecurely.desc = A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the 'secure' flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. 
This may allow a passive eavesdropper on the network path to gain full access to the victim's session. #Session Id Cookie not sent securely ascanbeta.sessionidsentinsecurely.name = Session ID Transmitted Insecurely #these refs cannot be referenced, but we leave it here in the hope that it can be in the future.. ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A2-Broken_Authentication -ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. +ascanbeta.sessionidsentinsecurely.soln = 1) Use the latest available version of SSL/TLS (for HTTPS) for all pages where a session id is communicated between the browser and the web server.\n2) Do not allow the communication to be forced down to the unencrypted HTTP protocol.\n3) Use the 'secure' flag when setting a cookie containing a session id, to prevent its subsequent transmission by an insecure mechanism.\n4) Forward non-secure HTTP page requests to the secure HTTPS equivalent page. -ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code +ascanbeta.shellshock.desc = The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. 
ascanbeta.shellshock.extrainfo = From CVE-2014-6271\: GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE\: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix. ascanbeta.shellshock.name = Remote Code Execution - Shell Shock ascanbeta.shellshock.ref = https\://nvd.nist.gov/vuln/detail/CVE-2014-6271\nhttps\://www.troyhunt.com/everything-you-need-to-know-about2/ -ascanbeta.shellshock.soln = Update Bash on the server to the latest version +ascanbeta.shellshock.soln = Update Bash on the server to the latest version. ascanbeta.shellshock.timingbased.evidence = Using the attack, a delay of [{0}] milliseconds was induced and detected ascanbeta.sourcecodedisclosure.desc = The source code for the current page was disclosed by the web server. ascanbeta.sourcecodedisclosure.gitbased.evidence = The source code for [{0}] was extracted using [{1}] -ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git -ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.gitbased.name = Source Code Disclosure - Git +ascanbeta.sourcecodedisclosure.gitbased.soln = Ensure that Git metadata files are not deployed to the web server or application server. 
ascanbeta.sourcecodedisclosure.lfibased.extrainfo = The output for the source code filename [{0}] differs sufficiently from that of the random parameter [{1}], at [{2}%], compared to a threshold of [{3}%] ascanbeta.sourcecodedisclosure.lfibased.name = Source Code Disclosure - File Inclusion ascanbeta.sourcecodedisclosure.svnbased.extrainfo = The source code for [{0}] was found at [{1}] ascanbeta.sourcecodedisclosure.svnbased.name = Source Code Disclosure - SVN -ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server +ascanbeta.sourcecodedisclosure.svnbased.soln = Ensure that SVN metadata files are not deployed to the web server or application server. ascanbeta.sourcecodedisclosurecve-2012-1823.desc = Some PHP versions, when configured to run using CGI, do not correctly handle query strings that lack an unescaped "\=" character, enabling PHP source code disclosure, and arbitrary code execution. In this case, the contents of the PHP file were served directly to the web browser. This output will typically contain PHP, although it may also contain straight HTML. ascanbeta.sourcecodedisclosurecve-2012-1823.name = Source Code Disclosure - CVE-2012-1823 
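Review bot: the context comment "#these refs cannot be referenced, but we leave it here in the hope that it can be in the future.." above `ascanbeta.sessionidsentinsecurely.refs = https\://owasp.org/...` is stale, since that key now carries a real reference; the same applies to the comment above `ascanbeta.sessionidexposedinurl.refs` in the previous hunk. Drop these comments in the same cleanup. The added full stops on `shellshock.desc`, `shellshock.soln`, `gitbased.soln` and `svnbased.soln` are consistent with the rest of the file.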
@@ -243,9 +241,9 @@ ascanbeta.text4shell.refs = https\://nvd.nist.gov/vuln/detail/CVE-2022-42889\nht ascanbeta.text4shell.skipped = no Active Scan OAST service is selected. ascanbeta.text4shell.soln = Upgrade Apache Commons Text prior to version 1.10.0 or newer. -ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output -ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}] -ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. +ascanbeta.usernameenumeration.alert.attack = Manipulate [{0}] field\: [{1}] and monitor the output +ascanbeta.usernameenumeration.alert.extrainfo = [{0}] parameter [{1}] leaks information on whether a user exists. The [{5}] differences in output, for the valid original username value [{2}], and invalid username value [{3}] are\:\n[{4}]. +ascanbeta.usernameenumeration.desc = It may be possible to enumerate usernames, based on differing HTTP responses when valid and invalid usernames are provided. This would greatly increase the probability of success of password brute-forcing attacks against the system. Note that false positives may sometimes be minimised by increasing the 'Attack Strength' Option in ZAP. Please manually check the 'Other Info' field to confirm if this is actually an issue. 
ascanbeta.usernameenumeration.name = Possible Username Enumeration ascanbeta.usernameenumeration.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account.html\nhttps\://dl.ifip.org/db/conf/sec/sec2011/FreilingS11.pdf\nhttps\://cwe.mitre.org/data/definitions/204.html ascanbeta.usernameenumeration.soln = Do not divulge details of whether a username is valid or invalid. In particular, for unsuccessful login attempts, do not differentiate between an invalid user and an invalid password in the error message, page title, page contents, HTTP headers, or redirection logic. diff --git a/addOns/exim/src/main/javahelp/help_ar_SA/contents/exim.html b/addOns/exim/src/main/javahelp/help_ar_SA/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_ar_SA/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_ar_SA/contents/exim.html @@ -24,6 +24,13 @@

Save XML Message

Import HAR (HTTP Archive File)

An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
    +
  • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
  • +
  • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
  • +
  • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
  • +
      +

      Import Log File

      Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_az_AZ/contents/exim.html b/addOns/exim/src/main/javahelp/help_az_AZ/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_az_AZ/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_az_AZ/contents/exim.html @@ -24,6 +24,13 @@
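Review bot: in the added HAR note (this hunk and the identical ones for `help_az_AZ`, `help_bs_BA` and `help_da_DK` below), the third bullet says headers containing "CR or LF" are handled but then states "the CRLF(s) will be removed"; a header with a lone CR or LF is not a CRLF, so say "the CR and/or LF characters will be removed" to match what the first half of the sentence describes. The second bullet lists the aliases as "h3", "http/3", "http/3.0" with no conjunction; write "set to "h3", "http/3" or "http/3.0"". The unchanged context line "import messages from a HTTP Archive (HAR)" should read "an HTTP Archive".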

      Save XML Message

      Import HAR (HTTP Archive File)

      An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
        +
      • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
      • +
      • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
      • +
      • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
      • +
          +

          Import Log File

          Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_bs_BA/contents/exim.html b/addOns/exim/src/main/javahelp/help_bs_BA/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_bs_BA/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_bs_BA/contents/exim.html @@ -24,6 +24,13 @@

          Save XML Message

          Import HAR (HTTP Archive File)

          An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
            +
          • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
          • +
          • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
          • +
          • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
          • +
              +

              Import Log File

              Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_da_DK/contents/exim.html b/addOns/exim/src/main/javahelp/help_da_DK/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_da_DK/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_da_DK/contents/exim.html @@ -24,6 +24,13 @@

              Save XML Message

              Import HAR (HTTP Archive File)

              An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                +
              • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
              • +
              • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
              • +
              • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
              • +
                  +

                  Import Log File

                  Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_de_DE/contents/exim.html b/addOns/exim/src/main/javahelp/help_de_DE/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_de_DE/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_de_DE/contents/exim.html @@ -24,6 +24,13 @@

                  Save XML Message

                  Import HAR (HTTP Archive File)

                  An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                    +
                  • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                  • +
                  • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                  • +
                  • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                  • +
                      +

                      Import Log File

                      Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_el_GR/contents/exim.html b/addOns/exim/src/main/javahelp/help_el_GR/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_el_GR/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_el_GR/contents/exim.html @@ -24,6 +24,13 @@

                      Save XML Message

                      Import HAR (HTTP Archive File)

                      An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                        +
                      • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                      • +
                      • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                      • +
                      • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                      • +
                          +

                          Import Log File

                          Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_es_ES/contents/exim.html b/addOns/exim/src/main/javahelp/help_es_ES/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_es_ES/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_es_ES/contents/exim.html @@ -24,6 +24,13 @@

                          Save XML Message

                          Import HAR (HTTP Archive File)

                          An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                            +
                          • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                          • +
                          • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                          • +
                          • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                          • +
                              +

                              Import Log File

                              Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_fa_IR/contents/exim.html b/addOns/exim/src/main/javahelp/help_fa_IR/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_fa_IR/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_fa_IR/contents/exim.html @@ -24,6 +24,13 @@

                              Save XML Message

                              Import HAR (HTTP Archive File)

                              An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                +
                              • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                              • +
                              • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                              • +
                              • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                              • +
                                  +

                                  Import Log File

                                  Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_fil_PH/contents/exim.html b/addOns/exim/src/main/javahelp/help_fil_PH/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_fil_PH/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_fil_PH/contents/exim.html @@ -24,6 +24,13 @@

                                  Save XML Message

                                  Import HAR (HTTP Archive File)

                                  An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                    +
                                  • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                  • +
                                  • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                  • +
                                  • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                  • +
                                      +

                                      Import Log File

                                      Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_fr_FR/contents/exim.html b/addOns/exim/src/main/javahelp/help_fr_FR/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_fr_FR/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_fr_FR/contents/exim.html @@ -24,6 +24,13 @@

                                      Save XML Message

                                      Import HAR (HTTP Archive File)

                                      An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                        +
                                      • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                      • +
                                      • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                      • +
                                      • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                      • +
                                          +

                                          Import Log File

                                          Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_hi_IN/contents/exim.html b/addOns/exim/src/main/javahelp/help_hi_IN/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_hi_IN/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_hi_IN/contents/exim.html @@ -24,6 +24,13 @@

                                          Save XML Message

                                          Import HAR (HTTP Archive File)

                                          An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                            +
                                          • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                          • +
                                          • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                          • +
                                          • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                          • +
                                              +

                                              Import Log File

                                              Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_hu_HU/contents/exim.html b/addOns/exim/src/main/javahelp/help_hu_HU/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_hu_HU/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_hu_HU/contents/exim.html @@ -24,6 +24,13 @@

                                              Save XML Message

                                              Import HAR (HTTP Archive File)

                                              An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                +
                                              • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                              • +
                                              • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                              • +
                                              • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                              • +
                                                  +

                                                  Import Log File

                                                  Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_id_ID/contents/exim.html b/addOns/exim/src/main/javahelp/help_id_ID/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_id_ID/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_id_ID/contents/exim.html @@ -24,6 +24,13 @@

                                                  Save XML Message

                                                  Import HAR (HTTP Archive File)

                                                  An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                    +
                                                  • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                  • +
                                                  • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                  • +
                                                  • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                  • +
                                                      +

                                                      Import Log File

                                                      Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_it_IT/contents/exim.html b/addOns/exim/src/main/javahelp/help_it_IT/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_it_IT/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_it_IT/contents/exim.html @@ -24,6 +24,13 @@

                                                      Save XML Message

                                                      Import HAR (HTTP Archive File)

                                                      An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                        +
                                                      • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                      • +
                                                      • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                      • +
                                                      • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                      • +
                                                          +

                                                          Import Log File

                                                          Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_ja_JP/contents/exim.html b/addOns/exim/src/main/javahelp/help_ja_JP/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_ja_JP/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_ja_JP/contents/exim.html @@ -24,6 +24,13 @@

                                                          Save XML Message

                                                          Import HAR (HTTP Archive File)

                                                          An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                            +
                                                          • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                          • +
                                                          • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                          • +
                                                          • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                          • +
                                                              +

                                                              Import Log File

                                                              Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_ms_MY/contents/exim.html b/addOns/exim/src/main/javahelp/help_ms_MY/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_ms_MY/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_ms_MY/contents/exim.html @@ -24,6 +24,13 @@

                                                              Save XML Message

                                                              Import HAR (HTTP Archive File)

                                                              An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                +
                                                              • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                              • +
                                                              • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                              • +
                                                              • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                              • +
                                                                  +

                                                                  Import Log File

                                                                  Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_pl_PL/contents/exim.html b/addOns/exim/src/main/javahelp/help_pl_PL/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_pl_PL/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_pl_PL/contents/exim.html @@ -24,6 +24,13 @@

                                                                  Save XML Message

                                                                  Import HAR (HTTP Archive File)

                                                                  An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                    +
                                                                  • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                                  • +
                                                                  • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                                  • +
                                                                  • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                                  • +
                                                                      +

                                                                      Import Log File

                                                                      Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_pt_BR/contents/exim.html b/addOns/exim/src/main/javahelp/help_pt_BR/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_pt_BR/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_pt_BR/contents/exim.html @@ -24,6 +24,13 @@

                                                                      Save XML Message

                                                                      Import HAR (HTTP Archive File)

                                                                      An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                        +
                                                                      • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                                      • +
                                                                      • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                                      • +
                                                                      • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                                      • +
                                                                          +

                                                                          Import Log File

                                                                          Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_ro_RO/contents/exim.html b/addOns/exim/src/main/javahelp/help_ro_RO/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_ro_RO/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_ro_RO/contents/exim.html @@ -24,6 +24,13 @@

                                                                          Save XML Message

                                                                          Import HAR (HTTP Archive File)

                                                                          An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                            +
                                                                          • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                                          • +
                                                                          • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                                          • +
                                                                          • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                                          • +
                                                                              +

                                                                              Import Log File

                                                                              Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_ru_RU/contents/exim.html b/addOns/exim/src/main/javahelp/help_ru_RU/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_ru_RU/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_ru_RU/contents/exim.html @@ -24,6 +24,13 @@

                                                                              Save XML Message

                                                                              Import HAR (HTTP Archive File)

                                                                              An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                                +
                                                                              • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                                              • +
                                                                              • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                                              • +
                                                                              • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                                              • +
                                                                                  +

                                                                                  Import Log File

                                                                                  Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_sr_CS/contents/exim.html b/addOns/exim/src/main/javahelp/help_sr_CS/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_sr_CS/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_sr_CS/contents/exim.html @@ -24,6 +24,13 @@

                                                                                  Save XML Message

                                                                                  Import HAR (HTTP Archive File)

                                                                                  An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                                    +
                                                                                  • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                                                  • +
                                                                                  • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                                                  • +
                                                                                  • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                                                  • +
                                                                                      +

                                                                                      Import Log File

                                                                                      Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_tr_TR/contents/exim.html b/addOns/exim/src/main/javahelp/help_tr_TR/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_tr_TR/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_tr_TR/contents/exim.html @@ -24,6 +24,13 @@

                                                                                      Save XML Message

                                                                                      Import HAR (HTTP Archive File)

                                                                                      An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                                        +
                                                                                      • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                                                      • +
                                                                                      • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                                                      • +
                                                                                      • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                                                      • +
                                                                                          +

                                                                                          Import Log File

                                                                                          Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_ur_PK/contents/exim.html b/addOns/exim/src/main/javahelp/help_ur_PK/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_ur_PK/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_ur_PK/contents/exim.html @@ -24,6 +24,13 @@
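Review bot: The "HTTP Version 3" bullet in this help_tr_TR hunk lists the literal values "h3", "http/3" and "http/3.0" but does not say whether they are matched case-insensitively (the HAR format does not fix the case of httpVersion), nor why the message is rewritten to "HTTP/2" instead of being rejected or kept as recorded. Add one clause for each, e.g. "(compared case-insensitively)" after the list and a short reason for the downgrade, so users understand that the version ZAP shows for those messages is not the one that was captured.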

                                                                                          Save XML Message

                                                                                          Import HAR (HTTP Archive File)

                                                                                          An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                                            +
                                                                                          • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                                                          • +
                                                                                          • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                                                          • +
                                                                                          • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                                                          • +
                                                                                              +

                                                                                              Import Log File

                                                                                              Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/javahelp/help_zh_CN/contents/exim.html b/addOns/exim/src/main/javahelp/help_zh_CN/contents/exim.html index 9d3ea0ed613..6d8c2fdc415 100644 --- a/addOns/exim/src/main/javahelp/help_zh_CN/contents/exim.html +++ b/addOns/exim/src/main/javahelp/help_zh_CN/contents/exim.html @@ -24,6 +24,13 @@
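Review bot: This hunk, like the tr_TR one above and the zh_CN one below, inserts the English note into a localized help page (help_ur_PK/contents/exim.html). That is fine if these directories are refreshed from the English source by the translation tooling, but confirm that the English exim.html carries the same note in this change set; otherwise the translated pages document behaviour the source page does not, and the text will be replaced on the next sync. A drive-by while the paragraph is being touched: the untouched context line still reads "a HTTP Archive"; "an HTTP Archive" is the usual article.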

                                                                                              Save XML Message

                                                                                              Import HAR (HTTP Archive File)

                                                                                              An option to import messages from a HTTP Archive (HAR), available via the 'Import' menu. +Note: The following modifications may be made when importing a HAR (HTTP Archive File): +
                                                                                                +
                                                                                              • Missing HTTP Version - If the message is missing the httpVersion attribute it will be set to "HTTP/1.1".
                                                                                              • +
                                                                                              • HTTP Version 3 - If the message has its httpVersion attribute set as "h3", "http/3", "http/3.0" it will be set to "HTTP/2".
                                                                                              • +
                                                                                              • Carriage return (CR) or Line feed (LF) in Headers - If the message contains headers with CR or LF, the CRLF(s) will be removed.
                                                                                              • +
                                                                                                  +

                                                                                                  Import Log File

                                                                                                  Allows you to import log files from ModSecurity and files previously exported from ZAP. diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ar_SA.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ar_SA.properties index fd10b09d7ad..979e2914cf8 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ar_SA.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ar_SA.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = الكل diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_az_AZ.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_az_AZ.properties index 1e73f6a8a39..e630d6240b3 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_az_AZ.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_az_AZ.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Bütün diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_bn_BD.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_bn_BD.properties index f59ff126755..536273c74bd 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_bn_BD.properties 
+++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_bn_BD.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_bs_BA.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_bs_BA.properties index 2447077d458..907ec226374 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_bs_BA.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_bs_BA.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Svi diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ceb_PH.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ceb_PH.properties index 0e5a8061650..dccc060e78e 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ceb_PH.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ceb_PH.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Tanan 
diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_da_DK.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_da_DK.properties index 2f4e06e0e06..c83a04ea31a 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_da_DK.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_da_DK.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Alle diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_de_DE.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_de_DE.properties index a7406d6d5b3..ff62a04629e 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_de_DE.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_de_DE.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Alles diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_el_GR.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_el_GR.properties index ffcea894359..37f93eead86 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_el_GR.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_el_GR.properties 
@@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Όλα diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_es_ES.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_es_ES.properties index 37900237627..3a852bf79d7 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_es_ES.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_es_ES.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = Fichero que contienen URLs exim.options.value.type.zapmessages = Mensajes ZAP exim.output.end = Importación finalizada {0} -exim.output.error = Error al importar {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importando {0} exim.popup.option.all = Todos diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fa_IR.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fa_IR.properties index 20a8b8a3dc5..4e78ec24e36 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fa_IR.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fa_IR.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = همه 
diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fil_PH.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fil_PH.properties index eaa5da4f673..bc6e4131085 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fil_PH.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fil_PH.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Lahat diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fr_FR.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fr_FR.properties index 121951e0464..784ada9596f 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fr_FR.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_fr_FR.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Tous diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ha_HG.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ha_HG.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ha_HG.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ha_HG.properties 
@@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_he_IL.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_he_IL.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_he_IL.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_he_IL.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hi_IN.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hi_IN.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hi_IN.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hi_IN.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All 
diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hr_HR.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hr_HR.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hr_HR.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hr_HR.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hu_HU.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hu_HU.properties index 48b2d596d4a..fa24ba25e2a 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hu_HU.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_hu_HU.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Minden diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_id_ID.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_id_ID.properties index f1892e9d2c1..ae5ecf44340 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_id_ID.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_id_ID.properties 
@@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Semua diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_it_IT.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_it_IT.properties index f8a45f85085..d11278829c9 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_it_IT.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_it_IT.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Contenente URL exim.options.value.type.zapmessages = Messaggi ZAP exim.output.end = Importazione di {0} completata -exim.output.error = Errore importando {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importando {0} exim.popup.option.all = Tutti diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ja_JP.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ja_JP.properties index 82458ae4fd4..7a9a22741d2 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ja_JP.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ja_JP.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = 全て 
diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ko_KR.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ko_KR.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ko_KR.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ko_KR.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_mk_MK.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_mk_MK.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_mk_MK.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_mk_MK.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ms_MY.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ms_MY.properties index cff974987e9..1e0dacbecf3 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ms_MY.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ms_MY.properties 
@@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_nb_NO.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_nb_NO.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_nb_NO.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_nb_NO.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_nl_NL.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_nl_NL.properties index 5592f5465a0..7bfcd177b19 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_nl_NL.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_nl_NL.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Alle 
diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pcm_NG.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pcm_NG.properties index e200313839e..1553e4f6f07 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pcm_NG.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pcm_NG.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pl_PL.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pl_PL.properties index 1cee88ee92a..2b2b1cf6ef8 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pl_PL.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pl_PL.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Wszystkie diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pt_BR.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pt_BR.properties index 7867c4d3c41..3e82adf444f 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pt_BR.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pt_BR.properties 
@@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Tudo diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pt_PT.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pt_PT.properties index 2d077bb79a7..5d1749ff68d 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pt_PT.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_pt_PT.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ro_RO.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ro_RO.properties index a1f64164b21..bc58d6b8990 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ro_RO.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ro_RO.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All 
diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ru_RU.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ru_RU.properties index c683c7ad780..7b9c5721769 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ru_RU.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ru_RU.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = Файл, содержащий URL-адреса exim.options.value.type.zapmessages = ZAP-сообщения exim.output.end = Импорт {0} завершен -exim.output.error = Ошибка импорта {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Импорт {0} exim.popup.option.all = Все diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_si_LK.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_si_LK.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_si_LK.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_si_LK.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sk_SK.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sk_SK.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sk_SK.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sk_SK.properties 
@@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sl_SI.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sl_SI.properties index c8577d9897d..21ff61a5bd0 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sl_SI.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sl_SI.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sq_AL.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sq_AL.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sq_AL.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sq_AL.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All 
diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sr_CS.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sr_CS.properties index bd4594d838f..79958ec4e7c 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sr_CS.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sr_CS.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sr_SP.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sr_SP.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sr_SP.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_sr_SP.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_tr_TR.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_tr_TR.properties index d1da341fd94..674b74c91f7 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_tr_TR.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_tr_TR.properties 
@@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = Tümü diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_uk_UA.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_uk_UA.properties index fc26dff54a2..e3860773cfd 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_uk_UA.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_uk_UA.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = Файл, що містить URL-адреси exim.options.value.type.zapmessages = Повідомлення ZAP exim.output.end = Імпортувати {0} завершено -exim.output.error = Не вдалося імпортувати {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Імпортування {0} exim.popup.option.all = Усе diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ur_PK.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ur_PK.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ur_PK.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_ur_PK.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All 
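Review bot: the ru_RU and uk_UA hunks replace translated values (`Ошибка импорта {0}`, `Не вдалося імпортувати {0}`) with the English `Error importing HAR file.\n{0}`, so those locales lose their translation; unless these files are regenerated from the translation source, keep the translated wording and change only the placeholder usage. The new text also hardcodes "HAR file" while the neighbouring `exim.output.start = Importing {0}` and `exim.output.end = Done importing {0}` stay generic, and the surrounding context shows other import types (`exim.options.value.type.url = File Containing URLs`, `exim.options.value.type.zapmessages = ZAP Messages`); if `exim.output.error` is shared by those import paths the message will be wrong for them, so either introduce a HAR-specific key or keep the wording generic. Finally, `{0}` changes meaning from the imported item to what reads as an error detail on its own line; confirm every call site now passes that argument, otherwise the old item name will be rendered as if it were the error.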
diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_vi_VN.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_vi_VN.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_vi_VN.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_vi_VN.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_yo_NG.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_yo_NG.properties index 6a013810971..bab61845adf 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_yo_NG.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_yo_NG.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_zh_CN.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_zh_CN.properties index eccb132370e..a5fb693af6b 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_zh_CN.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_zh_CN.properties 
@@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = 所有 diff --git a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_zh_TW.properties b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_zh_TW.properties index 4c769e4e1f7..7eafe327068 100644 --- a/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_zh_TW.properties +++ b/addOns/exim/src/main/resources/org/zaproxy/addon/exim/resources/Messages_zh_TW.properties @@ -72,7 +72,7 @@ exim.options.value.type.url = File Containing URLs exim.options.value.type.zapmessages = ZAP Messages exim.output.end = Done importing {0} -exim.output.error = Error importing {0} +exim.output.error = Error importing HAR file.\n{0} exim.output.start = Importing {0} exim.popup.option.all = All diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ar_SA/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ar_SA/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ar_SA/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ar_SA/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

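Review bot: the domain list in this help block duplicates the list that the rule itself must carry in PolyfillCdnScriptScanRule.java, and the two will drift as domains are added or removed; either state that the list reflects the rule at the time of writing and point readers to the linked source for the current set, or generate the help list from the same constant. The heading and first sentence call all of these "'polyfill' domains", but entries such as bootcdn.net, staticfile.org and union.macoms.la are not polyfill hosts by name; wording along the lines of "domains associated with the polyfill.io compromise" describes the list more accurately.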
                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_az_AZ/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_az_AZ/contents/pscanrules.html index ef990c93270..4d36422fbdb 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_az_AZ/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_az_AZ/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

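Review bot: the confidence sentence ("High confidence if a script is loaded from one of the malicious domains, and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents") does not say how a domain is matched; state whether subdomains (for example cdn.polyfill.io) and protocol-relative `//polyfill.io/...` references are treated as a load from the listed domain, and what "apparent reference" covers, since that decides whether a `<script src>` pointing at a subdomain is reported as High or Low confidence and lets users predict the false-positive rate of the Low-confidence path.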
                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_bs_BA/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_bs_BA/contents/pscanrules.html index d769e8642f1..ef2d5ba518b 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_bs_BA/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_bs_BA/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

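Review bot: the block explains what is detected but gives no remediation, unlike what a reader of this help page needs when the alert fires; add a sentence (or confirm the alert's solution text covers it) saying that references to the listed domains should be removed or replaced with a self-hosted copy or a trusted CDN, and that any script already loaded from them should be treated as untrusted and reviewed rather than merely repointed.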
                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_da_DK/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_da_DK/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_da_DK/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_da_DK/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_de_DE/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_de_DE/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_de_DE/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_de_DE/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_el_GR/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_el_GR/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_el_GR/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_el_GR/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
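Review bot: the added help text never states the matching rule behind the two confidence levels. "A script is loaded from one of the malicious domains" does not say whether a script `src` whose host is a subdomain of a listed domain (for example a host under polyfill.io) counts for the High confidence alert, and "an apparent reference to one of the malicious domains in the script contents" does not say whether that is a plain substring search of the script body, which would also fire on a comment or string that merely mentions one of these domains. Suggest adding one sentence after the list, such as "A script whose URL host is, or is a subdomain of, one of these domains raises the High confidence alert; a text match of one of these domains anywhere in the script body raises the Low confidence alert," so readers can judge false positives and know what to look at when triaging alert 10115.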

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_es_ES/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_es_ES/contents/pscanrules.html index 3343ea939bb..176252ea846 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_es_ES/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_es_ES/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
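Review bot: this hunk places the untranslated English paragraph and domain list into help_es_ES, and the following hunks do the same for every other locale directory. If the localized help pages are produced by a translation workflow, edits made directly in these copies will be lost on the next import and the locale files should be regenerated from that source instead; if copying the English text into each locale as a placeholder until translations land is the intended practice, saying so in the PR description would avoid the question for each of the nine copies.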

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fa_IR/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fa_IR/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fa_IR/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fa_IR/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fil_PH/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fil_PH/contents/pscanrules.html index 59fe8f8e1c1..9818a60b1b1 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fil_PH/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fil_PH/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fr_FR/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fr_FR/contents/pscanrules.html index 4353aeede75..32d88193f04 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fr_FR/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_fr_FR/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_hi_IN/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_hi_IN/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_hi_IN/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_hi_IN/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_hu_HU/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_hu_HU/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_hu_HU/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_hu_HU/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_id_ID/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_id_ID/contents/pscanrules.html index 63d5bb79453..21a696a3232 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_id_ID/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_id_ID/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
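Review bot: the Low-confidence branch ("an apparent reference to one of the malicious domains in the script contents") should say what counts as a reference and that it can fire on non-executable mentions, so readers know how to triage it. A domain string can occur in a comment, in a CSP or blocklist literal, or in a script that itself warns about polyfill.io, none of which fetches code from that host; one sentence such as "Low-confidence alerts mean only that the domain name occurs in the script text and should be confirmed by checking whether the page actually loads a script from it" would make the two confidence levels actionable.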

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_it_IT/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_it_IT/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_it_IT/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_it_IT/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
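Review bot: the section added to help_it_IT/contents/pscanrules.html is in English, as are the surrounding "Reverse Tabnabbing" and "Server Leaks Information via "X-Powered-By"" context lines, so the hunk matches the file's current state rather than introducing a mixed-language page; if localized help is normally populated through the translation pipeline rather than by hand, the PR description should state that these locale copies are English placeholders awaiting translation, so that translators do not take the hunk for reviewed Italian text.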

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ja_JP/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ja_JP/contents/pscanrules.html index 8895cfd4846..e262262b7e1 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ja_JP/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ja_JP/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
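Review bot: the domain list ("polyfill.io" through "newcrbpc.com") is hand-copied into every locale file in this patch and presumably also lives in PolyfillCdnScriptScanRule.java, which the section links to as "Latest code"; a future addition to the rule's list will silently leave the help text stale unless each copy is updated. Either generate the help list from the rule's constant at build time or add a short sentence after "The known malicious 'polyfill' domains are:" saying that the authoritative list is the one in the rule source, so the help list is read as illustrative rather than exhaustive.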

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ms_MY/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ms_MY/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ms_MY/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ms_MY/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
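Review bot: the High-confidence sentence ("if a script is loaded from one of the malicious domains") leaves open whether the match is on the exact host or also covers subdomains of the listed domains, and whether protocol-relative or scheme-less script sources are considered; stating the matching rule in the help text tells users what the rule does and does not catch, which matters most for a rule that will be used to confirm a supply-chain compromise.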

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_pl_PL/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_pl_PL/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_pl_PL/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_pl_PL/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_pt_BR/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_pt_BR/contents/pscanrules.html index 23299a05241..00edc5319be 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_pt_BR/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_pt_BR/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ro_RO/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ro_RO/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ro_RO/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ro_RO/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ru_RU/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ru_RU/contents/pscanrules.html index d30901b56b3..61ff0a2925b 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ru_RU/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ru_RU/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_sr_CS/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_sr_CS/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_sr_CS/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_sr_CS/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
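Review bot: the description under "Script Served From Malicious Domain (polyfill)" does not say how a domain match is decided: whether a script loaded from a subdomain of a listed name (for example a host ending in ".polyfill.io") counts as well as the bare domain, and whether the "apparent reference to one of the malicious domains in the script contents" is a plain substring match. Suggest one sentence such as "A script source whose host is, or is a subdomain of, a listed domain is treated as a match", worded to whatever the rule actually implements, so users can judge false positives in the Low confidence case.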

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_tr_TR/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_tr_TR/contents/pscanrules.html index 790437b2af1..4d3acd8c382 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_tr_TR/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_tr_TR/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
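Review bot: the paragraph "It will raise an alert with a High confidence ... and a Low confidence ..." gives the confidence levels but never states the risk level of the alert. Suggest adding the risk next to the confidence (and saying whether it differs between the loaded-script case and the reference-in-contents case) so a reader of the help can triage the alert without opening the rule source.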

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ur_PK/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ur_PK/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ur_PK/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_ur_PK/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
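Review bot: this hunk inserts English text into help_ur_PK/contents/pscanrules.html, as the other locale files in this change do. If these locale pages are synced from the translation service, editing them directly will be overwritten on the next sync; if they are deliberately seeded with the English source until a translation exists, a line in the commit message saying so would save the next reviewer the question. In either case, confirm that the base English help page carries the same new section so the locale copies do not get ahead of it.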

                                                                                                  diff --git a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_zh_CN/contents/pscanrules.html b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_zh_CN/contents/pscanrules.html index 48014f87e24..f875734f7d6 100644 --- a/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_zh_CN/contents/pscanrules.html +++ b/addOns/pscanrules/src/main/javahelp/org/zaproxy/zap/extension/pscanrules/resources/help_zh_CN/contents/pscanrules.html @@ -398,6 +398,28 @@

                                                                                                  Reverse Tabnabbing


                                                                                                  Alert ID: 10108. +

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  +This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  +It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, +and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. +

                                                                                                  +The known malicious 'polyfill' domains are: +

                                                                                                    +
                                                                                                  • polyfill.io
                                                                                                  • +
                                                                                                  • bootcdn.net
                                                                                                  • +
                                                                                                  • bootcss.com
                                                                                                  • +
                                                                                                  • staticfile.net
                                                                                                  • +
                                                                                                  • staticfile.org
                                                                                                  • +
                                                                                                  • unionadjs.com
                                                                                                  • +
                                                                                                  • xhsbpza.com
                                                                                                  • +
                                                                                                  • union.macoms.la
                                                                                                  • +
                                                                                                  • newcrbpc.com
                                                                                                  • +
                                                                                                  +

                                                                                                  +Latest code: PolyfillCdnScriptScanRule.java +
                                                                                                  +Alert ID: 10115. +

                                                                                                  Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

                                                                                                  This checks response headers for the presence of X-Powered-By details.
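Review bot: under "The known malicious 'polyfill' domains are:" the list mixes polyfill.io with names that carry no "polyfill" association on their face (bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com), yet the text only says they are "known to have been compromised". Suggest one sentence explaining why these names are grouped under the polyfill label (shared operator or infrastructure, with a reference), otherwise a user who gets a hit on bootcss.com cannot tell from the help why the alert fired.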

                                                                                                  diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ar_SA.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ar_SA.properties index 758ae43c7b4..ede4f72373f 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ar_SA.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ar_SA.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
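Review bot: the "+pscanrules.anticlickjacking.compliance.malformed.setting.soln" line keeps an unbalanced parenthesis: the "(" opened before "if you expect the page to be framed only by pages on your server" is never closed, so the sentence runs on into "Alternatively consider ..." inside the parenthetical. Since this hunk already touches the line (the visible change is trailing whitespace removal), either close the bracket after "DENY" or drop the opening one; if this file is generated from the source Messages.properties, the fix belongs there first.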
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] \u062a\u0633\u062a\u062e\u062f\u0645 \u0622\u0644\u064a\u0629 \u063a\u064a\u0631 \u0622\u0645\u0646\u0629 \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 [{2}]\u060c \u062a\u0643\u0634\u0641 \u0627\u0633\u0645 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 [{3}] \u0648\u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] \u062a\u0633\u062a\u062e\u062f\u0645 \u0622\u0644\u064a\u0629 \u063a\u064a\u0631 \u0622\u0645\u0646\u0629 \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 [{2}]\u060c \u062a\u0643\u0634\u0641 \u0627\u0633\u0645 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 [{3}] \u0648\u0645\u0639\u0644\u0648\u0645\u0627\u062a \u0623\u062e\u0631\u0649 [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. 
For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = \u0642\u0645 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644 \u0627\u0644\u062a\u0634\u0641\u064a\u0631 (HTTPS)\u060c \u0628\u0627\u0644\u0625\u0636\u0627\u0641\u0629 \u0625\u0644\u0649 \u0622\u0644\u064a\u0629 \u0622\u0645\u0646\u0629 \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 \u0648\u0627\u0644\u062a\u064a \u0644\u0627\u062a\u0642\u0648\u0645 \u0628\u0625\u0631\u0633\u0627\u0644 \u0627\u0633\u0645 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0648\u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0628\u0637\u0631\u064a\u0642\u0629 \u063a\u064a\u0631 \u0645\u0634\u0641\u0631\u0629. 
\u0648\u0628\u0627\u0644\u0623\u062e\u0635\u060c \u0644\u0627\u062a\u0642\u0645 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0622\u0644\u064a\u0629 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0628\u0633\u064a\u0637 (Basic Authentication)\u060c \u062d\u064a\u062b \u0623\u0646\u0647 \u0645\u0646 \u0627\u0644\u0633\u0647\u0644 \u0643\u0633\u0631 \u0647\u0630\u0627 \u0627\u0644\u0623\u0633\u0644\u0648\u0628 \u0627\u0644\u0636\u0639\u064a\u0641 \u0645\u0646 \u0627\u0644\u062a\u0634\u0648\u064a\u0634. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
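Review bot: the "-pscanrules.authenticationcredentialscaptured.soln" line removes an existing Arabic translation (the \u0642... value) and the "+" line replaces it with the English string "Use HTTPS, and use a secure authentication mechanism ...", which is a content change rather than the whitespace cleanup the rest of this hunk performs. Confirm that dropping the translation is intended (for example because the source string changed and the old translation was retired) and say so in the commit message. Also check that the "+pscanrules.authenticationcredentialscaptured.desc" value is one physical line in the file: in this rendering it breaks after "authenticated user.", and a real line break there would end the property value at that point.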
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 \u0627\u0644\u0628\u0633\u064a\u0637\u0629 \u0648\u0627\u0644\u0645\u0648\u062c\u0632\u0629 \u0639\u0628\u0631 \u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644 (HTTP) \u062a\u0645\u062a \u0639\u0628\u0631 \u0642\u0646\u0627\u0629 \u0627\u062a\u0635\u0627\u0644 \u063a\u064a\u0631 \u0622\u0645\u0646\u0629. \u064a\u0645\u0643\u0646 \u0642\u0631\u0627\u0621\u0629 \u0627\u0633\u0645 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645 \u0648\u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631 \u0648\u0645\u0646 \u062b\u0645 \u0625\u0639\u0627\u062f\u0629 \u0625\u0633\u062a\u062e\u062f\u0627\u0645\u0647\u0627 \u0645\u0631\u0629 \u0623\u062e\u0631\u0649 \u0645\u0646 \u0642\u0650\u0628\u0644 \u0623\u064a \u0634\u062e\u0635 \u0644\u0647 \u0635\u0644\u0627\u062d\u064a\u0629 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0634\u0628\u0643\u0629. pscanrules.insecureauthentication.name = \u0623\u0633\u0644\u0648\u0628 \u0636\u0639\u064a\u0641 \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = \u0642\u0645 \u0628\u062d\u0645\u0627\u064a\u0629 \u0627\u0644\u0627\u062a\u0635\u0627\u0644 \u0628\u0627\u0633\u062a\u062e\u062f\u0645 \u0628\u0631\u0648\u062a\u0648\u0643\u0648\u0644 (HTTPS) \u0623\u0648 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0622\u0644\u064a\u0629 \u0642\u0648\u064a\u0629 \u0644\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 \u0627\u0644\u0647\u0648\u064a\u0629 +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. 
pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs=[empty string] pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs=[empty string] pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = \u0627\u0644\u0631\u062f \u0627\u0644\u0642\u0627\u062f\u0645 \u0645\u0646 \u0639\u0646\u0648\u0627\u0646 \u0627\u0644\u0635\u0641\u062d\u0629 \u0627\u0644\u062a\u0627\u0644\u064a\u0629 \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0642\u064a\u0645\u0629 ViewState \u0644\u0627\u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u062d\u0645\u0627\u064a\u0629 \u062a\u0634\u0641\u064a\u0631. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. 
pscanrules.insecurejsfviewstate.name = (JSF ViewState) \u063a\u064a\u0631 \u0622\u0645\u0646\u0629 pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = \u0642\u0645 \u0628\u062d\u0645\u0627\u064a\u0629 (VIEWSTATE) \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 (MAC) \u0645\u062e\u0635\u0635\u0629 \u0644\u0628\u064a\u0626\u0629 \u0627\u0644\u0639\u0645\u0644 \u0627\u0644\u062e\u0627\u0635\u0629 \u0628\u0643 +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
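Review bot: the `.soln` strings for `pscanrules.insecureauthentication` and `pscanrules.insecurejsfviewstate` replace existing Arabic translations with English text, while the sibling `.desc` and `.name` keys in the same hunk stay Arabic, so users of this locale will now see mixed-language alerts. Please confirm this is an intentional reset (the English source string changed, invalidating the translation) rather than an accidental loss of translated content. Dropping the `refs=[empty string]` entries for insecureformload and insecureformpost is fine and matches the hunk header's 25 to 23 line count.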
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
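Review bot: grammar in the new `pscanrules.polyfillcdnscript.desc2` line: "one or more script which appear" should read "one or more scripts which appear" (compare `desc1`, which correctly says "script files"). Also, `pscanrules.polyfillcdnscript.refs` cites an x.com status as a reference; social-media links tend to rot, so consider whether the sansec.io write-up alone suffices or a more durable second reference exists. The `retrievedfromcache.desc` and `.soln` pairs show no visible text change, so these appear to be whitespace-only edits.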
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs=[empty string] pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
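Review bot: in `pscanrules.usercontrolledhtmlattributes.extrainfo` the separator before "a(n) [{1}] tag [{2}] attribute" changes from "\n\n" to "\n", so that line will now sit directly under "appears to include user input in:" while every other section of the same message remains separated by a blank line. If the intent was only to strip the stray space before the newline, keep "\n\n" so the layout stays consistent. The join of `usercontrolledjavascriptevent.extrainfo` onto one line and the removal of the empty `usercontrolledcharset.refs` look fine.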
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo=[empty string] pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs=[empty string] pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo=[empty string] pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_az_AZ.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_az_AZ.properties index 0828d1c8236..44c05bf523a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_az_AZ.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_az_AZ.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
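Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` is touched in this hunk but still carries an unbalanced parenthesis: the text opens with "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then ..." and the outer parenthesis is never closed before "you should use DENY." Since the line is already in the diff, close it after "DENY" or drop the opening parenthesis. The remaining lines in this hunk show no visible text change, so they appear to be whitespace-only edits.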
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
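Review bot: the context line `pscanrules.cookielooselyscoped.desc` is missing a space in "domain scope.The domain scope applied to a cookie"; since the adjacent `.extrainfo` key is being cleaned of a stray space in this hunk, the same pass could fix that typo.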
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
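Review bot: Dropping the trailing `\t` from pscanrules.heartbleed.desc is the right fix, as an escaped tab at the end of a value would otherwise be rendered in the alert description. While touching that string, note that it says "obtain sensitive information from process memory ... potentially disclosing sensitive information", which repeats itself; the wording should be tightened in the default bundle rather than in this locale file.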
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
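Review bot: Removing the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys changes behaviour slightly: an empty value in a locale file overrides the default bundle with an empty string, whereas a missing key falls back to the default Messages.properties. That is the desirable outcome here, but please confirm the default bundle either defines these keys or that the rule tolerates a missing refs entry, so no locale ends up with a MissingResourceException where it previously got an empty string.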
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
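Review bot: The newly added pscanrules.polyfillcdnscript.desc2 has a grammar slip, "one or more script which appear" should read "one or more scripts which appear"; because this file is synced from the source bundle, the fix belongs in the default Messages.properties so the corrected string flows into every locale. Also consider whether the x.com status URL in pscanrules.polyfillcdnscript.refs is a stable enough reference for an alert; the sansec.io write-up already covers the same ground.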
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
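Review bot: Appending a period directly after the `{1}` placeholder in pscanrules.timestampdisclosure.extrainfo is inconsistent with other messages in this PR that also end in a placeholder and were left without one (pscanrules.csp.wildcard.otherinfo ending in `{0}`, pscanrules.usernameidor.otherinfo ending in `{1}`); pick one convention, and bear in mind that a trailing "." after a substituted timestamp value can be mistaken for part of the value when the text is copied out of the alert.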
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
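Review bot: The whitespace clean-up in pscanrules.usercontrolledhtmlattributes.extrainfo also changed the layout: `in\: \n\na(n)` became `in\:\na(n)`, so that section break is now a single newline while every other break in the same message ("attribute\n\nThe user input found was", "{4}\n\nThe user-controlled value was") keeps the double newline; restore `\n\n` there for consistent spacing. Separately, pscanrules.usercontrolledjavascriptevent.extrainfo still reads "event(s) was found" (should be "were found") and mixes "javascript" and "Javascript" with the rule name's "JavaScript"; that belongs in the default bundle.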
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_bn_BD.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_bn_BD.properties index 67d49fb3a47..d2b02514c84 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_bn_BD.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_bn_BD.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}][{1}]\u0985\u09b8\u09c1\u09b0\u0995\u09cd\u09b7\u09bf\u09a4 \u09aa\u09cd\u09b0\u09ae\u09be\u09a3\u09c0\u0995\u09b0\u09a3 \u09aa\u09cd\u09b0\u0995\u09cd\u09b0\u09bf\u09af\u09bc\u09be [{2}] \u09ac\u09cd\u09af\u09ac\u09b9\u09be\u09b0 \u0995\u09b0\u09c7 \u09ac\u09cd\u09af\u09be\u09ac\u09b9\u09be\u09b0\u0995\u09be\u09b0\u09c0\u09b0 \u09a8\u09be\u09ae [{3}] \u098f\u09ac\u0982 \u09aa\u09be\u09b8\u0993\u09df\u09be\u09b0\u09cd\u09a1 \u09aa\u09cd\u09b0\u0995\u09be\u09b6 \u0964[{4}] pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = \u0985\u09b8\u09c1\u09b0\u0995\u09cd\u09b7\u09bf\u09a4 \u09aa\u09cd\u09b0\u09ae\u09be\u09a3\u09c0\u0995\u09b0\u09a3 \u09aa\u09cd\u09b0\u0995\u09cd\u09b0\u09bf\u09af\u09bc\u09be \u09ac\u09cd\u09af\u09ac\u09b9\u09be\u09b0 \u0995\u09b0\u09c7 \u09ac\u09cd\u09af\u09be\u09ac\u09b9\u09be\u09b0\u0995\u09be\u09b0\u09c0\u09b0 \u09a8\u09be\u09ae \u098f\u09ac\u0982 \u0985\u09a4\u09bf\u09b0\u09bf\u0995\u09cd\u09a4 \u09a4\u09a5\u09cd\u09af \u09aa\u09cd\u09b0\u0995\u09be\u09b6\u0964 -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. 
This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. pscanrules.authenticationcredentialscaptured.name = \u0985\u09a8\u09c1\u09ae\u09cb\u09a6\u09a8\u09c7\u09b0 \u09aa\u09b0\u09bf\u099a\u09df\u09aa\u09a4\u09cd\u09b0 \u09ac\u09a8\u09cd\u09a6\u09bf\u0995\u09b0\u09be \u09b9\u09df\u09c7\u099b\u09c7\u0964 pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = HTTPS \u09ac\u09cd\u09af\u09ac\u09b9\u09be\u09b0 \u0995\u09b0\u09c1\u09a8, \u098f\u09ac\u0982 \u098f\u0995\u099f\u09bf \u09a8\u09bf\u09b0\u09be\u09aa\u09a6 \u09aa\u09cd\u09b0\u09ae\u09be\u09a3\u09c0\u0995\u09b0\u09a3 \u09aa\u09cd\u09b0\u0995\u09cd\u09b0\u09bf\u09af\u09bc\u09be \u09ac\u09cd\u09af\u09ac\u09b9\u09be\u09b0 \u0995\u09b0\u09c1\u09a8 \u09af\u09be \u098f\u0995\u099f\u09bf \u0987\u0989\u09a8\u09bf\u0995-\u098f\u09a8\u0995\u09cd\u09b0\u09bf\u09aa\u09cd\u099f\u09c7\u09a1 \u09ab\u09cd\u09af\u09be\u09b6\u09a8 \u0987\u0989\u099c\u09be\u09b0 \u0986\u0987\u09a1\u09bf \u09ac\u09be \u09aa\u09be\u09b8\u0993\u09af\u09bc\u09be\u09b0\u09cd\u09a1 \u09aa\u09cd\u09b0\u09c7\u09b0\u09a3 \u0995\u09b0\u09c7 \u09a8\u09be . +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. 
In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = \u0995\u09c1\u0995\u09bf\u099c \u09a1\u09cb\u09ae\u09c7\u09a8 \u09ac\u09be \u09aa\u09a5 \u09a6\u09cd\u09ac\u09be\u09b0\u09be \u09ac\u09cd\u09af\u09be\u09aa\u09cd\u09a4 \u0995\u09b0\u09be \u09af\u09c7\u09a4\u09c7 \u09aa\u09be\u09b0\u09c7\u0964 \u0964 \u098f\u0987 \u099a\u09c7\u0995 \u09b6\u09c1\u09a7\u09c1\u09ae\u09be\u09a4\u09cd\u09b0 \u09a1\u09cb\u09ae\u09c7\u0987\u09a8 \u09ac\u09cd\u09af\u09aa\u09cd\u09a4\u09bf\u09b0 \u09b8\u0999\u09cd\u0997\u09c7 \u09b8\u0982\u09b6\u09cd\u09b2\u09bf\u09b7\u09cd\u099f\u0964 \u09a1\u09cb\u09ae\u09c7\u0987\u09a8 \u09ac\u09cd\u09af\u09be\u09aa\u09cd\u09a4\u09bf \u0986\u09ac\u09c7\u09a6\u09a8 \u0995\u09b0\u09be \u09b9\u09df \u098f\u0995\u099f\u09bf \u0995\u09c1\u0995\u09bf \u09a8\u09bf\u09b0\u09cd\u09a7\u09be\u09b0\u09a3 \u0995\u09b0\u09a4\u09c7 \u09af\u09be \u09a1\u09cb\u09ae\u09c7\u09a8\u09c7 \u0985\u09cd\u09af\u09be\u0995\u09cd\u09b8\u09c7\u09b8 \u0995\u09b0\u09a4\u09c7 \u09aa\u09be\u09b0\u09c7\u0964\u0989\u09a6\u09be\u09b9\u09b0\u09a3\u09b8\u09cd\u09ac\u09b0\u09c2\u09aa, \u098f\u0995\u099f\u09bf \u0995\u09c1\u0995\u09bf \u0995\u09a0\u09cb\u09b0\u09ad\u09be\u09ac\u09c7 \u098f\u0995\u099f\u09bf \u09b8\u09be\u09ac\u09a1\u09cb\u09ae\u09c7\u0987\u09a8\u09c7 \u09ac\u09cd\u09af\u09be\u09aa\u09cd\u09a4 \u0995\u09b0\u09be \u09af\u09be\u09ac\u09c7 \u09af\u09c7\u09ae\u09a8 www.nottrusted.com \u0985\u09a5\u09ac\u09be \u09b8\u09cd\u09ac\u09be\u09ad\u09be\u09ac\u09bf\u0995\u09ad\u09be\u09ac\u09c7 \u098f\u0995\u099f\u09bf \u0985\u09ad\u09bf\u09ad\u09be\u09ac\u0995 \u09a1\u09cb\u09ae\u09c7\u0987\u09a8\u09c7 \u09ac\u09cd\u09af\u09be\u09aa\u09cd\u09a4 \u09b9\u09a4\u09c7 \u09aa\u09be\u09b0\u09c7 \u09af\u09c7\u09ae\u09a8 nottrusted.com \u0964\u09aa\u09b0\u09c7\u09b0\u099f\u09bf\u09b0 \u0995\u09cd\u09b7\u09c7\u09a4\u09cd\u09b0\u09c7 
nottrusted.com \u098f\u09b0 \u0995\u09cb\u09a8\u09cb \u0989\u09aa\u09a1\u09cb\u09ae\u09c7\u0987\u09a8 \u0985\u09cd\u09af\u09be\u0995\u09cd\u09b8\u09c7\u09b8 \u0995\u09b0\u09a4\u09c7 \u09aa\u09be\u09b0\u09c7\u0964\u09a7\u09c0\u09b0\u09c7 \u09a7\u09c0\u09b0\u09c7 \u0995\u09c1\u0995\u09bf\u0997\u09c1\u09b2\u09bf \u09ac\u09cd\u09af\u09be\u09aa\u09cd\u09a4\u09bf\u0995\u09b0\u09be\u09a8\u09cb \u09b8\u09be\u09a7\u09be\u09b0\u09a8 \u09ae\u09c7\u0997\u09be-\u0985\u09cd\u09af\u09be\u09aa\u09cd\u09b2\u09bf\u0995\u09c7\u09b6\u09a8\u09c7 \u09af\u09c7\u09ae\u09a8 google.com \u098f\u09ac\u0982 live.com l \u0995\u09c1\u0995\u09bf\u099c \u09b8\u09c7\u099f \u0995\u09b0\u09be \u09b9\u09df \u098f\u0995\u099f\u09bf \u0989\u09aa\u09a1\u09cb\u09ae\u09c7\u0987\u09a8 \u098f \u09af\u09c7\u09ae\u09a8 like.foo.bar \u09af\u09be \u09b6\u09c1\u09a7\u09c1\u09ae\u09be\u09a4\u09cd\u09b0 \u09ac\u09cd\u09b0\u09be\u0989\u099c\u09be\u09b0 \u09a6\u09cd\u09ac\u09be\u09b0\u09be \u0986\u09a6\u09be\u09a8 \u09aa\u09cd\u09b0\u09a6\u09be\u09a8 \u09b9\u09df\u0964\u09af\u09be\u0987 \u09b9\u09cb\u0995,\u0995\u09c1\u0995\u09bf \u0985\u09ad\u09bf\u09ad\u09be\u09ac\u0995\u098f\u09b0 \u09ae\u09a4\u09cb \u09a1\u09cb\u09ae\u09c7\u0987\u09a8\u09c7 \u09ac\u09cd\u09af\u09be\u09aa\u09cd\u09a4 \u09b9\u09df \u09af\u09be \u09b9\u09df\u09a4\u09cb \u0985\u09ad\u09bf\u09ad\u09be\u09ac\u0995 \u0995\u09c7\u0987 \u09a6\u09c7\u09df\u09be \u0985\u09a5\u09ac\u09be \u0985\u09ad\u09bf\u09ad\u09be\u09ac\u0995\u09c7\u09b0 \u0989\u09aa\u09a1\u09cb\u09ae\u09c7\u0987\u09a8\u0995\u09c7\u0964 -pscanrules.cookielooselyscoped.extrainfo = \u09a4\u09c1\u09b2\u09a8\u09be\u09b0 \u099c\u09a8\u09cd\u09af \u09ae\u09c2\u09b2 \u09a1\u09cb\u09ae\u09c7\u0987\u09a8\u099f\u09be \u09ac\u09cd\u09af\u09be\u09ac\u09b9\u09c3\u09a4 \u09b9\u09df\u09c7\u099b\u09bf\u09b2 {0}{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0\u0981}\n 
pscanrules.cookielooselyscoped.name = \u09b8\u09cd\u09ac\u09be\u09a7\u09c0\u09a8\u09ad\u09be\u09ac\u09c7 \u0995\u09c1\u0995\u09bf \u09ac\u09cd\u09af\u09be\u09aa\u09cd\u09a4 \u09b9\u09df pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = \u09aa\u09cd\u09b0\u09a4\u09bf\u0995\u09cd\u09b0\u09bf\u09af\u09bc\u09be\u09df \u09b8\u09be\u09a7\u09be\u09b0\u09a3 \u09a4\u09cd\u09b0\u09c1\u099f\u09bf \u09ac\u09be\u09b0\u09cd\u09a4\u09be \u09a8\u09bf\u09df\u09c7 \u09b9\u09be\u099c\u09bf\u09b0 \u09b9\u09df \u09af\u09be \u0985\u09cd\u09af\u09be\u09aa\u09be\u099a\u09bf\u098f\u09b0 \u09ae\u09a4\u09cb \u09aa\u09cd\u09b2\u09cd\u09af\u09be\u099f\u09ab\u09b0\u09cd\u09ae \u09a6\u09cd\u09ac\u09be\u09b0\u09be \u09ab\u09bf\u09b0\u09c7 \u0986\u09b8\u09c7 \u09af\u09c7\u09ae\u09a8 ASP.NET \u098f\u09ac\u0982 \u0993\u09af\u09bc\u09c7\u09ac \u09b8\u09be\u09b0\u09cd\u09ad\u09be\u09b0 ,\u0986\u0987\u0986\u0987\u098f\u09b8\u0964 pscanrules.informationdisclosuredebugerrors.name = \u09a4\u09cd\u09b0\u09c1\u099f\u09bf\u09af\u09c1\u0995\u09cd\u09a4 \u09ac\u09be\u09b0\u09cd\u09a4\u09be\u09df \u09ad\u09c1\u09b2 \u0996\u09c1\u099c\u09a4\u09c7-\u09a4\u09a5\u09cd\u09af \u09aa\u09cd\u09b0\u0995\u09be\u09b6 \u0995\u09b0\u09be 
\u09b9\u09df\u0964 @@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = Url-\u099f\u09bf \u0995\u09cd\u09b0\u09c7\u09a1\u09bf\u099f \u0995\u09be\u09b0\u09cd\u09a1\u09c7\u09b0 \u09a4\u09a5\u09cd\u09af \u09a7\u09be\u09b0\u09a3 \u0995\u09b0\u09a4\u09c7 \u09a6\u09c7\u0996\u09be \u09af\u09be\u09df\u0964 pscanrules.informationdisclosureinurl.otherinfo.email = Url-\u099f\u09bf \u0987-\u09ae\u09c7\u0987\u09b2 \u09a0\u09bf\u0995\u09be\u09a8\u09be\u0997\u09c1\u09b2\u09cb \u09a7\u09be\u09b0\u09a3 \u0995\u09b0\u09c7\u0964 pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = Url-\u099f\u09bf \u09ae\u09a8\u09c7 \u09b9\u09af\u09bc \u0986\u09ae\u09be\u09a6\u09c7\u09b0 \u09b8\u09be\u09ae\u09be\u099c\u09bf\u0995 \u09a8\u09bf\u09b0\u09be\u09aa\u09a4\u09cd\u09a4\u09be\u09b0 \u09b8\u0982\u0996\u09cd\u09af\u09be\u09a7\u09be\u09b0\u09a8 \u0995\u09b0\u09c7 +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = URIs \u098f \u09b8\u0982\u09ac\u09c7\u09a6\u09a8\u09b6\u09c0\u09b2 \u09a4\u09a5\u09cd\u09af \u098f\u09b0\u09bf\u0993\u09a8\u09be\u0964 pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = \u098f\u0995\u099f\u09bf \u0985\u09a8\u09bf\u09b0\u09be\u09aa\u09a6 \u09b8\u0982\u09af\u09cb\u0997\u09c7 HTTP \u09aa\u09cd\u09b0\u09be\u09a5\u09ae\u09bf\u0995 \u0985\u09a5\u09ac\u09be \u09aa\u09b0\u09bf\u09aa\u0995\u09cd\u0995 \u09b8\u09a8\u09be\u0995\u09cd\u09a4\u0995\u09b0\u09a8 \u09ac\u09cd\u09af\u09be\u09ac\u09b9\u09c3\u09a4 \u09b9\u09df\u09c7\u099b\u09bf\u09b2\u0964\u09aa\u09b0\u09bf\u099a\u09df \u09aa\u09a4\u09cd\u09b0\u0997\u09c1\u09b2\u09cb \u0995\u09c7\u0989 \u09ac\u09cd\u09af\u09be\u09ac\u09b9\u09be\u09b0 \u098f\u09ac\u0982 \u09aa\u09a1\u09bc\u09a4\u09c7 \u09aa\u09be\u09b0\u09ac\u09c7 \u098f\u0987 \u09a8\u09c7\u099f\u0993\u09df\u09be\u09b0\u09cd\u0995 \u098f \u0985\u09cd\u09af\u09be\u0995\u09cd\u09b8\u09c7\u09b8 \u09a8\u09bf\u09df\u09c7\u0964 pscanrules.insecureauthentication.name = \u09a6\u09c1\u09b0\u09cd\u09ac\u09b2 \u09b6\u09a8\u09be\u0995\u09cd\u09a4\u0995\u09b0\u09a3 \u09aa\u09a6\u09cd\u09a7\u09a4\u09bf pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = \ \u09b8\u0982\u09af\u09cb\u0997 \u09b0\u0995\u09cd\u09b7\u09be \u0995\u09b0\u09cb \u098f\u0987\u099a\u099f\u09bf\u099f\u09bf\u09aa\u09bf \u0985\u09a5\u09ac\u09be \u09b6\u0995\u09cd\u09a4\u09bf\u09b6\u09be\u09b2\u09c0 \u09b6\u09a8\u09be\u0995\u09cd\u09a4\u0995\u09b0\u09a8 \u09aa\u09a6\u09cd\u09a7\u09a4\u09bf \u09ac\u09cd\u09af\u09ac\u09b9\u09be\u09b0 \u0995\u09b0\u09c7\u0964 +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. 
pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = \u098f\u0987 URL \u099f\u09bf\u09b0 \u09aa\u09cd\u09b0\u09a4\u09bf\u0995\u09cd\u09b0\u09bf\u09df\u09be \u098f\u0995\u099f\u09bf viewstate \u09a7\u09be\u09b0\u09a8 \u0995\u09b0\u09c7 \u09af\u09be\u09b0 \u0995\u09cb\u09a8\u09cb \u0995\u09cd\u09b0\u09bf\u09aa\u09cd\u099f\u09cb\u0997\u09cd\u09b0\u09be\u09ab\u09bf\u0995 \u09a8\u09bf\u09b0\u09be\u09aa\u09a4\u09cd\u09a4\u09be \u09a8\u09c7\u0987\u0964 -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] \u0985\u09a8\u09bf\u09b0\u09be\u09aa\u09a6\u0964 +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. 
pscanrules.insecurejsfviewstate.name = \u0985\u09a8\u09bf\u09b0\u09be\u09aa\u09a6 JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Viewstate \u0995\u09c7 \u09a8\u09bf\u09b0\u09be\u09aa\u09a6 \u0995\u09b0\u09cb Maac \u098f\u09b0\u09b8\u09be\u09a5\u09c7 \u09af\u09be \u0986\u09aa\u09a8\u09be\u09b0 \u09aa\u09b0\u09bf\u09ac\u09c7\u09b6\u09c7\u09b0 \u099c\u09a8\u09cd\u09af \u09a8\u09bf\u09b0\u09cd\u09a6\u09bf\u09b7\u09cd\u099f\u0964 +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
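Review bot: the removal of the empty "pscanrules.usercontrolledcharset.refs=" line in this hunk is correct, but confirm the base Messages.properties still defines that key. An empty value in a locale file shadows the default bundle (the lookup returns an empty string instead of falling through the ResourceBundle parent chain), so dropping the override restores the English reference; if the key were absent from the base as well, the lookup would throw MissingResourceException. The other edits in this hunk (trailing spaces on the extrainfo.get/extrainfo.post lines, the doubled "\n" before "a(n)" in usercontrolledhtmlattributes.extrainfo, the space before "\n\n" in usercontrolledjavascriptevent.extrainfo) are whitespace-only and invisible in the rendered diff, so the commit message should say that is the intent.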
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = \u09a8\u09bf\u09ae\u09cd\u09a8\u09ac\u09b0\u09cd\u09a3\u09bf\u09a4 IP \u09a0\u09bf\u0995\u09be\u09a8\u09be\u0997\u09c1\u09b2\u09cb \u09b8\u09ae\u09cd\u09ad\u09be\u09ac\u09cd\u09af viewstate \u09ae\u09be\u09a0\u09c7 \u09a7\u09be\u09b0\u09be\u09ac\u09be\u09b9\u09bf\u0995\u09ad\u09be\u09ac\u09c7 \u0996\u09c1\u0981\u099c\u09c7 \u09aa\u09be\u0993\u09af\u09bc\u09be \u09af\u09be\u099a\u09cd\u099b\u09c7\u0964 pscanrules.viewstate.content.email.name = \u0987-\u09ae\u09c7\u0987\u09b2 Viewstate \u098f\u09aa\u09be\u0993\u09af\u09bc\u09be \u09af\u09be\u09af\u09bc\u0964 
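Review bot: the "+pscanrules.usernameidor.otherinfo" line keeps a fixed article in "The hash was an {0}", which reads wrong whenever the name substituted for {0} takes "a" rather than "an". Since the change to this line and to usernameidor.soln is whitespace-only (the visible text is identical on both sides), consider rewording the source string to avoid the article, e.g. "The hash algorithm was {0}, with value\: {1}", and let that propagate to the locales.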
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_bs_BA.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_bs_BA.properties index ceac13a7b37..6f9deaf51b5 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_bs_BA.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_bs_BA.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
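Review bot: the "+pscanrules.anticlickjacking.compliance.malformed.setting.soln" line carries an unclosed parenthesis, opened at "(if you expect the page to be framed" and never closed before "you should use DENY."; since this is the English source text copied into the locale, fix it in the base Messages.properties (for example by closing the parenthesis after "DENY") rather than in this generated file. The meta.soln and incInCsp pairs in this hunk have identical visible text on the "-" and "+" sides, so the only effect there is whitespace or line endings, and the commit message should state that.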
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] koristi nesigurni autentikacijski mehanizam [{2}], otkriva korisni\u010dko ime [{3}] i lozinku [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] koristi nesigurni autentikacijski mehanizam [{2}], otkriva korisni\u010dko ime [{3}] i dodatne informacije [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Koristi HTTPS, i koristi siguran autentikacijski mehanizam koji ne \u0161alje kostisni\u010dkiid ili lozinku u nekriptovanom obliku. Posebno, izbjegnike kori\u0161tenje Basic Authentication mehanizma, budu\u0107i da je ovaj trivijalni mehanizam lako razbiti.\u00a0 +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
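Review bot: the pscanrules.authenticationcredentialscaptured.soln change in this hunk replaces an existing Bosnian translation with the English source text, so the locale loses a translation rather than gaining one. If this is a translation-platform export that discards translations invalidated by a changed source string, say so in the commit message; otherwise keep the Bosnian text and fix its defects in place (the removed line has the typo "kostisni\u010dkiid", "izbjegnike" where the imperative "izbjegnite" is meant, and a trailing "\u00a0" non-breaking space that should go).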
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic ili digest autentikacija se koristi preko nesigurne veze. Kredencijali se mogu pre\u010ditati i koristiti od nekog drugog za pristup mre\u017ei. pscanrules.insecureauthentication.name = Slab Autentikacijski Metod pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Za\u0161titite vezu koriste\u0107i HTTPS ili koristiti ja\u010di autentikacijski mehanizam +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = Odgovor na sljede\u0107em URL-u sadr\u017ei ViewState vrijednost koja nema svoje kriptografske za\u0161tite. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] nije siguran +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Nesiguran JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Sigurni VIEWSTATE s MAC-om specifi\u010dnim za va\u0161e okru\u017eenje +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
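Review bot: after this hunk the pscanrules.insecureauthentication and pscanrules.insecurejsfviewstate alerts are shown in two languages: ".desc" and ".name" stay Bosnian ("Slab Autentikacijski Metod", "Nesiguran JSF ViewState") while ".extrainfo" and ".soln" become English. If the intent is to drop stale translations, drop the whole alert's strings so the base English is used consistently (a key missing from the locale falls back to the parent bundle); if not, keep the Bosnian ".soln" and ".extrainfo" and only add the missing terminal periods. Removing the empty "insecureformload.refs=" and "insecureformpost.refs=" lines is fine on the same fallback logic, provided the base Messages.properties defines those keys.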
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
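Review bot: grammar in the added "pscanrules.polyfillcdnscript.desc2" line: "one or more script which appear" should be "one or more scripts which appear"; because the new polyfill strings are English source text landing in a locale file, make the fix in the base Messages.properties so every locale picks it up. The second entry of the new "refs" line is an x.com status URL, which is not a durable reference for an alert; prefer the Sansec write-up alone or another reference that will outlive the post. The retrievedfromcache.desc and .soln pairs in this hunk show no visible text difference, so they are whitespace-only changes.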
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
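Review bot: dropping the empty `pscanrules.usercontrolledcharset.refs=` key changes what a lookup returns for this locale: with standard ResourceBundle parent-chain lookup the key now resolves from the base `Messages.properties` instead of yielding an empty string, and throws MissingResourceException if it is absent there too, so confirm the base bundle defines `usercontrolledcharset.refs` or that the rule tolerates a missing reference. Visible in this hunk's context but not touched by it: `sanitize output it before writing` in `pscanrules.usercontrolledhtmlattributes.soln` and `pscanrules.usercontrolledjavascriptevent.soln` is a typo that belongs in the source bundle so every locale inherits the fix.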
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
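Review bot: `pscanrules.usernameidor.otherinfo` and `pscanrules.usernameidor.soln` are re-emitted here with no visible change, while the hunk at `@@ -314,8 +318,8 @@` adds a terminating period to `pscanrules.timestampdisclosure.extrainfo`, which also ends in a placeholder; pick one convention for messages that end in a substituted value (`{1}`) and apply it to `The hash was an {0}, with value\: {1}` as well, or leave both without a period. The article in `an {0}` also only reads correctly for hash names that start with a vowel sound (`an MD5` but `a SHA-1`), so consider rephrasing to avoid the article.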
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
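Review bot: removing the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` keys (and `pscanrules.xpoweredbyheaderinfoleak.extrainfo=` in the following hunk) means lookups in this locale now fall through to the base bundle rather than returning an empty string; verify the base `Messages.properties` carries these keys, or that the X-Backend-Server and X-Powered-By rules handle a missing extrainfo/refs value, before merging.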
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ceb_PH.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ceb_PH.properties index 9dfb0609c2a..90c6300a61a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ceb_PH.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ceb_PH.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
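Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` has an unbalanced parenthesis: the `(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then ... you should use DENY.` clause opens a parenthesis that is never closed; since the English here is the source text, fix it in the base bundle so the locale files pick it up. The other three re-emitted lines in this hunk (`malformed.setting.soln`, `compliance.meta.soln`, `incInCsp`) show no visible difference and appear to be whitespace-only changes.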
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] naggamit sa dili segurado nga mekanismo sa pagmatuod [{2}], pagpadayag sa username [{3}] ug password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] naggamit sa dili segurado nga mekanismo sa pagmatuod [{2}], pagpadayag sa username [{3}] ug dugang nga kasayuran [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Ang pagkumpirma sa mga kredensyal nga nakuha pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Ang gamita ang HTTPS, ug gamita ang usa ka luwas nga mekanismo sa pag-ila nga wala magpadala sa userid o password sa wala ma-encrypt nga paagi. Ilabi na, likayi ang paggamit sa mekanismo sa Sukaran nga Pagpamatuod, tungod kay kini nga gamay nga mekanismo nga pagpugong sa dali dali masulbad. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
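Review bot: `pscanrules.authenticationcredentialscaptured.soln` replaces an existing Cebuano translation with the English source text while the neighbouring `.name` and `.extrainfo` keys stay in Cebuano, leaving a mixed-language alert; confirm this is intended (for example the translation was invalidated upstream because the source string changed) rather than a lost translation. The `.desc` line in the same hunk is re-emitted with no visible change.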
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Ang mga cookie mahimong masikop sa domain o dalan. Kini nga tseke mao lamang ang pagkabalaka sa domain scope. Ang domain nga kasangkaran nga gigamit sa usa ka cookie nagtino kung asa nga mga domain ang maka-access niini. Pananglitan, ang usa ka cookie mahimo nga hugot nga gitakpan ngadto sa usa ka subdomain e.g. www.nottrusted.com, o wala'y mahimo sa usa ka domain sa ginikanan e.g. nottrusted.com. Sa ulahing kaso, ang bisan unsang subdomain sa nottrusted.com maka-access sa cookie. Ang yano nga pagsikod sa mga cookie kay kasagaran sa mga mega-mga aplikasyon sama sa google.com ug live.com. Ang mga cookie gikan sa usa ka subdomain sama sa app.foo.bar gipadala lamang sa maong domain sa browser. Bisan pa, ang mga cookies nga gisukip ngadto sa usa ka parent-level domain mahimong ipasa ngadto sa ginikanan, o bisan unsang subdomain sa ginikanan. -pscanrules.cookielooselyscoped.extrainfo = Ang gigikanan nga domain nga gigamit alang sa pagtandi mao ang\:\n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Maayong pagsikop sa Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
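Review bot: `pscanrules.cookielooselyscoped.extrainfo` drops its Cebuano translation in favour of the English source string while `cookielooselyscoped.desc` and `.name` remain in Cebuano; if the translation was intentionally invalidated, note why in the commit message, otherwise restore `Ang gigikanan nga domain nga gigamit alang sa pagtandi mao ang\:\n{0}\n{1}`.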
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
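Review bot: the removal of the trailing `\t` from `pscanrules.heartbleed.desc` is the substantive change in this hunk and is worth keeping, since the tab would otherwise be rendered into the alert description; the `pscanrules.hashdisclosure.soln` pair shows no visible difference and is whitespace-only.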
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = Ang tubag nga nagpakita sa naglangkob na kasagarang mga mensahe sa sayop nga nahibalik sa mga plataporma sama sa ASP.NET, ug Web-server sama sa IIS ug Apache. Mahimo nimong i-configure ang lista sa mga komon nga mga mensahe sa pag--debug. pscanrules.informationdisclosuredebugerrors.name = Pagbutyag sa Impormasyon - Mga Mensahe sa Pag-debug sa Sayup 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = Ang URL makita nga adunay impormasyon sa kredit kard. pscanrules.informationdisclosureinurl.otherinfo.email = Ang URL naglangkob ug email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = Ang URL makita nga naglangkob sa US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Ayaw pagpasa ug sensitibong impormasyon sa URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
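Review bot: `pscanrules.informationdisclosureinurl.otherinfo.ssn` is reverted from Cebuano to English while the sibling `.otherinfo.cc`, `.otherinfo.email` and `.soln` keys stay in Cebuano; the source change that triggered this looks like only the added terminating period, so consider carrying the existing translation forward with the period rather than dropping it.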
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = Ang sukaranan sa HTTP o pagmatuod sa digest gigamit sa usa ka dili sigurado nga koneksyon. Ang mga kredensyal mabasa ug dayon gamiton sa usa nga adunay access sa network. pscanrules.insecureauthentication.name = Ang huyang na pamaagi sa pagpamatuod pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Gipanalipdan ang koneksyon gamit ang HTTPS o mogamit sa usa ka mas lig-on nga mekanismo sa pagmatuod +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = Ang tubag sa mosunod nga URL naglangkob sa usa ka bili sa ViewState nga wala panalipdi sa cryptographic. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] kay dili luwas +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Dili segurado nga JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Ang luwas nga VIEWSTATE nga adunay espesipiko nga MAC sa imong palibot +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
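Review bot: this hunk mixes two kinds of change that deserve separate scrutiny: `pscanrules.insecureauthentication.soln`, `pscanrules.insecurejsfviewstate.extrainfo` and `pscanrules.insecurejsfviewstate.soln` lose their Cebuano translations in favour of English (confirm intended), and the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys are deleted, which changes the lookup from an empty string to a base-bundle fallback; check that the base `Messages.properties` defines both refs keys or that the form-transition rules accept a missing reference.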
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
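Review bot: pscanrules.polyfillcdnscript.refs in this hunk lists an x.com status URL next to the sansec.io write-up; a social-media post is not a stable reference for an alert, so consider dropping it or replacing it with a durable advisory link. Two wording points in the new English strings, which belong in the source bundle rather than this locale file: pscanrules.polyfillcdnscript.desc2 reads "one or more script which appear" and should be "one or more scripts which appear", and the `-`/`+` pair for pscanrules.retrievedfromcache.desc shows no visible textual difference, so that part of the hunk is whitespace only.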
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
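Review bot: the `+` lines for pscanrules.usercontrolledcookie.extrainfo.get and pscanrules.usercontrolledcookie.extrainfo.post are textually identical to the removed lines, so this part of the hunk is trailing-whitespace only. Two things in the surrounding lines are worth a follow-up in the source bundle: the .post message ends with "For example\: https\://nottrusted.com/page?value\=maliciousInput." where the final period is glued to the URL and can be rendered as part of the link, and both pscanrules.usercontrolledhtmlattributes.soln and pscanrules.usercontrolledjavascriptevent.soln read "Validate all input and sanitize output it before writing", with a stray "it".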
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = Ang mosunod nga mga email nakit-an nga gi-serialize sa field nga viewstate\: pscanrules.viewstate.content.email.name = Nakit. an ang mga Email sa Viewstate 
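Review bot: both `+` lines in this hunk are whitespace-only changes. In the visible context, pscanrules.usernameidor.otherinfo hard-codes the article in "The hash was an {0}", which only reads correctly when the hash name is pronounced with a leading vowel sound, so the article should be part of the formatted value or the sentence reworded ("The hash type was {0}, with value\: {1}"). Also, pscanrules.viewstate.content.email.name contains "Nakit. an", where the hyphenated form "Nakit-an" used in the .desc entry directly above it is presumably intended.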
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
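Review bot: removing the empty keys pscanrules.xbackendserver.extrainfo= and pscanrules.xbackendserver.refs= (and, in other hunks, pscanrules.xpoweredbyheaderinfoleak.extrainfo=, pscanrules.usercontrolledcharset.refs=, pscanrules.insecureformload.refs= and pscanrules.insecureformpost.refs=) changes a lookup from "present but empty" to "absent in this locale", so the value now resolves through the parent resource bundle. Confirm that the default Messages.properties no longer defines these keys and that the corresponding rules no longer fetch them, since a key that is missing from every bundle throws at lookup time instead of yielding the empty string the old entries produced.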
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_da_DK.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_da_DK.properties index dee52941c67..a73de27fa45 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_da_DK.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_da_DK.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
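Review bot: the `+` lines in this hunk are whitespace-only, and the one for pscanrules.anticlickjacking.compliance.malformed.setting.soln carries over an unbalanced parenthesis: "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY." opens a parenthesis that is never closed. Worth fixing in the source bundle, for example by closing it after "DENY".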
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] bruger en usikker identifikations metode [{2}], som viser brugernavn [{3}] og kodeord [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] bruger en usikker identifikations metode [{2}], som viser brugernavn [{3}] og anden information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Brug HTTPS, og brug en sikker identifikations mekanisme som ikke sender bruger id eller kodeord over en ukrypteret forbindelse. Undg\u00e5 at bruge "Basic Authentication" da denne identifikations mekanisme let kan dekrypteres. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
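Review bot: pscanrules.authenticationcredentialscaptured.soln drops the Danish translation ("Brug HTTPS, og brug en sikker identifikations mekanisme ...") in favour of the English source, while the .alert.basicauth.extrainfo and .alert.digestauth.extrainfo context lines in the same hunk remain in Danish. If this is a translation-sync reset caused by a punctuation change in the English source it is expected, but otherwise the Danish string should be retained. The .desc change in this hunk is whitespace only.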
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
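Review bot: the change to pscanrules.cookielooselyscoped.extrainfo only removes a stray space before "\n". The .desc context line in this hunk has a missing space in "domain scope.The domain scope applied", which should be fixed in the source bundle alongside the whitespace cleanup.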
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
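Review bot: removing the trailing "\t" from pscanrules.heartbleed.desc is a good catch, since a trailing tab survives into the rendered alert. While touching this string, the source wording is redundant: "allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information" states the disclosure twice; the final clause can be dropped.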
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
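Review bot: the .soln change is whitespace only. The pscanrules.infoprivateaddressdisclosure.desc context line cites "172.x.x.x" as a private range, but the linked reference (RFC 1918) only reserves 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x; the description should say that so it matches what the rule is expected to flag.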
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = "HTTP Basic" eller "Digest Authentication" er brugt over en usikker forbindelse. Identifikationsoplysningerne kan l\u00e6ses og blive genbrugt af en som har adgang til netv\u00e6rket. pscanrules.insecureauthentication.name = D\u00e5rlig Identifikations Metode pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Beskyt forbindelse vha. HTTPS eller brug en st\u00e6rkere identifikations mekanisme +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = Svaret fra f\u00f8lgende URL indeholder en ViewState v\u00e6rdi som ikke har nogen kryptografisk beskyttelse. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] er usikker +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Usikker JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Sikker ViewState med en MAC som er specifik for dit milj\u00f8 +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
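Review bot: the new values for `pscanrules.insecureauthentication.soln`, `pscanrules.insecurejsfviewstate.extrainfo` and `pscanrules.insecurejsfviewstate.soln` replace existing Danish translations with the English source strings, while the neighbouring `.desc` and `.name` keys for the same rules stay Danish, so users of this locale will now see mixed-language alerts. The dropped Danish text ("Beskyt forbindelse vha. HTTPS eller brug en st\u00e6rkere identifikations mekanisme") still matches the meaning of the new English sentence, so either restore it or remove the keys so the default bundle is used consistently instead of embedding English here. Separately, the new `soln` says "Secure VIEWSTATE" while the rule's own `.desc` and `.extrainfo` use "JSF ViewState"; align the casing in the source bundle so it propagates to every locale.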
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
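Review bot: `pscanrules.polyfillcdnscript.desc2` has a number-agreement slip, "one or more script which appear" should be "one or more scripts which appear"; since this locale file is synced from the source bundle, fix it in the default Messages.properties so the correction reaches every locale. The rest of the new polyfill block reads consistently (`desc1` and `desc2` both explain that the domains are not associated with the polyfill.js library, and `soln` points users to each library's own documentation for a known-good source).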
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
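Review bot: the `pscanrules.usercontrolledhtmlattributes.extrainfo` and `pscanrules.usercontrolledjavascriptevent.extrainfo` edits only drop stray spaces before `\n` and rejoin a value that had been split, which is fine. One thing to carry back to the source bundle: `pscanrules.usercontrolledcookie.extrainfo.post` ends its example with "https\://nottrusted.com/page?value\=maliciousInput." so the full stop sits directly after the URL and is easy to copy as part of it; moving the period or rewording the sentence would avoid that.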
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
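Review bot: removing the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` keys is only safe if the default bundle still defines them or the rule code tolerates a missing key; a lookup that misses every bundle typically raises a missing-resource error rather than returning an empty string. Please confirm the default Messages.properties keeps these keys, because the same removal is applied to `insecureformload.refs`, `insecureformpost.refs`, `usercontrolledcharset.refs` and `xpoweredbyheaderinfoleak.extrainfo` elsewhere in this diff.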
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_de_DE.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_de_DE.properties index bea2b41879a..6df217f7e0a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_de_DE.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_de_DE.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
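Review bot: every value in this Messages_de_DE hunk is English, and the `-`/`+` pairs for `anticlickjacking.compliance.malformed.setting.soln`, `compliance.meta.soln` and `incInCsp` are textually identical, so the hunk is a whitespace-only change to untranslated copies of the source strings. As long as the export keeps copying untranslated strings into the locale file, the German bundle will churn on every source edit; dropping untranslated keys here and letting the default bundle fall through would keep this file to actual translations.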
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
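Review bot: adding a trailing full stop to `pscanrules.desc` turns a one-line label ("Release status passive scan rules") into a sentence; check that the sibling add-ons' `.desc` keys were changed the same way, otherwise this one will stand out wherever the descriptions are listed together. The `csp.wildcard.otherinfo` change in the same hunk is only the removal of a space before `\n` and is fine.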
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
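Review bot: the only visible change in this hunk is dropping the trailing "\t" escape at the end of pscanrules.heartbleed.desc; the pscanrules.hashdisclosure.soln pair reads identically on both sides, so that change must be trailing whitespace. The same whitespace-only pairs recur in several later hunks of this file, which render as no-ops in a side-by-side view, so it is worth stating in the PR description that those are deliberate cleanups rather than accidental re-saves.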
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Schwache Authentisierungsmethode pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Sichere die Verbindung in dem du HTTPS oder eine andere st\u00e4rkere Authentifizierungsmethode verwendest +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs=\ pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs=\ pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = Die HTTP-Response der folgenden URL enth\u00e4lt einen ViewState-Wert, der keinen kryptografischen Schutz aufweist. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] ist sicher +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Unsichere JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
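Review bot: the two removed lines "pscanrules.insecureformload.refs=\" and "pscanrules.insecureformpost.refs=\" are the substantive fix in this hunk and deserve a mention in the description: in a Java properties file a trailing backslash continues the entry onto the next line, so each of those refs keys absorbed the following "...soln = ..." line into its own value and left the soln key undefined in this bundle. Separately, the hunk translates pscanrules.insecureauthentication.soln and pscanrules.insecurejsfviewstate.soln/.extrainfo into English but leaves the neighbouring pscanrules.insecureauthentication.name ("Schwache Authentisierungsmethode"), pscanrules.insecurejsfviewstate.desc and pscanrules.insecurejsfviewstate.name in German, so those two rules will now render half in each language; either translate the remaining lines in the same pass or leave all of them to the translation platform. The new extrainfo text also corrects the meaning of the old one, which said the ViewState "ist sicher" (is secure) for an alert that reports the opposite; that is worth calling out so translators pick it up.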
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
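Review bot: grammar in the new pscanrules.polyfillcdnscript.desc2: "one or more script which appear to include" should be "one or more scripts which appear to include" (desc1, with "script files", is fine). Also, the second entry in pscanrules.polyfillcdnscript.refs points at an x.com status URL; since refs are shown to users as the authoritative reading list, consider keeping only the sansec.io write-up or replacing the tweet with a durable reference, as social-media links tend to disappear. The newline-separated refs format itself matches the other refs entries in this file.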
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs=\ pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
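Review bot: removing "pscanrules.usercontrolledcharset.refs=\" fixes the same line-continuation problem as the earlier refs removals: the trailing backslash made "pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations..." part of the refs value and left soln undefined for this bundle, so it is more than a cosmetic cleanup. For pscanrules.usercontrolledjavascriptevent.extrainfo, the old value is shown broken across a raw line break after "manually determined."; if that break existed in the file rather than in the diff rendering, everything from "The page at the following URL" onward was being parsed as a separate (bogus) key and the alert text was truncated, which makes joining it onto one line the right fix and also worth a sentence in the description. The cookie extrainfo.get/.post pairs read identically, so those are trailing-whitespace changes.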
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo=\ pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs=\ pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
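Review bot: the two removed lines "pscanrules.xbackendserver.extrainfo=\" and "pscanrules.xbackendserver.refs=\" each swallowed the line after them because of the trailing backslash: extrainfo took "pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak" as its value (leaving name undefined), and refs took the soln line. Deleting them is correct; if an intentionally empty value is ever needed, write "key=" with nothing after it rather than "key=\". Since this "=\" pattern shows up in several rules in this file, it is worth grepping the other locale bundles for the same construct in a follow-up.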
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo=\ pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_el_GR.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_el_GR.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_el_GR.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_el_GR.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
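Review bot: pscanrules.anticlickjacking.compliance.malformed.setting.soln has an unbalanced parenthesis that survives this rewrite: the clause opening with "(if you expect the page to be framed only by pages on your server" is never closed, so the sentence ends "...you should use DENY." with the outer group still open. Since the line is being touched anyway, close it ("...you should use DENY)." or restructure without the outer parenthesis). The rest of the hunk is whitespace-only and a reorder of the meta.soln and incInCsp lines, with no wording change.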
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
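Review bot: while this block is being edited, the unchanged pscanrules.cookielooselyscoped.desc context line is missing a space in "domain scope.The domain scope applied to a cookie"; it would be cheap to fix here alongside the extrainfo whitespace change rather than in a separate pass.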
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
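Review bot: The context line for pscanrules.infoprivateaddressdisclosure.desc lists "172.x.x.x" as private address space, but RFC 1918, which is this rule's own refs entry, reserves only 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x; suggest `A private IP (such as 10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)` so the message agrees with the reference it cites. In the soln line being reformatted, "use JSP/ASP/PHP comment instead of HTML/JavaScript comment" should be plural ("comments").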
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
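Review bot: Dropping the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys changes what a lookup returns from an empty string to a missing key. If this is a localized bundle the lookup falls back to the default file, but if the same keys are also being removed from the default bundle, any rule code that still requests a refs value for these two rules will fail with a missing-resource error at runtime; please confirm the two rule classes no longer request a refs key, or that the default bundle keeps it.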
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
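Review bot: In the added pscanrules.polyfillcdnscript.desc2, "one or more script which appear to include a reference" should read "one or more scripts that appear to include a reference". Both desc1 and desc2 say the scripts come from "one of the 'polyfill' domains" without telling the user which domain matched; consider passing the matched domain as a `{0}` placeholder the way the other extrainfo strings in this file do, so the finding is actionable. The refs entry includes an x.com status URL, which is not a durable reference; the sansec.io write-up alone (or an archived copy) would be safer. Minor, in the unchanged retrievedfromcache.extrainfo.http11ageheader context line, "a HTTP/1.1 compliant caching server" should be "an HTTP/1.1 compliant caching server".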
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
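Review bot: Style point on the two unchanged desc context lines in this hunk: "A HTTP Strict Transport Security (HSTS) header was found" should be "An HTTP Strict Transport Security (HSTS) header was found" (initial vowel sound); the soln line being rewritten only drops trailing whitespace, which is fine.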
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
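Review bot: The new terminal period in pscanrules.timestampdisclosure.extrainfo (`{0}, which evaluates to\: {1}.`) lands directly after the substituted timestamp, so the rendered alert reads "..., which evaluates to: <date>." and the period can be read (or copied) as part of the value. Elsewhere in this patch `pscanrules.usernameidor.otherinfo` (`with value\: {1}`) is deliberately left without a trailing period, and `JSF ViewState [{0}] is insecure.` isolates the value in brackets; do one of those two here rather than ending the string on a bare placeholder plus period.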
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
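Review bot: The rewrite of pscanrules.usercontrolledhtmlattributes.extrainfo changes more than whitespace: `user input in\: \n\na(n)` becomes `user input in\:\na(n)`, dropping one of the two newlines, so the "a(n) [{1}] tag [{2}] attribute" line is no longer separated by a blank line like every other segment of this message (`\n\nThe user input found was`, `\n\nThe user-controlled value was`). Keep `\:\n\na(n)` and remove only the stray space. Separately, the usercontrolledjavascriptevent.extrainfo line being rewritten still reads "User-controlled javascript event(s) was found" (should be "were found") and mixes "javascript" and "Javascript" in one string while the rule name uses "JavaScript"; pick the latter throughout.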
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
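Review bot: pscanrules.usernameidor.otherinfo keeps "The hash was an {0}" after the whitespace cleanup, but the indefinite article depends on what is substituted ("an MD5" works, "an SHA-256" does not); reword to avoid the article, e.g. `The hash type was {0}, with value\: {1}`.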
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
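Review bot: Removing the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` keys turns an empty-string lookup into a missing key; confirm the X-Backend-Server rule no longer requests extrainfo or refs, or that the default bundle still defines them, otherwise building the alert will fail with a missing-resource error at runtime rather than showing an empty field.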
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_es_ES.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_es_ES.properties index fd4a6381563..717bbbdcf36 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_es_ES.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_es_ES.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = Una cabecera X-Frame-Option est\u00e1 presente en la repuesta pero su valor configurado no es correcto. pscanrules.anticlickjacking.compliance.malformed.setting.name = Configuraci\u00f3n X-Frame-Options mal formada pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Aseg\u00farese de que se utilice una configuraci\u00f3n v\u00e1lida en todas las p\u00e1ginas web devueltas por su sitio (si espera que la p\u00e1gina est\u00e9 enmarcada solo por p\u00e1ginas en su servidor (por ejemplo, es parte de un FRAMESET), querr\u00e1 usar SAMEORIGIN; de lo contrario, si nunca espera que la p\u00e1gina est\u00e9 enmarcada, debe usar DENY. Alternativamente, considere implementar la directiva "frame-ancestors" de la pol\u00edtica de seguridad de contenido (CSP). +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = Se encontr\u00f3 una etiqueta META de X-Frame-Options (XFO), la especificaci\u00f3n (RFC 7034) no admite expl\u00edcitamente la definici\u00f3n de XFO a trav\u00e9s de una etiqueta META. 
pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options definidaas a trav\u00e9s de META (No conformes con las especificaciones) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Aseg\u00farese de que X-Frame-Options est\u00e9 configurado a trav\u00e9s de un campo de encabezado de respuesta. Alternativamente, considere implementar la directiva "frame-ancestors" en la pol\u00edtica CSP (Content Security Policy). -pscanrules.anticlickjacking.incInCsp = La pol\u00edtica de seguridad de contenido (CSP) incluye el elemento ''frame-ancestors'''' que tiene prioridad sobre la cabecera X-Frame-Options, por lo que se ha planteado con un riesgo BAJO. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = La respuesta no incluye Content-Security-Policy con la directiva 'frame-ancestors' ni X-Frame-Options para proteger contra ataques de 'ClickJacking'. pscanrules.anticlickjacking.missing.name = Falta de cabecera Anti-Clickjacking pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
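Review bot: This hunk replaces three Spanish translations (anticlickjacking.compliance.malformed.setting.soln, anticlickjacking.compliance.meta.soln and anticlickjacking.incInCsp) with the English source strings while the surrounding keys stay in Spanish, so es_ES users regress to a mixed-language bundle; if the translation export dropped these because the source string changed, re-import the existing Spanish wording instead of shipping English. Two points on the replacement text itself: the new malformed.setting.soln opens a parenthesis at "(if you expect the page to be framed" that is never closed, and incInCsp goes from `''frame-ancestors''''` to `'frame-ancestors'`, which only renders the quotes if the key is never passed through MessageFormat (where a single quote begins a literal section and is consumed); confirm which lookup path this key uses and write `''frame-ancestors''` if it is formatted.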
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Revisar el c\u00f3digo de fuente de esta p\u pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] utiliza el mecanismo de autenticaci\u00f3n inseguro [{2}], revelando el nombre de usuario [{3}] y contrase\u00f1a [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] utiliza el mecanismo de autenticaci\u00f3n inseguro [{2}], revelando el nombre de usuario [{3}] e informaci\u00f3n adicional [{4}]. -pscanrules.authenticationcredentialscaptured.desc = Se est\u00e1 utilizando un mecanismo de autenticaci\u00f3n no seguro. Esto permite que un atacante en la red acceda al ID de usuario y la contrase\u00f1a del usuario autenticado. Para la autenticaci\u00f3n b\u00e1sica, el atacante simplemente debe monitorizar el tr\u00e1fico de la red hasta que se reciba una solicitud de autenticaci\u00f3n b\u00e1sica y luego decodificar en base64 el nombre de usuario y la contrase\u00f1a. Para la autenticaci\u00f3n Digest, el atacante tiene acceso al nombre de usuario y posiblemente tambi\u00e9n a la contrase\u00f1a, si el hash (incluido un nonce) se puede descifrar con \u00e9xito o si se monta un ataque Man-In-The-Middle.\nEl atacante escucha a escondidas la red hasta que se completa una autenticaci\u00f3n. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Credenciales de autenticaci\u00f3n capturadas pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Utilice HTTPS y un mecanismo de autenticaci\u00f3n segura que no transmita el ID de usuario o la contrase\u00f1a sin cifrarlos. En particular, evite el uso del mecanismo HTTP de autenticaci\u00f3n b\u00e1sica ya que este utiliza un mecanismo de ofuscaci\u00f3n trivial, que se rompe f\u00e1cilmente. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = El servidor ha respondido con una redirecci\u00f3n que parece proporcionar una respuesta larga. Esto puede indicar que aunque el servidor envi\u00f3 una redirecci\u00f3n, tambi\u00e9n respondi\u00f3 con el contenido del cuerpo (que puede incluir detalles confidenciales, PII, etc.). pscanrules.bigredirects.extrainfo = Longitud del URI de la cabecera Location\: {0} [{1}].\nTama\u00f1o de respuesta previsto\: {2}.\nLongitud del cuerpo de respuesta\: {3}. 
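Review bot: both changed lines in this hunk replace a complete and faithful Spanish translation with the English source text (`authenticationcredentialscaptured.desc` and `.soln`); the removed Spanish desc already carried the full Basic/Digest explanation including the `\nEl atacante escucha a escondidas ...` trailer. If this PR is a translation-platform sync, confirm that these strings were genuinely un-approved upstream rather than reset by the tooling, because Spanish users see these alert texts regress to English. The same pattern recurs through the file (`cookielooselyscoped.extrainfo`, `crossdomain.desc`, `hashdisclosure.soln`, `heartbleed.desc`, `insecureauthentication.soln`, `insecurejsfviewstate.*`, `retrievedfromcache.soln`, `timestampdisclosure.*`), so one answer covers all of them.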
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Las Cookies pueden ser delimitadas por dominio o ruta. Esta comprobaci\u00f3n solo se considera con \u00e1mbito de dominio. El \u00e1mbito de dominio aplicado a una cookie determina cuales dominios lo pueden acceder. Por ejemplo, una cookie puede ser delimitada estrictamente a un subdominio por ejemplo, www.nottrusted.com, o libremente delimitada a un dominio padre por ejemplo, nottrusted.com. En el \u00faltimo caso, cualquier subdominio de nottrusted.com puede acceder a la cookie. Las cookies libremente delimitadas son comunes en mega-aplicaciones como google.com y live.com. las cookies establecidas desde un subdominio como app.foo.bar son transmitidas solo al dominio del navegador. Sin embargo, las cookies delimitadas a un dominio de nivel de padre podr\u00eda ser transmitida al padre, o cualquier subdominio del padre. -pscanrules.cookielooselyscoped.extrainfo = El dominio de origen usado para comparaciones era\:\n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Amplia gama de Cookies pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Descargas de datos del navegador web podr\u00eda ser posible, debido a una desconfiguraci\u00f3n del intercambio de recursos cruzados de origen (CORS) en el servidor web +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = La desconfiguraci\u00f3n CORS en el servidor web permite a dominios cruzados leer peticiones de dominios de terceros arbitrariamente, usando APIs sin autenticaci\u00f3n en este dominio. Las implementaciones de navegador web no permiten a terceros arbitrarios leer la respuesta de APIs autenticados, de todas formas. Esto reduce el riesgo de alguna forma. Esta desconfiguraci\u00f3n podr\u00eda ser usada por un atacante para acceder a datos que est\u00e1 disponible en una manera sin autenticaci\u00f3n, pero que usa otra forma de seguridad, tal como la direcci\u00f3n IP lista-blanca. pscanrules.crossdomain.name = Configuraci\u00f3n Incorrecta Cross-Domain pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Estado de versiones de las reglas pasivas +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
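Review bot: `pscanrules.desc` is the add-on's own description string, so changing it from `Estado de versiones de las reglas pasivas` to `Release status passive scan rules.` alters what Spanish-locale users see in the add-on list, not just an alert detail; worth a second look that this reset is intended. The `csp.wildcard.otherinfo` change is good: dropping the space before `\n` removes a trailing space from the first rendered line.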
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = El servidor web revel\u00f3 un hash. pscanrules.hashdisclosure.name = Divulgaci\u00f3n de hash pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Aseg\u00farese de que el servidor web o la base de datos no revele los hashes que se utilizan para proteger las credenciales u otros recursos. Por lo general, no existe ning\u00fan requisito para que los hashes de contrase\u00f1as sean accesibles para el navegador web. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = Las implementaciones de TLS y DTLS en OpenSSL 1.0.1 antes de 1.0.1g no gestionan correctamente los paquetes de Heartbeat Extension, lo que permite a los atacantes remotos obtener informaci\u00f3n confidencial de la memoria del proceso a trav\u00e9s de paquetes manipulados que provocan una sobrelectura del b\u00fafer, lo que podr\u00eda revelar informaci\u00f3n confidencial. +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} est\u00e1 en uso. Sin embargo, tenga en cuenta que la versi\u00f3n informada podr\u00eda contener correcciones de seguridad antiguas (back-ported) , por lo que el problema podr\u00eda ser un falso positivo. Esto es com\u00fan en Red Hat, por ejemplo. 
pscanrules.heartbleed.name = Vulnerabilidad de OpenSSL de Heartbleed (indicativo) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 @@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Actualice a OpenSSL 1.0.1g o superior. Vuelva a emi pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = La respuesta parec\u00eda contener mensajes de errores comunes devueltos por plataformas como ASP.NET, y los servidores web tales como ISS y Apache. Usted puede configurar la lista de mensajes comunes de depuraci\u00f3n. pscanrules.informationdisclosuredebugerrors.name = Divulgaci\u00f3n de informaci\u00f3n - Mensajes de error de depuraci\u00f3n 
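Review bot: in the `@@ -163,7 +163,7 @@` hunk the removed and added `infoprivateaddressdisclosure.soln` lines are textually identical as shown, so the change is whitespace only (most likely a trailing or doubled space). The same invisible change appears for `stricttransportsecurity.compliance.malformed.content.soln`, `usercontrolledcookie.extrainfo.get` and `.post`, `usernameidor.otherinfo`, `usernameidor.soln` and `retrievedfromcache.desc`. Harmless, but if the sync tool is normalising whitespace it would be cleaner to land that in one dedicated commit so reviewers can tell content changes from noise.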
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Divulgaci\u00f3n de Informaci\u00f3 pscanrules.informationdisclosureinurl.otherinfo.cc = El URL aparente contener informaci\u00f3n de tarjetas de cr\u00e9dito. pscanrules.informationdisclosureinurl.otherinfo.email = El URL contiene direcci\u00f3n(es) de correo electr\u00f3nico. pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = La URL contiene informaci\u00f3n potencialmente confidencial. Se encontr\u00f3 la siguiente cadena a trav\u00e9s del patr\u00f3n\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = El URL parece contener N\u00famero(s) de Seguridad Social de Estados Unidos +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = No pase informaci\u00f3n sensible en URIs. pscanrules.informationdisclosurereferrer.bin.field = N\u00famero de identificaci\u00f3n bancaria\: 
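Review bot: the new `informationdisclosureinurl.otherinfo.ssn` line is fine, but the unchanged context directly above it has two Spanish wording problems worth a follow-up: `otherinfo.cc = El URL aparente contener informaci\u00f3n de tarjetas de cr\u00e9dito.` is ungrammatical (`La URL parece contener ...`), and the `otherinfo.*` lines alternate between `El URL` and `La URL`; the `.sensitiveinfo` line already uses `La URL`, so align the others with it.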
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = M\u00e9todo HTTP de autenticaci\u00f3n b\u00e1sica o por compendio (hash) ha sido utilizado sobre una conexi\u00f3n no segura. Las credenciales pueden ser le\u00eddas y luego reutilizadas por alguien con acceso a la red. pscanrules.insecureauthentication.name = M\u00e9todo de autenticaci\u00f3n d\u00e9bil pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protege la conexi\u00f3n usando el protocolo HTTPS o alg\u00fan mecanismo de autenticaci\u00f3n fuerte +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs=[cadena vac\u00eda] pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs=[cadena vac\u00eda] pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = La respuesta a la siguiente direcci\u00f3n URL contiene un valor ViewState que no posee ninguna protecci\u00f3n criptogr\u00e1fica. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] es inseguro +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = JSF ViewState inseguro pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = VIEWSTATE seguro utilizando un MAC espec\u00edfico a tu entorno +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
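Review bot: removing `pscanrules.insecureformload.refs=[cadena vac\u00eda]` and `pscanrules.insecureformpost.refs=[cadena vac\u00eda]` is a real fix, not a cosmetic one: a key that is present with the literal placeholder would be shown to the user as a reference reading "[cadena vacía]", whereas a key that is absent from the locale bundle falls back to the default bundle's value through the ResourceBundle parent chain. The `key=value` spelling without spaces on these lines (versus `key = value` everywhere else) marks them as tool-generated, which supports deleting them. The same reasoning covers the later removals of `usercontrolledcharset.refs`, `xbackendserver.extrainfo`, `xbackendserver.refs` and `xpoweredbyheaderinfoleak.extrainfo`.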
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Editor\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validar que la respuesta no contenga informaci\u00f3n sensible, personal o espec\u00edfica del usuario. Si es as\u00ed, considere el uso de los siguientes encabezados de respuesta HTTP para limitar o evitar que otro usuario almacene y recupere el contenido de la memoria cach\u00e9\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nEsta configuraci\u00f3n indica a los servidores de almacenamiento en cach\u00e9 compatibles con HTTP 1.0 y HTTP 1.1 que no almacenen la respuesta y que no recuperen la respuesta (sin validaci\u00f3n) del cach\u00e9, en respuesta a una solicitud similar. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
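Review bot: the five new `polyfillcdnscript.*` keys are English source strings landing untranslated in this locale file, which is expected for a new rule, but two issues carry over from the source: `desc2` reads `one or more script which appear` (should be `scripts which appear`), and `refs` cites an `x.com/triblondon/status/...` post alongside the Sansec write-up; a social-media status is a fragile permanent reference, so consider keeping the durable source only or adding an archived copy. Both fixes belong in the default bundle, not here. The lone `+` blank line between `polyfillcdnscript.soln` and `retrievedfromcache.desc` is the only blank line in the portions shown; drop it for consistency. For `retrievedfromcache.soln`, the headers in the English text (`Cache-Control\: no-cache, no-store, must-revalidate, private`, `Pragma\: no-cache`, `Expires\: 0`) match the removed Spanish line, so nothing beyond the translation itself is lost in the reset.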
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Cabecera Strict-Transport-Security Content Mal formado (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = Se encontr\u00f3 una cabecera HTTP Strict Transport Security (HSTS), pero contiene comillas que preceden a la directiva de edad m\u00e1xima (el valor de edad m\u00e1xima se puede citar, pero la directiva en s\u00ed no). Consulte RFC 6797 para obtener m\u00e1s detalles.\nHTTP Strict Transport Security (HSTS) es un mecanismo de pol\u00edtica de seguridad web mediante el cual un servidor web declara que los agentes de usuario que cumplen (como un navegador web) deben interactuar con \u00e9l utilizando s\u00f3lo conexiones HTTPS seguras (es decir, HTTP en capas sobre TLS/SSL). 
pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Cabecera Strict-Transport-Security Max-Age Mal formado (No cumple con las especificaciones) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 @@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = Una marca de tiempo ha sido divulgada por el servidor de la aplicaci\u00f3n/el navegador -pscanrules.timestampdisclosure.extrainfo = {0}, que eval\u00faa a\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Divulgaci\u00f3n de la marca de hora pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Confirmar manualmente que los datos de marca de hora no son sensibles, y que los datos no pueden ser agregados a patrones explotables de divulgaci\u00f3n. 
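Review bot: in the `@@ -314,8 +318,8 @@` hunk, `timestampdisclosure.extrainfo` gains a trailing period after the interpolated value: `{0}, which evaluates to\: {1}.` Since `{1}` is the decoded timestamp, the rendered text ends with the timestamp immediately followed by a period, which is easily read as part of the value when the alert text is copied; check that the default bundle uses the same form so the locales stay aligned. Drive-by on the context in the `@@ -283,7 +287,7 @@` hunk: `stricttransportsecurity.compliance.malformed.content.name = Cabecera Strict-Transport-Security Content Mal formado (Non-compliant with Spec)` is half translated (the sibling `max.age.malformed.name` renders the same suffix as `(No cumple con las especificaciones)`), and `Mal formado` should agree with `Cabecera` as `mal formada`.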
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Confirmar manualmente que los datos de mar pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = Juego de caracteres controlado por el usuario -pscanrules.usercontrolledcharset.refs=[cadena vac\u00eda] pscanrules.usercontrolledcharset.soln = Fuerza UTF-8 en todas las declaraciones de conjuntos de caracteres. Si se requiere la entrada del usuario para decidir una declaraci\u00f3n de juego de caracteres, aseg\u00farese de que s\u00f3lo se use una lista permitida. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Envenenamiento de Cookie pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
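Review bot: the `usercontrolledhtmlattributes.extrainfo` change does more than trim whitespace: the old `in\: \n\na(n) [{1}] tag [{2}] attribute \n\n` becomes `in\:\na(n) [{1}] tag [{2}] attribute\n\n`, so the blank line between "appears to include user input in:" and the tag/attribute line disappears while the blank lines around the other sections remain. If that is deliberate, make sure the default bundle and the other locales match; if not, keep `\n\n`. In the same hunk `usercontrolledjavascriptevent.extrainfo` keeps two source-text issues to fix in the default bundle: `event(s) was found` (plural subject, singular verb) and the inconsistent capitalisation `javascript event(s)` versus `Javascript event`. Removing `usercontrolledcharset.refs=[cadena vac\u00eda]` is correct for the same reason as the other placeholder removals: an absent key falls back to the default bundle, a placeholder value would be displayed.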
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = Un hash de un nombre usuario ({0}) fue encontrado en la respuesta. Esto podr\u00eda indicar que la aplicaci\u00f3n esta sujeta a una vulnerabilidad Insecure Direct Object Reference (IDOR). Pruebas manuales ser\u00e1n requeridas para ver si este descubrimiento puede ser abusado. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = Los siguientes correos electr\u00f3nicos fueron encontrados siendo enumerados por serie en el campo de Viewstate\: pscanrules.viewstate.content.email.name = Se han encontrado correos electr\u00f3nicos en el Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo=[cadena vac\u00eda] pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs=[cadena vac\u00eda] pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
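Review bot: the two removed lines `pscanrules.xbackendserver.extrainfo=[cadena vac\u00eda]` and `pscanrules.xbackendserver.refs=[cadena vac\u00eda]` are translation-export placeholders ("[empty string]"), not translations, and would have been displayed verbatim as the alert's Other Info and Reference text in the Spanish UI, so deleting them is the right fix. Because the keys are now absent from this bundle rather than empty, the lookup falls through to the parent (default) Messages.properties; please confirm both keys exist there, or that the rule tolerates a missing key, so the Spanish locale does not hit a MissingResourceException where the English one does not.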
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://Symfony.com/doc/Current/Cookbook/Profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = El servidor de la web/aplicaci\u00f3n est\u00e1 divulgando informaci\u00f3n mediante uno o m\u00e1s encabezados de respuesta HTTP ''''X-Powered-By''''. El acceso a tal informaci\u00f3n podr\u00eda facilitarle a los atacantes la identificaci\u00f3n de otros marcos/componentes de los que su aplicaci\u00f3n web depende y las vulnerabilidades a las que pueden estar sujetos tales componentes. -pscanrules.xpoweredbyheaderinfoleak.extrainfo=[cadena vac\u00eda] pscanrules.xpoweredbyheaderinfoleak.name = El servidor divulga informaci\u00f3n mediante un campo(s) de encabezado de respuesta HTTP ''''X-Powered-By'''' pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = Los siguientes encabezados X-Powered-By tambi\u00e9n han sido encontrados\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fa_IR.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fa_IR.properties index 8ad329f1be7..51bdf131b3d 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fa_IR.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fa_IR.properties 
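Review bot: the unchanged `.desc` and `.name` lines in this hunk wrap the header name in four single quotes (`''''X-Powered-By''''`). Under MessageFormat `''` is a single literal quote, so this renders as `''X-Powered-By''`; if the string is not passed through MessageFormat all four quotes appear. Either way it is a translation-side typo (two quotes, `''X-Powered-By''`, would give the intended 'X-Powered-By') and should be corrected on the translation platform, since a hand edit in an exported file would be lost on the next sync. The removal of the `[cadena vac\u00eda]` placeholder for `.extrainfo` is correct, with the same caveat that the default bundle must carry the key.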
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}][{1}] \u0627\u0632 \u0645\u06a9\u0627\u0646\u06cc\u0632\u0645 \u0627\u062d\u0631\u0627\u0632 \u0647\u0648\u06cc\u062a \u0646\u0627 \u0627\u0645\u0646 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0645\u06cc\u06a9\u0646\u062f [{2}]\u060c \u0646\u0627\u0645 \u06a9\u0627\u0631\u0628\u0631\u06cc [{3}] \u0648 \u0631\u0645\u0632 \u0639\u0628\u0648\u0631 [{4}] \u0631\u0627 \u0622\u0634\u06a9\u0627\u0631 \u0645\u06cc\u06a9\u0646\u062f. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}][{1}] \u0627\u0632 \u0645\u06a9\u0627\u0646\u06cc\u0632\u0645 \u0627\u062d\u0631\u0627\u0632 \u0647\u0648\u06cc\u062a \u0646\u0627 \u0627\u0645\u0646 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0645\u06cc\u06a9\u0646\u062f [{2}]\u060c \u0646\u0627\u0645 \u06a9\u0627\u0631\u0628\u0631\u06cc [{3}] \u0648 \u0627\u0637\u0644\u0627\u0639\u0627\u062a \u0627\u0636\u0627\u0641\u06cc \u062f\u06cc\u06af\u0631 [{4}] \u0631\u0627 \u0622\u0634\u06a9\u0627\u0631 \u0645\u06cc\u06a9\u0646\u062f. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. 
This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = \u0627\u0632 HTTPS \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u06a9\u0646\u06cc\u062f \u0648 \u0627\u0632 \u06cc\u06a9 \u0645\u06a9\u0627\u0646\u06cc\u0632\u0645 \u0627\u062d\u0631\u0627\u0632 \u0647\u0648\u06cc\u062a \u0627\u0645\u0646 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u06a9\u0646\u06cc\u062f \u06a9\u0647 \u0646\u0627\u0645 \u06a9\u0627\u0631\u0628\u0631\u06cc \u0648 \u0631\u0645\u0632 \u0639\u0628\u0648\u0631 \u0631\u0627 \u0628\u0635\u0648\u0631\u062a \u0631\u0645\u0632 \u06af\u0630\u0627\u0631\u06cc \u0646\u0634\u062f\u0647 \u0627\u0646\u062a\u0642\u0627\u0644 \u0646\u062f\u0647\u062f. 
\u0628\u0647 \u0637\u0648\u0631 \u0645\u0634\u062e\u0635\u060c \u0627\u0632 \u0627\u0633\u062a\u0641\u0627\u062f\u0647 \u0627\u0632 \u0645\u06a9\u0627\u0646\u06cc\u0632\u0645 Basic Authentication \u062e\u0648\u062f\u062f\u0627\u0631\u06cc \u06a9\u0646\u06cc\u062f\u060c \u0686\u0631\u0627 \u06a9\u0647 \u0627\u06cc\u0646 \u0645\u06a9\u0627\u0646\u06cc\u0632\u0645 \u062f\u0631\u0647\u0645 \u0633\u0627\u0632\u06cc \u0645\u0642\u062f\u0645\u0627\u062a\u06cc \u0628\u0647 \u0631\u0627\u062d\u062a\u06cc \u0634\u06a9\u0633\u062a\u0647 \u0645\u06cc\u0634\u0648\u062f. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
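Review bot: this hunk replaces a translation rather than tidying whitespace: the removed `pscanrules.authenticationcredentialscaptured.soln` value is Persian, and the added value is the English source text ("Use HTTPS, and use a secure authentication mechanism ..."). The `.desc` change in the same hunk is whitespace-only, which suggests the source string was merely re-whitespaced upstream and the export invalidated the existing translation. Please check the translation platform and restore the Persian string if it is still approved there; otherwise Persian users lose the only localized remediation text in this block.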
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = \u067e\u06cc\u06a9\u0631\u0628\u0646\u062f\u06cc \u0646\u0627\u062f\u0631\u0633\u062a Cross-Domain pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
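Review bot: the whitespace fix is fine, but the unchanged `pscanrules.infoprivateaddressdisclosure.desc` line in this hunk lists `172.x.x.x` as a private range, while RFC 1918 (the rule's own reference on the following line) reserves only 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x. That wording comes from the source bundle, so it should be corrected in the English Messages.properties and re-exported rather than edited here; noting it so the follow-up is not lost.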
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
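Review bot: the removed `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` lines had empty values, so before this change the Persian bundle answered those lookups with an empty string; after it, the lookup falls through to the default bundle. Please verify that the default Messages.properties defines both keys (empty or otherwise), or that the rules' reference accessor handles a missing key, because `ResourceBundle.getString` throws MissingResourceException when no bundle in the chain has the key. If the intent is "no references", the empty value belongs in the default bundle so every locale behaves the same way.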
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
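Review bot: the new `pscanrules.polyfillcdnscript.*` keys land in the Persian bundle in English, which is the expected state for strings not yet translated and is not an objection. Two points for the source bundle rather than this file: `desc2` reads "one or more script which appear" (should be "scripts which appear"), and `desc1`/`desc2` state in the present tense that the polyfill domains "are known to serve malicious content", so the sansec write-up in `.refs` should stay as the citation backing that claim. The `retrievedfromcache.soln` change in the same hunk is whitespace-only; the recommended headers (`Cache-Control: no-cache, no-store, must-revalidate, private`, `Pragma: no-cache`, `Expires: 0`) are unchanged.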
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
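Review bot: in the `pscanrules.usercontrolledhtmlattributes.extrainfo` rewrite the break before `a(n) [{1}] tag [{2}] attribute` shrinks from `\n\n` to `\n`, while every other paragraph separator in that message, and the parallel `usercontrolledjavascriptevent.extrainfo` change in the same hunk, keeps `\n\n`; if the goal was only to strip the stray trailing spaces, restore the double newline. Removing the empty `pscanrules.usercontrolledcharset.refs=` key also changes behaviour slightly: the lookup now falls through to the base bundle, so the alert's references field can go from empty to whatever the base file defines, which deserves a line in the commit message. The `.extrainfo.get`/`.extrainfo.post` pairs show no visible wording change and are presumably whitespace-only.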
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
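Review bot: both changed lines in this hunk, `pscanrules.usernameidor.otherinfo` and `pscanrules.usernameidor.soln`, read identically before and after, so the change is whitespace-only (trailing spaces, most likely); fine to land, but state that in the commit message so reviewers know no wording moved.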
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fil_PH.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fil_PH.properties index 05aec5850b1..23dd786df90 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fil_PH.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fil_PH.properties 
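Review bot: this hunk drops another empty override, `pscanrules.xpoweredbyheaderinfoleak.extrainfo=`, following the `xbackendserver.extrainfo=`/`.refs=` removals just above; the effect is a fallback to the base bundle for those keys, which is right only if the base values are what the alert should display. More broadly, since this series hand-edits locale bundles (and the `Messages_fil_PH.properties` file that starts here), confirm that editing the localized files directly is the intended workflow rather than fixing the source strings and regenerating the translations, otherwise these deletions are undone on the next export.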
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
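Review bot: the `+` versions of `compliance.malformed.setting.soln`, `compliance.meta.soln` and `incInCsp` are word-for-word identical to the `-` lines, so this hunk is whitespace-only; while touching `compliance.malformed.setting.soln`, note the parenthesis opened at `(if you expect the page to be framed only by pages on your server` is never closed, so either end the sentence with `… you should use DENY).` or drop the opening paren.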
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] gumagamit ng insecure authentication mechanism [{2}], inilalantad ang username [{3}] at password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] gumagamit ng insecure authentication mechanism [{2}], inilalantad ang username [{3}] at karagdagang impormasyon [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Nakuha ang mga Kredensyal ng Pagkakakilanlan pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Gumamit ng HTTPS, at gumamit ng secure na mekanismo ng pagpapatunay na hindi nagpapadala ng userid o password sa isang naka-naka-encrypt na paraan. Sa partikular, iwasan ang paggamit ng mekanismo ng Basic Authentication, dahil ang napakaliit na mekanismo ng pagkapaso na ito ay madaling sira. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
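Review bot: `pscanrules.authenticationcredentialscaptured.soln` switches from Filipino to English while `.name = Nakuha ang mga Kredensyal ng Pagkakakilanlan` and both `.extrainfo` lines stay Filipino, so the rendered alert becomes bilingual. If the translation was reset because the source changed, prefer deleting the key from this file so the fallback to the base bundle is explicit, rather than storing a duplicate English copy that will look translated to anyone scanning the bundle. The `.desc` pair shows no visible change and is whitespace-only.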
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Ang mga cookie ay maaaring ma-scoped ng domain o landas. Ang tseke na ito ay nag-aalala lamang sa sakop ng domain. Ang saklaw ng domain na inilapat sa isang cookie ay tumutukoy kung aling mga domain ang maaaring ma-access ito. Halimbawa, ang isang cookie ay mahigpit na ma-scoped sa isang subdomain hal. Halimbawa. www.nottrusted.com, o maluwag na naka-iskop sa isang domain ng magulang e.g. nottrusted.com. Sa huling kaso, ang anumang subdomain ng nottrusted.com ay maaaring ma-access ang cookie. Ang maluwag na scoped cookies ay karaniwang sa mega-mga application tulad ng google.com at live.com. Ang mga cookie na itinakda mula sa isang subdomain tulad ng app.foo.bar ay ipinapadala lamang sa domain na iyon ng browser. Gayunpaman, ang mga cookies na may scoped sa isang domain sa antas ng magulang ay maaaring ipadala sa magulang, o anumang subdomain ng magulang. -pscanrules.cookielooselyscoped.extrainfo = Ang orihinal na domain na ginamit sa paghahambing ay\:\n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0} \n pscanrules.cookielooselyscoped.name = Maluwag na Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
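Review bot: `pscanrules.cookielooselyscoped.extrainfo` becomes English (`The origin domain used for comparison was\:\n{0}\n{1}`) while `.desc` and `.name = Maluwag na Scoped Cookie` remain Filipino, giving the same mixed-language alert as the other fil_PH hunks; the placeholders are unchanged, so if the Filipino wording was acceptable keep it, otherwise drop the key and let the base bundle supply the string.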
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Maaaring posible ang pag-load ng data ng browser ng web, dahil sa misconfiguration ng Cross Origin Resource Sharing (CORS) sa web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = Pinapayagan ng maling pag-configure ng CORS sa web server ang mga hiling na cross-domain na nabasa mula sa mga arbitrary na mga domain ng ikatlong partido, gamit ang mga hindi awtorisadong API sa domain na ito. Gayunpaman, hindi pinapahintulutan ng mga pagpapatupad ng web browser ang mga arbitrary na third party na basahin ang tugon mula sa napatotohanan na mga API. Binabawasan nito ang panganib. Ang misconfiguration na ito ay maaaring gamitin ng isang magsasalakay upang ma-access ang data na magagamit sa isang unauthenticated paraan, ngunit na gumagamit ng ilang iba pang paraan ng seguridad, tulad ng IP address white-listing. pscanrules.crossdomain.name = Pag-configure ng Cross-Domain pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
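Review bot: `pscanrules.crossdomain.desc` is now English, but `pscanrules.crossdomain.extrainfo` and `.name = Pag-configure ng Cross-Domain` stay Filipino, so the CORS misconfiguration alert shows an English description above Filipino details. Either reset all three strings together or remove this key and rely on the base bundle.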
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
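Review bot: removing the stray `\t` at the end of `pscanrules.heartbleed.desc` is a real fix, since a literal tab would have been rendered in the alert text; the `hashdisclosure.soln` pair is whitespace-only. While here, the Heartbleed description says both `obtain sensitive information` and `potentially disclosing sensitive information` in one sentence; dropping the trailing clause would read better.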
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = I-update sa OpenSSL 1.0.1g o mas bago. Muling na-is pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = Ang sagot ay nag pakita na naglalaman ng karaniwang mga mensahe ng mali na ibinalik ng mga platform tulad ng ASP.NET, at Web-server tulad ng IIS at Apache. Maaari mong i-ayos ang listahan ng mga karaniwang mga mensahe ng debug. pscanrules.informationdisclosuredebugerrors.name = Pagbubunyag ng impormasyon - pag debug ng mali sa mga mensahe 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = Ang URL ay lilitaw na nalalaman ng mga inpormasyon sa credit card. pscanrules.informationdisclosureinurl.otherinfo.email = Ang URL ay naglalaman ng mga email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = Lumilitaw ang URL na naglalaman ng (mga) Numero ng Social Security ng US +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Huwag ipasa ang sensitibong impormasyon sa URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
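Review bot: `pscanrules.informationdisclosureinurl.otherinfo.ssn` moves to English while its siblings `.otherinfo.cc`, `.otherinfo.email` and `.soln = Huwag ipasa ang sensitibong impormasyon sa URIs.` keep Filipino, so one of four strings in the same rule changes language; reset them consistently or drop this key and let the base bundle provide it.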
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = Ang pangunahing HTTP o digest authentication ay ginamit sa isang hindi ligtas na koneksyon. Ang mga kredensyal ay maaaring basahin at pagkatapos ay magamit muli ng isang taong may access sa network. pscanrules.insecureauthentication.name = Mahinang Paraan ng Pagpapatunay pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protektahan ang koneksyon gamit ang HTTPS o gumamit ng mas malakas na mekanismo ng pagpapatunay +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = Ang sagot sa mga sumusunod na URL ay naglalaman ng isang ViewState na halaga na walang cryptographic proteksiyon. -pscanrules.insecurejsfviewstate.extrainfo = SF ViewState [{0}] ay hindi matatag +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Hindi matatag na mga JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Siguruhin ang VIEWSTATE na may partikular na MAC sa iyong kapaligiran +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
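Review bot: the `SF ViewState` to `JSF ViewState` correction in `pscanrules.insecurejsfviewstate.extrainfo` is right, but that line, `insecurejsfviewstate.soln` and `insecureauthentication.soln` now carry English while `.desc` and `.name = Hindi matatag na mga JSF ViewState` remain Filipino. In `insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment.` the upper-case `VIEWSTATE` is inconsistent with `JSF ViewState` in the sibling keys; use `ViewState`. Dropping the empty `insecureformload.refs=`/`insecureformpost.refs=` overrides is fine given the fallback to the base bundle.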
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Ang taga issue\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
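Review bot: the new `pscanrules.polyfillcdnscript.desc2` value has a number-agreement error ("one or more script which appear" should be "one or more scripts which appear"); since this is a locale file, fix it in the English source bundle so every locale picks it up rather than patching it here. Two smaller points in the same hunk: the blank line inserted between `pscanrules.polyfillcdnscript.soln` and the re-added `pscanrules.retrievedfromcache.desc` is not used anywhere else in this hunk, so either drop it or confirm the source file groups keys that way, and the `.refs` value lists an x.com status URL after the sansec.io write-up, which is a fragile reference for an alert; keep the vendor research link first and consider whether the social post needs to ship at all.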
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = Ang isang timestamp ay isiwalat ng application / web server -pscanrules.timestampdisclosure.extrainfo = {0}, na sinusuri sa\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Ang pagbubunyag ng Timestamp pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Isa isahing kumpirmahin ang datod ng timestamp ay hindi sensitibo, at ang data ay hindi maaaring pagsamahin upang ibunyag ang mga magagamit na mga pattern. 
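Review bot: this hunk replaces the Filipino `pscanrules.timestampdisclosure.desc` and `.extrainfo` with the English source strings while `.name` and `.soln` on the following context lines stay in Filipino, so the alert will render half in each language. If this is a translation-platform sync that resets strings whose English source changed, that is expected, but say so in the commit message and make sure the reset keys are queued for re-translation rather than landing as final text.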
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Isa isahing kumpirmahin ang datod ng times pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
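Review bot: dropping the empty `pscanrules.usercontrolledcharset.refs=` key is the right fix; with standard ResourceBundle lookup a key present in the locale file, even with an empty value, shadows the parent bundle, so the empty entry was replacing the reference URL with an empty string instead of falling through to it. Please check the same empty keys are gone from every other locale file in the PR. The `-`/`+` pairs for `usercontrolledcookie.extrainfo.get`, `.extrainfo.post`, `usercontrolledhtmlattributes.extrainfo` and `usercontrolledjavascriptevent.extrainfo` differ only in whitespace (trailing spaces, a space before `\n`), which is worth a line in the commit message so reviewers are not hunting for a content change.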
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = Ang username ng hash ({0}) ay natagpuan ang kasagutan. maaari itong magpahiwatig na ang application ay napapailalim sa isang Insecure Direct Object Reference (IDOR) kahinaan. Kinakailangan ang manu-manong pagsusuri upang makita kung ang pagtuklas na ito ay maaaring abusuhin. pscanrules.usernameidor.name = Ang username ng hash ay natagpuan -pscanrules.usernameidor.otherinfo = Ang hash ay isang {0}, na may halaga\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Gamitin ang bawat taga-gamit o hindi direktang sanggunian ng session (lgumawa ng isang pansamantalang pagma-map sa oras ng paggamit). O kaya, tiyakin na ang bawat paggamit ng direktang sanggunian sa bagay ay nakatali sa pag-susuri ng awtorisasyon upang matiyak na awtorisado ang gumagamit para sa hiniling na bagay. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = Ang mga sumusunod na email ay natagpuan na inilalathala nang baha-bahagi sa field ng viewstate\: pscanrules.viewstate.content.email.name = Natagpuan ang mga email sa Viewstate 
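Review bot: same mixed-language result as the timestampdisclosure hunk: `pscanrules.usernameidor.otherinfo` and `.soln` become English while `.desc` and `.name` stay Filipino. Separately, the new `.otherinfo` text "The hash was an {0}, with value\: {1}" hard-codes the article "an", which is only correct for some of the hash names substituted at `{0}`; that is a source-string problem, so flag it upstream rather than fixing it in this locale.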
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = I-saayos ang server upang hindi maibabalik ang mga header na iyon. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
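Review bot: removing the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` keys has the same effect as the usercontrolledcharset change above, the locale stops shadowing the default bundle's values with empty strings, so the X-Backend-Server alert will now show its reference link again. Good fix; confirm the English source still defines both keys so the fallthrough has something to land on.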
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = Ang server ng web / application ay pumapasok ng impormasyon sa pamamagitan ng isa o higit pang mga header ng tugon ng "X-Powered-By" HTTP. Ang pag-access sa naturang impormasyon ay maaaring mapadali ang mga mang-aatake na tumutukoy sa iba pang mga framework / component na nakasalalay sa iyong web application at ang mga kahinaan ng mga nasabing bahagi ay maaaring sumailalim. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Ang Server leaks na impormasyon sa pamamagitan ng "X-Powered-By" na HTTP Response Header na mga Patlang pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = Ang mga sumusunod na X-Powered-By na mga header ay natagpuan din\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fr_FR.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fr_FR.properties index 3d811548027..c3e13e75ba8 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fr_FR.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_fr_FR.properties 
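Review bot: the removal of the empty `pscanrules.xpoweredbyheaderinfoleak.extrainfo=` key is consistent with the other empty-key removals in this file and should be listed with them in the commit message; nothing else in the hunk changes. The Filipino `.desc`, `.name` and `.otherinfo.msg` values around it are left as they are, which is fine here since their English source was evidently not touched.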
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = Un en-t\u00eate X-Frame-Options \u00e9tait pr\u00e9sent dans la r\u00e9ponse, mais la valeur n\u2019\u00e9tait pas correctement d\u00e9finie. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
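Review bot: the four changed lines in this hunk (`compliance.malformed.setting.soln`, `compliance.meta.soln` and `incInCsp`) are textually identical to the lines they replace apart from trailing whitespace, so this is cleanup only. That is fine, but please keep whitespace-only churn in a separate commit from the hunks in this patch that revert French translations to English, so the translation regressions can be reviewed on their own.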
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] utilise un m\u00e9canisme d''authentification vuln\u00e9rable [{2}], r\u00e9v\u00e9lant le nom d''utilisateur [{3}] et le mot de passe [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] utilise un m\u00e9canisme d''authentification vuln\u00e9rable [{2}], r\u00e9v\u00e9lant le nom d''utilisateur [{3}] et des informations suppl\u00e9mentaires [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Informations d'authentification captur\u00e9es pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Utilisez HTTPS, et utilisez un m\u00e9canisme d'authentification s\u00e9curis\u00e9 qui ne transmette pas le nom d'utilisateur ou le mot de passe de mani\u00e8re non-encrypt\u00e9e. En particulier, \u00e9vitez l'utilisation de m\u00e9canisme basique d'authentification, \u00e9tant donn\u00e9 que ce m\u00e9canisme d'obfuscation trivial est facilement cassable. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
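Review bot: `pscanrules.authenticationcredentialscaptured.soln` goes from French to English while `.name` and both `.extrainfo` strings on the surrounding context lines stay French, so the rendered alert will mix languages. If the English source of `.soln` changed and the translation was invalidated, note that in the commit message and queue the key for re-translation. The `.desc` pair in this hunk is whitespace-only.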
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Les cookies peuvent \u00eatre limit\u00e9s par le domaine ou le chemin d'acc\u00e8s. Cette v\u00e9rification ne concerne que le p\u00e9rim\u00e8tre de domaine. Le p\u00e9rim\u00e8tre de domaine appliqu\u00e9 \u00e0 un cookie d\u00e9termine quels domaines peuvent acc\u00e9der \u00e0 ce cookie. Par exemple, un cookie peut \u00eatre limit\u00e9 strictement \u00e0 un sous-domaine, p.ex. www.nottrusted.com, ou faiblement limit\u00e9 \u00e0 un domaine parent, p.ex. nottrusted.com. Dans ce dernier cas, n'importe quel sous-domaine de nottrusted.com peut acc\u00e9der au cookie. Des cookies faiblement limit\u00e9s sont fr\u00e9quents dans les m\u00e9ga-applications, comme google.com et live.com. -pscanrules.cookielooselyscoped.extrainfo = Le domaine d''origine utilis\u00e9 pour la comparaison \u00e9tait \:\n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n\n pscanrules.cookielooselyscoped.name = Cookie faiblement coupl\u00e9 pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
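Review bot: `pscanrules.cookielooselyscoped.extrainfo` is reset from French to English while `.desc`, `.name` and `.refs` stay French. The dropped French text used the doubled apostrophe (`d''origine`) that MessageFormat needs for a string containing `{0}` placeholders; the English replacement contains no apostrophe, so nothing breaks, but whoever re-translates this key should keep that escaping.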
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Navigateur Web chargement de donn\u00e9es peut \u00eatre possible, en raison d'une Origine de la Croix de Partage de Ressources (CORS) mauvaise configuration sur le serveur web +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = De la CORS mauvaise configuration sur le serveur web permet \u00e0 la croix-domaine de demandes de lecture de l'arbitraire tiers domaines, non authentifi\u00e9 \u00e0 l'aide d'Api sur ce domaine. Navigateur Web impl\u00e9mentations ne permettent pas de l'arbitraire des tiers pour lire la r\u00e9ponse d'authentification APIs, cependant. Cela r\u00e9duit quelque peu le risque. Cette erreur de configuration peut \u00eatre utilis\u00e9 par un attaquant d'acc\u00e9der \u00e0 des donn\u00e9es qui sont disponibles dans un non authentifi\u00e9 de mani\u00e8re, mais qui utilise une autre forme de s\u00e9curit\u00e9, telles que l'adresse IP de liste-blanche. pscanrules.crossdomain.name = Mauvaise configuration inter-domaines pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
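Review bot: reverting `pscanrules.crossdomain.desc` to English is an improvement, since the removed French was a word-for-word machine rendering ("Origine de la Croix de Partage de Ressources" for Cross Origin Resource Sharing), but `pscanrules.crossdomain.extrainfo` on the next context line has the same quality problem and is left untouched. Either reset that key as well or open a translation request for both so the alert does not pair a clean English description with a garbled French detail text.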
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Mettez \u00e0 jour OpenSSL avec la version 1.0.1g o pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = L\u2019URL semble contenir des informations de carte de cr\u00e9dit. pscanrules.informationdisclosureinurl.otherinfo.email = L\u2019URL contient une/des adresse(s) e-mail. pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Ne transmettez pas d'informations sensibles dans les URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = Du HTTP basique ou de l'authentification simple a \u00e9t\u00e9 utilis\u00e9 sur une connexion non-s\u00e9curis\u00e9e. Les informations de s\u00e9curit\u00e9 ont pu \u00eatre lue et r\u00e9utilis\u00e9e par une personne ayant acc\u00e8s au r\u00e9seau. pscanrules.insecureauthentication.name = M\u00e9thode d'Authentification Faible pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Prot\u00e9gez la connexion en utilisant HTTPS ou utilisez un m\u00e9canisme d'authenfication plus fort +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs=\ pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs=\ pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = La r\u00e9ponse \u00e0 l'URL suivante contient une valeur ViewState qui n'a aucune protection cryptographique. -pscanrules.insecurejsfviewstate.extrainfo = Le JSF ViewState [{0}] n''est pas s\u00e9curis\u00e9 +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = JSF ViewState non-s\u00e9curis\u00e9 pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = S\u00e9curisez VIEWSTATE avec un MAC sp\u00e9cifique \u00e0 votre environnement +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
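Review bot: the removal of `pscanrules.insecureformload.refs=\` and `pscanrules.insecureformpost.refs=\` fixes a real bug, not just an empty key: the trailing backslash is a line continuation in `.properties`, so the old file appended the following `...soln = ...` line to the `refs` value and left `.soln` undefined for this locale. That deserves an explicit mention in the commit message. The same mixed-language caveat as the other hunks applies to `insecureauthentication.soln`, `insecurejsfviewstate.extrainfo` and `insecurejsfviewstate.soln`, whose `.desc` and `.name` neighbours remain French.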
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = \u00c9metteur\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
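Review bot: the new `pscanrules.polyfillcdnscript.desc2` string has a number-agreement error, "one or more script which appear" should read "one or more scripts which appear"; since this locale file mirrors the English source, fix it in the base Messages.properties and let the translation sync pick it up. Also consider whether the second `refs` entry, a post on x.com, is a stable enough citation for an alert reference, or whether the sansec.io write-up alone (or an archived copy) should be used.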
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = V\u00e9rifier manuellement que l'horodatage des donn\u00e9es n'est pas sensible, et que les donn\u00e9es ne peuvent pas \u00eatre agr\u00e9g\u00e9s \u00e0 divulguer des mod\u00e8les exploitables. 
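Review bot: after this hunk `pscanrules.timestampdisclosure.desc` is English while `pscanrules.timestampdisclosure.soln` for the same rule stays French, so a French user will see a mixed-language alert; either reset the `soln` as well or hold back the `desc` reset until both are retranslated. Also, in `extrainfo` the new terminal period sits directly after `{1}`, i.e. right after the evaluated timestamp, where it reads as part of the value; consider leaving this one string without the period since its placeholder is last.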
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = V\u00e9rifier manuellement que l'horodatag pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs=\ pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
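Review bot: `pscanrules.usercontrolledcharset.refs=\` is another bare-backslash entry (a .properties line continuation) whose removal makes the following `usercontrolledcharset.soln` a real key again, so this hunk is more than cosmetic and should be called out in the commit message. The remaining changes here are whitespace only: the `.get` and `.post` extrainfo lines are identical before and after apart from trailing spaces, and the two `extrainfo` strings lose a stray space before `\n`.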
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = D'utilisation par utilisateur ou de la session indirects r\u00e9f\u00e9rences de l'objet (cr\u00e9er un mappage temporaire au moment de l'utilisation). Ou, s'assurer que chaque utilisation d'un objet direct de r\u00e9f\u00e9rence est li\u00e9e \u00e0 une demande d'autorisation pour s'assurer que l'utilisateur est autoris\u00e9 pour l'objet demand\u00e9. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
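Review bot: the `-`/`+` pair for `pscanrules.usernameidor.otherinfo` shows no visible difference, so that is a trailing-whitespace change only. The replaced French `pscanrules.usernameidor.soln` was an unreadable machine translation ("D'utilisation par utilisateur ou de la session indirects références de l'objet"), so resetting it to the English source is an improvement rather than a regression; worth stating in the PR description so nobody restores the old string from translation memory.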
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo=\ pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs=\ pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = Le web/serveur d'application est une fuite de l'information, via un ou plusieurs "X-Powered-By" t\u00eates de r\u00e9ponse HTTP. L'acc\u00e8s \u00e0 ces informations peut faciliter les attaquants d'identifier d'autres frameworks/composants de votre application web est tributaire et les vuln\u00e9rabilit\u00e9s de tels composants peuvent \u00eatre soumis. -pscanrules.xpoweredbyheaderinfoleak.extrainfo=\ pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ha_HG.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ha_HG.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ha_HG.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ha_HG.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
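Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` still has an unbalanced parenthesis: "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then ... you should use DENY." opens a bracket that is never closed. Since the line is already being touched, close it after "DENY" or drop the outer parenthesis, in the English source so it propagates. The `compliance.meta.soln` line is removed and re-added with identical content, so that part is a reordering only.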
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
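Review bot: the unchanged `pscanrules.cookielooselyscoped.desc` context line is missing a space in "domain scope.The domain scope applied", which is shown verbatim in the alert; since this sync touches the block, fix it in the English source so the correction reaches every locale. The `extrainfo` change itself (dropping the space before `\n`) is fine.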
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
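Review bot: the removal of the trailing `\t` from `pscanrules.heartbleed.desc` is a real fix, since the escape would have been rendered as a literal tab at the end of the alert description; the `hashdisclosure.soln` pair, by contrast, shows no visible difference and is whitespace only. Consider noting the tab removal in the commit message rather than presenting the hunk as purely cosmetic.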
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
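Review bot: deleting the empty keys `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` changes the lookup result from an empty string to a missing key, which a Java `ResourceBundle` resolves by falling through to the parent (default) bundle and, if it is missing there too, by throwing `MissingResourceException`. Please confirm the default `Messages.properties` was changed the same way, or that the alert-building code tolerates an absent `refs` key. The same applies to the later removals of `usercontrolledcharset.refs=`, `xbackendserver.extrainfo=`, `xbackendserver.refs=` and `xpoweredbyheaderinfoleak.extrainfo=` in this file.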
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
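Review bot: in the new `pscanrules.polyfillcdnscript.desc2` string, "one or more script which appear to include" should read "one or more scripts which appear to include" (plural noun, as in `desc1`). Separately, the second entry in `pscanrules.polyfillcdnscript.refs` is an `x.com` status link, which can disappear or become login-walled; pairing it with a durable reference (the sansec.io write-up already listed is a good anchor) would keep the alert's references usable.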
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
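Review bot: the period appended in `pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}.` lands directly after the substituted value, so a rendered alert reads like `..., which evaluates to: 2015-03-10T12:00:00Z.` and the trailing dot can be mistaken for part of the timestamp when copied. Either drop the period for this one string or move the value off the end of the sentence; the matching change to `timestampdisclosure.desc` is fine as it stands.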
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
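Review bot: since `pscanrules.usercontrolledjavascriptevent.extrainfo` is being rewritten anyway, fix its grammar in the same change: "User-controlled javascript event(s) was found" should be "were found", and the string mixes "javascript" and "Javascript" while the rule name on the next line uses "JavaScript". The same inconsistency ("Javascript on* events") appears in the untouched `usercontrolledjavascriptevent.soln`, and `usercontrolledcookie.soln` has "semicolon's" for "semicolons"; both are one-word drive-by fixes if you want to include them.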
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_he_IL.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_he_IL.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_he_IL.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_he_IL.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
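Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` has an unbalanced parenthesis in both the old and new text: "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then ... you should use DENY." opens two parentheses and closes one. As the line is already part of this whitespace change, closing it ("...you should use DENY).") costs nothing. The `compliance.meta.soln` and `incInCsp` lines are removed and re-added with identical text, so that part of the hunk is whitespace-only as well.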
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
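Review bot: the context line `pscanrules.cookielooselyscoped.desc` is missing a space in "domain scope.The domain scope"; if this file is being touched for whitespace anyway, that is worth folding in. The change to `cookielooselyscoped.extrainfo` (dropping the space before `\n`) is consistent with the same cleanup applied to `csp.wildcard.otherinfo` and `usercontrolledhtmlattributes.extrainfo` elsewhere in the diff.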
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
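Review bot: `pscanrules.desc = Release status passive scan rules.` is the add-on's own description rather than an alert string, and the other edits in this diff only add terminal periods to alert text. Confirm the same convention is being applied to the `.desc` key of the other add-ons, otherwise this one description will end with a period where its neighbours do not.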
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
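Review bot: dropping `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` turns a present-but-empty value into an absent key; confirm the reference lookup for these rules tolerates the missing key (falling back to the default bundle or treating it as "no references") rather than failing on it. The same check applies to the other empty keys removed further down in this file (`usercontrolledcharset.refs`, `xbackendserver.extrainfo`/`.refs`, `xpoweredbyheaderinfoleak.extrainfo`).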
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
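Review bot: in the added `pscanrules.polyfillcdnscript.desc2`, "one or more script which appear" should read "one or more scripts which appear", matching `desc1`. The added `refs` value also cites a social-media post (the x.com URL) that may not remain available; keep the sansec.io research link first and consider a more durable second reference. Separately, `pscanrules.retrievedfromcache.desc` and `.soln` are removed and re-added with identical visible text, so this is a whitespace-only change that the commit message should state.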
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hi_IN.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hi_IN.properties index 5f2467009ae..26348af1f0e 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hi_IN.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hi_IN.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
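Review bot: the re-added `pscanrules.anticlickjacking.compliance.malformed.setting.soln` line still carries an unbalanced parenthesis: the one opened at "(if you expect the page to be framed only by pages on your server" is never closed after "you should use DENY". Since this string is being touched, close it ("... you should use DENY). Alternatively ...") and apply the same fix in the source bundle so the locale files inherit it.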
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] \u0905\u0938\u0941\u0930\u0915\u094d\u0937\u093f\u0924 \u092a\u094d\u0930\u092e\u093e\u0923\u0940\u0915\u0930\u0923 \u0924\u0902\u0924\u094d\u0930 [{2}] \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0924\u093e \u0939\u0948\u0964 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0928\u093e\u092e [{3}] \u0914\u0930 \u092a\u093e\u0938\u0935\u0930\u094d\u0921 [{4}] \u0916\u0941\u0932\u093e\u0938\u093e \u0915\u0930\u0924\u093e \u0939\u0948\u0964 pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] \u0905\u0938\u0941\u0930\u0915\u094d\u0937\u093f\u0924 \u092a\u094d\u0930\u092e\u093e\u0923\u0940\u0915\u0930\u0923 \u0924\u0902\u0924\u094d\u0930 [{2}] \u0915\u093e \u0909\u092a\u092f\u094b\u0917 \u0915\u0930\u0924\u093e \u0939\u0948\u0964 \u0909\u092a\u092f\u094b\u0917\u0915\u0930\u094d\u0924\u093e \u0928\u093e\u092e [{3}] \u0914\u0930 \u0905\u0924\u093f\u0930\u093f\u0915\u094d\u0924 \u091c\u093e\u0928\u0915\u093e\u0930\u0940 [{4}] \u0915\u093e \u0916\u0941\u0932\u093e\u0938\u093e \u0915\u0930\u0924\u093e \u0939\u0948\u0964 -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
+pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. pscanrules.authenticationcredentialscaptured.name = \u092a\u094d\u0930\u092e\u093e\u0923\u0940\u0915\u0930\u0923 \u0915\u094d\u0930\u0947\u0921\u0947\u0902\u0936\u093f\u092f\u0932\u094d\u0938 \u092a\u0930 \u0915\u092c\u094d\u091c\u093e \u0915\u0930 \u0932\u093f\u092f\u093e pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). 
pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. @@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = \u0915\u094d\u0930\u0949\u0938-\u0921\u094b\u092e\u0947\u0928 Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = \u0913\u092a\u0928\u090f\u0938\u090f\u0938\u090f\u0 pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = \u0915\u092e\u091c\u094b\u0930 \u092a\u094d\u0930\u092e\u093e\u0923\u0940\u0915\u0930\u0923 \u0935\u093f\u0927\u093f pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hr_HR.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hr_HR.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hr_HR.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hr_HR.properties 
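Review bot: Several `-`/`+` pairs in this file read identically in the visible text (`authenticationcredentialscaptured.desc` and `.soln` in @@ -23, `hashdisclosure.soln` in @@ -152, `infoprivateaddressdisclosure.soln` in @@ -163, `stricttransportsecurity.compliance.malformed.content.soln` in @@ -283, `usercontrolledcookie.extrainfo.get`/`.post` in @@ -323, `usernameidor.otherinfo`/`.soln` in @@ -356), so the change must be trailing or otherwise invisible whitespace. Please confirm it is only trailing whitespace and not a substituted character (for example a non-breaking space) that would alter the rendered alert text, and say so in the commit message so the next reader does not have to diff with whitespace ignored.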
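Review bot: The removal of the trailing `\t` from `pscanrules.heartbleed.desc` in @@ -152 is the one change in this file that alters rendered output (the tab was being emitted at the end of the alert description), so it deserves a separate mention in the commit message rather than being folded into the punctuation sweep; it is also worth checking the other locale files for the same stray escape.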
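Review bot: Deleting the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys in @@ -206 (and likewise `usercontrolledcharset.refs=` in @@ -323, `xbackendserver.extrainfo=`/`xbackendserver.refs=` in @@ -390 and `xpoweredbyheaderinfoleak.extrainfo=` in @@ -415) is only safe if the rules that own these keys do not look them up unconditionally: a resource-bundle lookup of an absent key throws rather than returning an empty string, whereas the old empty value returned "". Please confirm the corresponding rule code either no longer reads these keys or guards the lookup, and that the default `Messages.properties` was changed the same way.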
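Review bot: The blank line inserted before `pscanrules.retrievedfromcache.desc` in @@ -264 breaks the file's convention (no blank lines between keys anywhere else in the visible context) and will likely be churned by the next localisation sync; drop it. In the same hunk, `pscanrules.polyfillcdnscript.desc2` reads "one or more script which appear" and should be "one or more scripts which appear", and the `refs` value relies on an `x.com` status URL, which is a fragile reference for an alert; prefer a durable source alongside the sansec.io write-up.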
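Review bot: Appending a period to `pscanrules.timestampdisclosure.extrainfo` in @@ -314 puts the `.` directly after the substituted `{1}` value, so the evaluated timestamp is rendered with a trailing period that looks like part of the value and gets copied along with it. Either leave this extrainfo without terminal punctuation or restructure the sentence so the placeholder is not last.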
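Review bot: In @@ -323 the edit to `pscanrules.usercontrolledhtmlattributes.extrainfo` collapses the separator after "appears to include user input in\:" from `\n\n` to `\n`, while every other section of that message, and the equivalent spot in `pscanrules.usercontrolledjavascriptevent.extrainfo` in the same hunk, keeps `\n\n`; the two messages should use the same layout. While touching the javascriptevent string, "User-controlled javascript event(s) was found" should be "were found", and "javascript"/"Javascript" should be spelled "JavaScript" consistently, as the `.name` key already does.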
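Review bot: The untouched context line `pscanrules.cookielooselyscoped.desc` in @@ -77 contains "domain scope.The domain scope" with no space after the period; since this PR is a punctuation sweep and the neighbouring `extrainfo` key is already being edited, fix that here as well.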
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
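Review bot: the re-added `pscanrules.anticlickjacking.compliance.malformed.setting.soln` line still carries an unclosed parenthesis: the text opens "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, ..." and the outer bracket is never closed before "Alternatively consider implementing ...". Since the line is being rewritten anyway, either close it after "you should use DENY" ("... you should use DENY.) Alternatively ...") or drop the outer parenthesis and make it a plain sentence. The `compliance.meta.soln` and `incInCsp` pairs in this hunk differ only in trailing whitespace.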
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
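Review bot: the `-`/`+` pairs for `pscanrules.authenticationcredentialscaptured.desc` and `.soln` differ only in trailing whitespace, and the values are untranslated English inside a `Messages_hr_HR.properties` bundle. If there is no Croatian text for these keys, dropping the entries so lookups fall back to the default bundle would avoid repeating every punctuation and whitespace cleanup in each locale file. While here: the unchanged `pscanrules.authenticationcredentialscaptured.refs` line cites `.../attacks/Brute_force_attack`, which does not match a description about eavesdropping and base64-decoding Basic credentials on the wire; a reference covering Basic/Digest authentication over cleartext would fit better than the brute-force page.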
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
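Review bot: the context line `pscanrules.cookielooselyscoped.desc` is missing a space after the sentence "This check is only concerned with domain scope.The domain scope applied to a cookie ..."; since the neighbouring `.extrainfo` line is already being touched to remove a stray space before `\n`, it would be worth fixing "scope.The" to "scope. The" in the same pass.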
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
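Review bot: dropping the trailing `\t` from `pscanrules.heartbleed.desc` is correct (in a .properties value it was an actual tab at the end of the alert text), but the sentence still repeats itself: "allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information." Trimming the final clause, or ending at "buffer over-read.", would read cleaner now that the line is being edited. The `pscanrules.hashdisclosure.soln` pair in this hunk is whitespace-only.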
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
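Review bot: in the context line `pscanrules.infoprivateaddressdisclosure.desc`, "172.x.x.x" overstates the RFC 1918 range cited on the `.refs` line; the private block is 172.16.0.0/12 (172.16.x.x through 172.31.x.x). Since `.soln` for the same rule is rewritten in this hunk (whitespace-only), correcting the description to "172.16.x.x - 172.31.x.x" would be a cheap addition.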
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
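Review bot: `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` are removed rather than given a value, which leaves these two alerts without a reference unless the default bundle supplies one; both rules describe an HTTP/HTTPS transition in a form action, so pointing them at the OWASP Transport Layer Protection cheat sheet (the same resource `mixedcontent.refs` uses further down) would fill the gap. Separately, the `+pscanrules.insecurejsfviewstate.soln` line says "Secure VIEWSTATE with a MAC ..." while `.desc` and `.name` for the same rule use "ViewState"; aligning the casing while the line is being edited avoids the inconsistency.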
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
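Review bot: the new `pscanrules.polyfillcdnscript.desc2` value has a number-agreement slip: "one or more script which appear to include" should be "one or more scripts which appear to include" (the `desc1` line above gets this right with "script files"). The new `.refs` line cites an `x.com/.../status/...` post next to the sansec.io write-up; social-media posts are not stable references, so if a durable advisory or blog post covers the same point it would be the better second link. The `retrievedfromcache.desc` and `.soln` pairs in this hunk are whitespace-only.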
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
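Review bot: the only change in this hunk is trailing whitespace on `pscanrules.stricttransportsecurity.compliance.malformed.content.soln`. The two context `.desc` lines begin "A HTTP Strict Transport Security (HSTS) header was found"; "An HTTP" is the usual form when the initialism is read letter by letter, and the same wording appears in both `malformed.content.desc` and `max.age.malformed.desc`, so one small follow-up could fix both.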
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
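Review bot: the `+pscanrules.usercontrolledhtmlattributes.extrainfo` line collapses the separator before "a(n) [{1}] tag [{2}] attribute" from `\n\n` to `\n`, while every other section of the same message ("The user input found was", "The user-controlled value was") keeps `\n\n`; this looks like an accidental loss of a blank line rather than an intended layout change, so either restore `\n\n` there or collapse all of them consistently. In `+pscanrules.usercontrolledjavascriptevent.extrainfo`, "event(s) was found" should be "event(s) were found". The removal of `pscanrules.usercontrolledcharset.refs=` leaves that rule without a reference unless the default bundle has one; the OWASP Input Validation cheat sheet used by the sibling `usercontrolledhtmlattributes.refs` and `usercontrolledjavascriptevent.refs` lines would suit it. The `usercontrolledcookie.extrainfo.get`/`.post` pairs are whitespace-only.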
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
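Review bot: `pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1}` hard-codes the article "an" in front of a placeholder; depending on which algorithm name is substituted ("an MD5" reads fine, "an SHA-256" does not) the output is wrong English, and a fixed article also does not survive translation. Rephrasing to avoid the article, e.g. "Hash algorithm\: {0}, value\: {1}", sidesteps both problems; the change on this line is otherwise whitespace-only, as is the `.soln` pair below it.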
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
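Review bot: removing `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` is a behavioural fix, not just tidying: a key that is present with an empty value in a locale bundle is returned as the empty string instead of falling back to the default bundle's text, so before this change the alert's extra info and references were blank for users of this locale. Worth stating in the commit message, and worth grepping the other locale files in the add-on for the same trailing `=` pattern.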
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hu_HU.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hu_HU.properties index 36cba68d8ca..f4fb1f9b87b 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hu_HU.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_hu_HU.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
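Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` is touched in this hunk but still has an unbalanced parenthesis: the bracket opened at `(if you expect the page to be framed` is never closed before `you should use DENY.` Since this locale file carries the English source text verbatim, the fix belongs in the base (untranslated) bundle, for example `... you should use DENY).`, and should then flow into the locale files rather than being patched here.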
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
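Review bot: `pscanrules.cookielooselyscoped.desc`, shown as unchanged context in this hunk, is missing a space in `domain scope.The domain scope applied`. As with the other text defects in these files, the correction belongs in the base bundle, but it is worth filing alongside this cleanup so the locale files pick it up on the next sync.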
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
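Review bot: the new `pscanrules.polyfillcdnscript.desc2` reads `one or more script which appear`; it should be `one or more scripts which appear` (compare `desc1`, which correctly says `one or more script files`). Two smaller points on the same hunk: `pscanrules.polyfillcdnscript.refs` cites an `x.com` status, which is a fragile reference for a security rule and could be backed by the sansec.io write-up alone or by a more durable source; and the `pscanrules.retrievedfromcache.desc`/`.soln` `-`/`+` pairs render identically, so that part of the hunk is whitespace only and deserves a mention in the commit message.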
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
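Review bot: dropping the empty `pscanrules.usercontrolledcharset.refs=` key changes runtime behaviour from "key present with empty value" to "key absent in this locale", so the lookup now falls through to the base Messages.properties; that is fine only if the base file still defines the key or the User Controllable Charset rule tolerates a missing reference, and the base file is not in this excerpt, so please confirm one of the two. The `-`/`+` pairs for `usercontrolledcookie.extrainfo.get` and `.extrainfo.post` are identical as rendered, so presumably trailing-whitespace stripping; say so in the commit message so the hunk is not read as a content change. Removing the stray space before `\n\n` in `usercontrolledhtmlattributes.extrainfo` and `usercontrolledjavascriptevent.extrainfo` is correct, since that space was being emitted at the end of a line in the alert text.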
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
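Review bot: `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` are removed rather than filled in, which leaves the X-Backend-Server alert with no reference at all. If the intent is to let this locale fall through to the base bundle, that is fine; if the base Messages.properties also drops them, the rule's `extrainfo`/`refs` lookups must tolerate a missing key instead of an empty string. Either way the alert would benefit from a real reference, e.g. the CWE-200 information exposure entry already used by `timestampdisclosure.refs` elsewhere in this file.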
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_id_ID.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_id_ID.properties index c3a0445027a..698dc500c09 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_id_ID.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_id_ID.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
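Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` (unchanged apart from whitespace in this hunk) opens a parenthesis at "(if you expect the page to be framed" that is never closed, so the sentence runs straight into "Alternatively consider implementing ...". Since this locale file only mirrors the source string, the fix belongs in the base Messages.properties, e.g. "... you should use DENY). Alternatively ...". The `-`/`+` pairs for `meta.soln` and `incInCsp` are also identical as rendered, so this hunk appears to be whitespace-only.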
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] menggunakan mekanisme autentikasi yang tidak aman [{2}], mengungkapkan nama pengguna [{3}] dan kata sandi [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] menggunakan mekanisme autentikasi yang tidak aman [{2}], mengungkapkan nama pengguna [{3}] dan informasi tambahan [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Kredensial Otentikasi Ditangkap pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Gunakan HTTPS, dan gunakan mekanisme otentikasi aman yang tidak mentransmisikan kata sandi pengguna atau kata sandi dengan cara yang tidak dienkripsi. Secara khusus, hindari penggunaan mekanisme Otentikasi Dasar, karena mekanisme obfuscasi sepele ini mudah rusak. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
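Review bot: `pscanrules.authenticationcredentialscaptured.soln` replaces an existing Indonesian translation with the English source text while `.alert.basicauth.extrainfo`, `.alert.digestauth.extrainfo` and `.name` in the same hunk stay in Indonesian, so an id_ID user now gets a mixed-language alert. If this is a Crowdin re-export where the source string changed and the translation was invalidated, that is expected and should be stated in the PR description; if it is a manual edit, the translation should be kept (the old text was a near-complete rendering, apart from "kata sandi pengguna atau kata sandi", which translates "password or password" where the source says "userid or password") and only the base file changed. The `-`/`+` pair for `.desc` is identical as rendered, presumably whitespace.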
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookie bisa di scoped oleh domain atau path. Cek ini hanya berkaitan dengan cakupan domain. Lingkup domain yang diterapkan pada cookie menentukan domain mana yang dapat mengaksesnya. Misalnya, cookie dapat dicolokkan secara ketat ke subdomain mis. www.nottrusted.com, atau dicambuk secara longgar ke domain induk mis. nottrusted.com Dalam kasus terakhir, subdomain dari nottrusted.com dapat mengakses cookie. Kue scoped longgar sering ditemukan di mega-aplikasi seperti google.com dan live.com. Cookie yang ditetapkan dari subdomain seperti app.foo.bar dikirim hanya ke domain itu oleh browser. Namun, cookie yang dicolokkan ke domain tingkat orang tua dapat dikirim ke orang tua, atau subdomain orang tua manapun. -pscanrules.cookielooselyscoped.extrainfo = Domain asal yang digunakan untuk perbandingan adalah\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
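Review bot: `pscanrules.cookielooselyscoped.extrainfo` is switched to English here while `.desc` directly above it remains in Indonesian, so the Loosely Scoped Cookie alert will mix languages; if the English fallback is intentional, the same should apply to `.desc`, whose current text reads as machine translation ("dicambuk secara longgar", "Kue scoped longgar") and would be better served by the fallback than by the existing string. Dropping the space before `\n` in the English text is correct.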
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Loading data browser web dimungkinkan, karena kesalahan konfigurasi Cross Origin Resource Sharing (CORS) pada server web +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = Kesalahan konfigurasi CORS pada server web mengizinkan permintaan baca lintas domain dari domain pihak ketiga yang sewenang-wenang, menggunakan API yang tidak diautentikasi pada domain ini. Implementasi browser web tidak mengizinkan pihak ketiga yang sewenang-wenang untuk membaca tanggapan dari API yang diautentikasi. Hal ini mengurangi risikonya. Kesalahan konfigurasi ini dapat digunakan oleh penyerang untuk mengakses data yang tersedia dengan cara yang tidak berkepentingan, namun menggunakan beberapa bentuk keamanan lainnya, seperti daftar putih alamat IP. pscanrules.crossdomain.name = Kesalahan konfigurasi lintas domain pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
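Review bot: `pscanrules.crossdomain.desc` goes back to English (with the missing trailing period added, which is good) but `pscanrules.crossdomain.extrainfo` and `pscanrules.crossdomain.name` immediately below keep their Indonesian text, so the Cross-Domain Misconfiguration alert will be bilingual. Please confirm this is the expected Crowdin fallback behaviour for an invalidated string rather than a partial hand edit; if hand-edited, either keep the translation for `.desc` or revert all three keys together.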
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
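Review bot: removing the literal `\t` at the end of `pscanrules.heartbleed.desc` is the right call, since it was rendered as a tab at the end of the alert description. While that string is being touched, note that it says "obtain sensitive information from process memory ... potentially disclosing sensitive information", which repeats itself; the trailing clause can be dropped in the base Messages.properties. The `-`/`+` pair for `hashdisclosure.soln` is identical as rendered (whitespace only).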
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update ke OpenSSL 1.0.1g atau yang lebih baru. Re-i pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = Respon tersebut tampaknya mengandung pesan kesalahan umum yang dikembalikan oleh platform seperti ASP.NET, dan Web-server seperti IIS dan Apache. Anda dapat mengkonfigurasi daftar pesan debug umum. pscanrules.informationdisclosuredebugerrors.name = Pengungkapan Informasi - Pesan Kesalahan Debug 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = URL tampaknya berisi informasi kartu kredit. pscanrules.informationdisclosureinurl.otherinfo.email = URL berisi alamat email(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = URL tersebut tampaknya berisi Nomor Jaminan Sosial AS (s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Jangan melewati informasi sensitif di URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
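Review bot: only `pscanrules.informationdisclosureinurl.otherinfo.ssn` is reverted to English in this hunk; the sibling `otherinfo.cc`, `otherinfo.email` and `.soln` keys stay in Indonesian, so the three sub-alerts of the same rule will render in different languages. If the source string for `.ssn` changed upstream and this is the Crowdin fallback, fine, but please say so; otherwise keep the translation.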
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = Otentikasi dasar atau ringkasan HTTP telah digunakan selama koneksi tanpa jaminan. Kredensial dapat dibaca dan kemudian digunakan kembali oleh seseorang yang memiliki akses ke jaringan. pscanrules.insecureauthentication.name = Metode Otentikasi Lemah pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Lindungi koneksi menggunakan HTTPS atau gunakan mekanisme otentikasi yang lebih kuat +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = Tanggapan pada URL berikut berisi nilai ViewState yang tidak memiliki perlindungan kriptografi. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] tidak aman +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Tidak aman JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE dengan MAC yang spesifik untuk lingkungan Anda +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
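Review bot: `pscanrules.insecurejsfviewstate.extrainfo` and `.soln` become English while `.desc` and `.name` stay Indonesian, and `pscanrules.insecureauthentication.soln` becomes English while `.desc` and `.name` stay Indonesian, so both alerts will mix languages; confirm this is intended fallback rather than a partial edit. The untouched `pscanrules.insecurejsfviewstate.name = Tidak aman JSF ViewState` also has the adjective in the wrong position for Indonesian ("JSF ViewState Tidak Aman" would be the natural order), which is worth fixing on Crowdin. Removing the empty `insecureformload.refs=` and `insecureformpost.refs=` keys is only safe if the base bundle still defines them or the two rules tolerate a missing reference.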
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Penerbit\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
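Review bot: `pscanrules.polyfillcdnscript.desc2` reads "one or more script which appear"; it should be "one or more scripts which appear" (compare `desc1`, which correctly says "script files"). Also, these five `polyfillcdnscript.*` keys are being added in English directly to the id_ID locale file; if locale files are regenerated from Crowdin, new keys normally arrive there only once translated, so adding English copies here will either be overwritten or mask the fact that they are untranslated. Please confirm this hunk is tool-generated. The second entry in `.refs` is an x.com post, which is a fragile reference next to the sansec.io write-up; if a more durable source is available, prefer it. The `retrievedfromcache.desc` and `.soln` `-`/`+` pairs are identical as rendered, presumably trailing whitespace.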
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = Sebuah timestamp telah diungkapkan oleh aplikasi/server web -pscanrules.timestampdisclosure.extrainfo = {0}, yang mengevaluasi ke\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Pengungkapan Timestamp pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Secara manual konfirmasikan bahwa data timestamp tidak sensitif, dan data tersebut tidak dapat digabungkan untuk mengungkapkan pola yang dapat dieksploitasi. 
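Review bot: replacing `pscanrules.timestampdisclosure.desc` and `.extrainfo` with English text in this locale file leaves the rule half-translated, since `.name` ("Pengungkapan Timestamp") and `.soln` in the same hunk are still in the original language, so the alert will render in two languages. If this is a translation-platform reset because the source strings changed (the `+` lines add a trailing period), say so in the commit message; otherwise keep the localized text and apply the punctuation change only to the base file.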
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Secara manual konfirmasikan bahwa data tim pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
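Review bot: dropping the empty `pscanrules.usercontrolledcharset.refs=` key is a behaviour change, not just tidying: an empty value in a locale bundle overrides the base bundle with an empty string, whereas a missing key falls back to whatever the base Messages.properties defines. Confirm the base file has no reference for this rule, or the alert will start showing one in this locale. The rest of the hunk is whitespace or `\n` trimming in the `usercontrolledcookie.extrainfo.*`, `usercontrolledhtmlattributes.extrainfo` and `usercontrolledjavascriptevent.extrainfo` strings, which is fine; while here, the context line `usercontrolledcookie.soln` has "semicolon's" where "semicolons" is meant.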
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = Hash dari nama pengguna ({0}) ditemukan dalam tanggapan. Ini mungkin menunjukkan bahwa aplikasi tunduk pada kerentanan Reference Object Oriented (IDOR) yang tidak aman. Pengujian manual akan diperlukan untuk melihat apakah penemuan ini dapat disalahgunakan. pscanrules.usernameidor.name = Username Hash Ditemukan -pscanrules.usernameidor.otherinfo = Hash adalah {0}, dengan nilai\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Gunakan per pengguna atau referensi objek tidak langsung sesi (buat pemetaan sementara pada saat penggunaan). Atau, pastikan bahwa setiap penggunaan referensi objek langsung terkait dengan pemeriksaan otorisasi untuk memastikan pengguna diberi wewenang untuk objek yang diminta. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = Email berikut ditemukan diserialkan di bidang tampilan lapangan\: pscanrules.viewstate.content.email.name = Email Ditemukan di kondisi tampilan belakang 
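Review bot: `pscanrules.usernameidor.otherinfo` and `.soln` are switched to English while `.desc` and `.name` ("Username Hash Ditemukan") stay localized, so this alert will also render in a mix of two languages. If the localized strings are being kept, the `.desc` context line needs attention as well: it renders IDOR as "Reference Object Oriented (IDOR) yang tidak aman", which is a mistranslation of Insecure Direct Object Reference and loses the meaning of the acronym.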
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Konfigurasi server sehingga tidak akan mengembalikan header tersebut. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
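Review bot: removing the empty `pscanrules.xbackendserver.extrainfo=` and `.refs=` keys means lookups now fall back to the base bundle's values instead of returning an empty string; that is the right outcome only if the base Messages.properties also has no value for them. Please confirm, and apply the same check to the empty `pscanrules.xpoweredbyheaderinfoleak.extrainfo=` key removed in the next hunk.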
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = Server web/aplikasi membocorkan informasi melalui satu atau lebih header respon HTTP "X-Powered-By". Akses terhadap informasi semacam itu dapat mempermudah penyerang untuk mengidentifikasi kerangka/komponen lain yang bergantung pada aplikasi web Anda dan kerentanan komponen semacam itu dapat dikenai. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Informasi Server Leaks via "X-Powered-By" Header Respon HTTP Field (s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = Header X-Powered-By berikut juga ditemukan\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_it_IT.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_it_IT.properties index 83105afa211..7e4a1a0450f 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_it_IT.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_it_IT.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
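Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` is touched here only for trailing whitespace, but the string itself has an unbalanced parenthesis: the clause "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise ... you should use DENY." opens a bracket that is never closed before "Alternatively consider ...". Fix it in the base Messages.properties (for example by closing it after "DENY") so the corrected text propagates, rather than editing the locale copy. The `compliance.meta.soln` and `incInCsp` changes in this hunk are whitespace only.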
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] utilizza un meccanismo di autenticazione insicuro [{2}], rivelando username [{3}] e password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] utilizza il meccanismo di autenticazione insicuro [{2}], rivelando username [{4}] ed informazioni aggiuntive [{3}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Credenziali di autenticazione catturate pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Utilizza HTTPS e un meccanismo di autenticazione sicura che non invia la userid o la password in modo non crittografato. In particolare, evita l'uso del meccanismo di autenticazione di base, poich\u00e9 questo banale meccanismo di offuscamento \u00e8 facilmente decifrabile. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
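Review bot: `pscanrules.authenticationcredentialscaptured.soln` loses its Italian translation and gets the English source text, while `.name` ("Credenziali di autenticazione catturate") and the two `.extrainfo` strings in the same hunk stay Italian. Unless the source string changed and the translation was invalidated on purpose, this is a localization regression for Italian users; the same pattern appears for `insecureauthentication.soln` and the `insecurejsfviewstate` strings later in this file. The `.desc` change is whitespace only.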
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Cookie con ambito non stringente pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
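Review bot: the `cookielooselyscoped.extrainfo` change is whitespace only and fine. Since this block is being edited, the `.desc` context line is missing a space in "domain scope.The domain scope applied to a cookie"; that belongs in the base file so every locale picks it up.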
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Configurazione errata multi dominio pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
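Review bot: adding the period to `pscanrules.crossdomain.desc` is fine, but the neighbouring `.extrainfo` overstates browser protection: "Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs" holds only for a wildcard `Access-Control-Allow-Origin: *`; a server that reflects the request Origin and also sends `Access-Control-Allow-Credentials: true` does let a third-party page read authenticated responses. Consider qualifying that sentence in the base file so the stated risk reduction is not overstated.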
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
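Review bot: the meaningful change in this hunk is dropping the literal `\t` escape at the end of `pscanrules.heartbleed.desc`, which in a properties value is a tab character and would otherwise be rendered after the final period; that removal is correct. The `hashdisclosure.soln` change is whitespace only.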
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Aggiornare ad OpenSSL 1.0.1g o versione successiva. pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
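Review bot: `infoprivateaddressdisclosure.soln` is whitespace only, but the `.desc` context line lists "172.x.x.x" as a private range; RFC 1918, which is this rule's own reference, reserves only 172.16.0.0/12 (172.16.x.x through 172.31.x.x), so the description as written overstates the range and will mislead users triaging the alert. Fix in the base Messages.properties.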
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP di base o autenticazione digest sono state utilizzate su una connessione non sicura. Le credenziali possono essere lette e successivamente riutilizzate da qualcuno che ha accesso alla rete. pscanrules.insecureauthentication.name = Metodo di Autenticazione Debole pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Proteggi la connessione utilizzando HTTPS oppure utilizzando un meccanismo di autenticazione forte +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = La risposta alla seguente URL contiene un valore di ViewState che non ha protezioni crittografiche. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] \u00e8 insicuro +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = JSF ViewState non sicuro pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Proteggi VIEWSTATE con un MAC specifico per il tuo ambiente +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
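Review bot: `insecureauthentication.soln`, `insecurejsfviewstate.extrainfo` and `insecurejsfviewstate.soln` are replaced with English while their `.desc` and `.name` lines in the same hunk remain Italian, so these alerts will render in two languages; if the translations were invalidated deliberately, note that in the commit message. Removing the empty `insecureformload.refs=` and `insecureformpost.refs=` keys also switches those lookups from an empty string to the base bundle's value; confirm the base file has no reference for them, or the alerts will start showing one.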
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
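Review bot: `pscanrules.polyfillcdnscript.desc2` has a number-agreement error in the added line: "one or more script which appear" should read "one or more scripts which appear" (desc1 already uses the plural "script files"). The added `refs` value pairs the sansec research write-up with an `https://x.com/...` status link; social-media URLs are not durable references and this one will be copied into every locale file, so consider whether a more stable citation exists. The `-`/`+` pairs for `pscanrules.retrievedfromcache.desc` and `.soln` show no visible textual difference beyond the inserted blank line, so confirm this is intentional whitespace/ordering churn rather than a stray re-save. If this is a locale file rather than the base `Messages.properties`, note also that Java `ResourceBundle` lookup falls back to the parent bundle for missing keys, so the untranslated English copies of the polyfill strings are only needed if the translation pipeline requires every key to be present.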
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
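Review bot: the `+` line for `pscanrules.stricttransportsecurity.compliance.malformed.content.soln` is textually identical to the `-` line, so this is a whitespace-only change; while this string is being touched, the adjacent `desc` context line contains a comma splice ("... (perhaps curly quotes), the expectation is that ...") that would read better as two sentences or with a semicolon.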
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
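Review bot: appending a period directly after the `{1}` placeholder in `pscanrules.timestampdisclosure.extrainfo` puts the trailing dot immediately behind the evaluated date/time string, where a reader copying the value can take it as part of the value; if end punctuation is wanted, place the placeholder in brackets or quotes (as `pscanrules.bigredirects.extrainfo` does with `[{1}]`) rather than bare before the period. The `desc` period addition is fine.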
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
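Review bot: removing the empty `pscanrules.usercontrolledcharset.refs=` line is correct only if either the rule tolerates an absent key or the base bundle defines it: Java `ResourceBundle` falls back to the parent (default) bundle for keys missing from a locale file, so a locale file does not need an empty override, but if this is the base file the lookup becomes a missing-resource error instead of an empty string. The `+` lines for `pscanrules.usercontrolledcookie.extrainfo.get` and `.extrainfo.post` are identical to their `-` lines (whitespace-only churn), and the `soln` context line has an apostrophe error ("semicolon's" should be "semicolons") that could be fixed in the same pass.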
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
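Review bot: the change to `pscanrules.usercontrolledhtmlattributes.extrainfo` alters layout as well as whitespace: `in\: \n\na(n)` becomes `in\:\na(n)`, dropping one of the two newlines while every other separator in the same string keeps `\n\n`; confirm that single break is intended and not an accidental deletion. The added `+` line for `pscanrules.usercontrolledjavascriptevent.extrainfo` keeps "event(s) was found" (should be "were found") and mixes `javascript` and `Javascript` in one message; both `soln` context lines read "sanitize output it before writing", where "output" is a stray word, and all of these are cheap to fix while the strings are being touched.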
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
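Review bot: the `+` lines for `pscanrules.usernameidor.otherinfo` and `.soln` are identical to the `-` lines, so this hunk is whitespace-only. While here, `The hash was an {0}` hard-codes the article "an" in front of the hash-type placeholder, which reads wrongly for hash-type names that begin with a consonant sound; a placeholder-neutral phrasing such as `Hash type\: {0}, value\: {1}` avoids the problem.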
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
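Review bot: dropping the empty `pscanrules.xbackendserver.extrainfo=` and `.refs=` lines changes these keys from "present but empty" to "absent": safe in a locale file, where `ResourceBundle` falls back to the base bundle, but if this is the base `Messages.properties` the rule must already handle a missing key (or the code path that reads `extrainfo`/`refs` must not be reached), so please confirm which file this is and how the rule looks the keys up.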
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ja_JP.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ja_JP.properties index 8b0608ba0f3..24f0ce610e7 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ja_JP.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ja_JP.properties 
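Review bot: the removal of the empty `pscanrules.xpoweredbyheaderinfoleak.extrainfo=` follows the same pattern as the other empty-key deletions in this file; it is fine for a locale file because `ResourceBundle` falls back to the parent bundle, but confirm the base bundle defines the key (or the rule does not require it) so the alert does not raise a missing-resource error at scan time.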
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
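Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` has an unbalanced parenthesis that the `+` line carries over unchanged: the opening "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then ..." never closes, so the sentence should either close the outer parenthesis after "DENY" or drop it. All three `+` lines in this hunk are otherwise identical to their `-` lines (the `meta.soln`/`incInCsp` pair is just reordered), so the diff is whitespace/ordering churn.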
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] \u306f\u5b89\u5168\u3067\u306a\u3044\u8a8d\u8a3c\u65b9\u5f0f [{2}] \u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u30e6\u30fc\u30b6\u30fc\u540d [{3}] \u3068\u30d1\u30b9\u30ef\u30fc\u30c9 [{4}] \u304c\u508d\u53d7\u53ef\u80fd\u3067\u3059\u3002 pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] \u306f\u5b89\u5168\u3067\u306a\u3044\u8a8d\u8a3c\u65b9\u5f0f [{2}] \u3092\u4f7f\u7528\u3057\u3066\u3044\u308b\u305f\u3081\u3001\u30e6\u30fc\u30b6\u30fc\u540d [{3}] \u3068\u8ffd\u52a0\u60c5\u5831 [{4}] \u304c\u508d\u53d7\u53ef\u80fd\u3067\u3059\u3002 -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. 
For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = HTTPS\u3092\u4f7f\u7528\u3057\u3001\u30e6\u30fc\u30b6ID\u3084\u30d1\u30b9\u30ef\u30fc\u30c9\u3092\u5e73\u6587\u3067\u9001\u4fe1\u3057\u306a\u3044\u30bb\u30ad\u30e5\u30a2\u306a\u8a8d\u8a3c\u65b9\u5f0f\u3092\u4f7f\u7528\u3057\u3066\u4e0b\u3055\u3044\u3002\n\u7279\u306b\u3001\u7c21\u5358\u306b\u6697\u53f7\u3092\u89e3\u304b\u308c\u3066\u3057\u307e\u3046\u306e\u3067\u3001BASIC\u8a8d\u8a3c\u306e\u4f7f\u7528\u306f\u907f\u3051\u3066\u4e0b\u3055\u3044\u3002 +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
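Review bot: this hunk replaces an existing Japanese translation of `pscanrules.authenticationcredentialscaptured.soln` (the `-` line, which conveys the same advice: use HTTPS, use a mechanism that does not send the user ID or password in clear text, avoid Basic auth because it is trivially decoded) with the English source string, in the `ja_JP` locale file. Unless the translation was wrong, that is a localization regression, and if these files are synced from a translation platform the change will be overwritten or re-introduced on the next sync; the `desc` `-`/`+` pair is textually identical and appears to be whitespace-only.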
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = \u30af\u30c3\u30ad\u30fc\u306f\u3001\u30c9\u30e1\u30a4\u30f3\u307e\u305f\u306f\u30d1\u30b9\u3092\u6307\u5b9a\u3059\u308b\u3053\u3068\u3067\u30b9\u30b3\u30fc\u30d7\u3092\u9650\u5b9a\u3059\u308b\u4e8b\u304c\u3067\u304d\u307e\u3059\u3002\n\u3053\u306e\u691c\u67fb\u306f\u3001\u30b9\u30b3\u30fc\u30d7\u306b\u30c9\u30e1\u30a4\u30f3\u304c\u6307\u5b9a\u3055\u308c\u3066\u3044\u308b\u5834\u5408\u306e\u307f\u3092\u5bfe\u8c61\u3068\u3057\u3066\u3044\u307e\u3059\u3002\u30af\u30c3\u30ad\u30fc\u306b\u8a2d\u5b9a\u3055\u308c\u305f\u30c9\u30e1\u30a4\u30f3\u30b9\u30b3\u30fc\u30d7\u306f\u3001\u3069\u306e\u30c9\u30e1\u30a4\u30f3\u304b\u3089\u30af\u30c3\u30ad\u30fc\u306b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u304b\u3092\u6c7a\u5b9a\u3057\u307e\u3059\u3002\n\u30c9\u30e1\u30a4\u30f3\u30b9\u30b3\u30fc\u30d7\u306f\u3001\u4f8b\u3048\u3070\u3001 "www.nottrusted.com" \u306e\u3088\u3046\u306b\u3001\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u307e\u3067\u53b3\u5bc6\u306b\u6307\u5b9a\u3059\u308b\u3053\u3068\u3082\u3067\u304d\u3001 "nottrusted.com" \u306e\u3088\u3046\u306b\u4e0a\u4f4d\u306e\u30c9\u30e1\u30a4\u30f3\u3092\u6307\u5b9a\u3057\u3066\u5e83\u3044\u30b9\u30b3\u30fc\u30d7\u3068\u3059\u308b\u3053\u3068\u3082\u3067\u304d\u307e\u3059\u3002\u5f8c\u8005\u306e\u5834\u5408\u3001 "nottrusted.com" \u306e\u3044\u305a\u308c\u306e\u30b5\u30d6\u30c9\u30e1\u30a4\u30f3\u306b\u304a\u3044\u3066\u3082\u3001\u30af\u30c3\u30ad\u30fc\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u307e\u3059\u3002\n"google.com" \u3084 "live.com" 
\u306e\u3088\u3046\u306a\u5de8\u5927\u306a\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306b\u304a\u3044\u3066\u306f\u3001\u5927\u62b5\u30af\u30c3\u30ad\u30fc\u306e\u30b9\u30b3\u30fc\u30d7\u306f\u5e83\u304f\u8a2d\u5b9a\u3055\u308c\u3066\u3044\u307e\u3059\u3002 -pscanrules.cookielooselyscoped.extrainfo = \u6bd4\u8f03\u306b\u4f7f\u7528\u3057\u305f\u5143\u306e\u30c9\u30e1\u30a4\u30f3\:\n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0} pscanrules.cookielooselyscoped.name = \u30b9\u30b3\u30fc\u30d7\u304c\u5e83\u3044\u30af\u30c3\u30ad\u30fc pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
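Review bot: `pscanrules.cookielooselyscoped.extrainfo` is changed from its Japanese translation (the `-` line, "origin domain used for comparison") to the English string in `Messages_ja_JP.properties`, while the surrounding `desc` and `name` context lines stay in Japanese, so the rendered alert becomes mixed-language. Revert this to the translated form, or if the English is deliberately intended as a placeholder, leave the key out so the base bundle supplies it rather than storing untranslated text in the locale file.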
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = \u30af\u30ed\u30b9 \u30c9\u30e1\u30a4\u30f3\u306e\u8a2d\u5b9a\u30df\u30b9 pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = OpenSSL \u3092 1.0.1g \u307e\u305f\u306f\u305d\u308 pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u4fdd\u8b77\u3055\u308c\u3066\u3044\u306a\u3044\u63a5\u7d9a\u3092\u4ecb\u3057\u3066 HTTP \u306eBASIC\u8a8d\u8a3c\u307e\u305f\u306f\u30c0\u30a4\u30b8\u30a7\u30b9\u30c8\u8a8d\u8a3c\u304c\u4f7f\u7528\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3078\u30a2\u30af\u30bb\u30b9\u53ef\u80fd\u306a\u30e6\u30fc\u30b6\u30fc\u306b\u3088\u3063\u3066\u8a8d\u8a3c\u60c5\u5831\u304c\u508d\u53d7\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002 pscanrules.insecureauthentication.name = \u8106\u5f31\u306a\u8a8d\u8a3c\u65b9\u6cd5 pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = HTTPS \u3092\u4f7f\u7528\u3057\u3066\u63a5\u7d9a\u3092\u4fdd\u8b77\u3057\u305f\u308a\u3001\u5f37\u529b\u306a\u8a8d\u8a3c\u30e1\u30ab\u30cb\u30ba\u30e0\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002 +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. 
The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = \u6b21\u306e URL \u306e\u30ec\u30b9\u30dd\u30f3\u30b9\u306b\u306f\u6697\u53f7\u5316\u4fdd\u8b77\u3092\u6301\u305f\u306a\u3044 ViewState \u5024\u304c\u542b\u307e\u308c\u3066\u3044\u307e\u3059\u3002 -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] \u306f\u5b89\u5168\u3067\u306f\u3042\u308a\u307e\u305b\u3093\u3002 +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = \u5b89\u5168\u3067\u306a\u3044JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = \u3042\u306a\u305f\u306e\u74b0\u5883\u56fa\u6709\u306e MAC \u30a2\u30c9\u30ec\u30b9\u3092\u4f7f\u3063\u3066\u30bb\u30ad\u30e5\u30a2\u306aVIEWSTATE\u306b\u3057\u3066\u4e0b\u3055\u3044\u3002 +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = \u30bf\u30a4\u30e0\u30b9\u30bf\u30f3\u30d7\u306e\u9732\u898b pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ko_KR.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ko_KR.properties index c05edc97872..fee480001fd 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ko_KR.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ko_KR.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
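Review bot: dropping the stray `\t` that was appended to `pscanrules.heartbleed.desc` is the right fix; a literal tab at the end of an alert description is rendered into the report. The `-`/`+` pair for `pscanrules.hashdisclosure.soln` reads identically, so that change can only be trailing whitespace; fine to keep, but it is worth stating in the commit message so reviewers do not hunt for a wording difference.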
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = \uc57d\ud55c \uc778\uc99d \ubc29\ubc95 pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = \uc544\ub798 URL\uc758 \uc751\ub2f5 \ub0b4\uc6a9 \uc911 \uc554\ud638\ud654 \ubcf4\ud638\ub418\uc9c0 \uc54a\uc740 ViewState \uac12\uc774 \ud3ec\ud568\ub418\uc5b4 \uc788\uc2b5\ub2c8\ub2e4. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = \uc548\uc804 \ud558\uc9c0 \uc54a\uc740 JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
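Review bot: removing the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` entries changes the lookup result from an empty string to a missing key. With Java ResourceBundle semantics the locale file falls back to the base bundle, so this is only safe if the base Messages.properties either still defines these keys or the scan rule's reference getter tolerates their absence; otherwise a MissingResourceException is raised when the alert is built. Please confirm one of the two before merging.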
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
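Review bot: the new `pscanrules.polyfillcdnscript.desc2` text has a number agreement error, "one or more script which appear" should read "one or more scripts which appear"; since this is the same English string being seeded into every locale file, fix it in the source bundle so the corrected wording propagates. For `pscanrules.polyfillcdnscript.refs`, the sansec.io write-up is a good primary reference, but the second entry is a social-media status link, which tends to disappear; consider a more durable reference. The `retrievedfromcache.desc`/`.soln` pairs are text-identical, so those are whitespace-only changes.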
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
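Review bot: `pscanrules.usercontrolledjavascriptevent.extrainfo` still reads "event(s) was found"; while this line is being reformatted anyway, "event(s) were found" (or "One or more user-controlled JavaScript events were found") would be correct, again via the source bundle. The removal of the empty `pscanrules.usercontrolledcharset.refs=` key has the same fallback concern as the insecureform refs keys earlier in this file: confirm the base bundle defines it or the rule handles its absence. The `usercontrolledcookie.extrainfo.get`/`.post` pairs differ only in trailing whitespace, and the `\: \n` to `\:\n` edits in the two extrainfo strings are a real improvement since the stray space otherwise shows up at the end of a line in the alert.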
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
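Review bot: this hunk deletes the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` entries, and the next hunk does the same for `pscanrules.xpoweredbyheaderinfoleak.extrainfo=`. Same check as for the other removed empty keys: an empty value returns "" to the rule, a missing key falls through to the base bundle and raises MissingResourceException if it is absent there too, so make sure the base bundle or the rule code covers these before the locale entries go.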
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_mk_MK.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_mk_MK.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_mk_MK.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_mk_MK.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
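Review bot: the `-`/`+` pairs here are whitespace-only, but while `pscanrules.anticlickjacking.compliance.malformed.setting.soln` is being touched note that it opens a parenthesis at "(if you expect the page to be framed" and never closes it; the clause should end with "you should use DENY)." This needs fixing in the source bundle rather than in Messages_mk_MK.properties, otherwise the next sync reintroduces it.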
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ms_MY.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ms_MY.properties index 213c4aa804c..76861a20a03 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ms_MY.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ms_MY.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
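Review bot: dropping the two empty entries here (`pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=`) turns a defined-but-empty reference into a key that is undefined for this locale. With Java `ResourceBundle` resolution a key missing from a locale file falls back to the base bundle, so this is only safe if the base `Messages.properties` has the same removal (or never had the keys) or the rules tolerate a missing reference key; please confirm, because the same applies to `pscanrules.usercontrolledcharset.refs=`, `pscanrules.xbackendserver.extrainfo=` / `.refs=` and `pscanrules.xpoweredbyheaderinfoleak.extrainfo=` removed in the later hunks.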
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
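Review bot: two points on this hunk. First, `pscanrules.polyfillcdnscript.desc2` reads "one or more script which appear"; it should be "one or more scripts which appear", matching `desc1` ("one or more script files"). Second, the new `+pscanrules.retrievedfromcache.desc` and `+pscanrules.retrievedfromcache.soln` lines are shown broken after "shared cache." and "user-specific information.", with the rest of the sentence on the following line, while the `-` lines they replace are single lines. If that break is really in the file and not just wrapping in this view, the `.properties` parser ends the value there and reads "If the response data is sensitive ..." as a separate entry (key `If`), silently truncating both messages; please check the raw file.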
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
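Review bot: `pscanrules.timestampdisclosure.extrainfo` now ends in `{1}.`, so the full stop follows the substituted evaluated timestamp and reads as part of the value, while `pscanrules.usernameidor.otherinfo` (`with value\: {1}`) in a later hunk is left without one. Pick one convention for messages that end in a `{n}` placeholder, preferably no trailing punctuation after the value.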
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
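Review bot: in `pscanrules.usercontrolledhtmlattributes.extrainfo` the change from `\: \n\na(n)` to `\:\na(n)` also drops one of the two newlines, so the "appears to include user input in:" section is now separated by a single line break while every other section of the same message (`{0}\n\n`, `attribute\n\n`, `{3}\={4}\n\n`) keeps a blank line. The intent was presumably only to remove the stray space, i.e. `\:\n\na(n)`; the `usercontrolledjavascriptevent.extrainfo` rewrite in this hunk keeps `\:\n\n` at the corresponding spot, which is the consistent form.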
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_nb_NO.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_nb_NO.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_nb_NO.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_nb_NO.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
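Review bot: the trailing `\t` dropped from `pscanrules.heartbleed.desc` is a genuine fix rather than whitespace noise: the escape would render as a literal tab at the end of the alert description. Make sure the same stray escape is gone from the base `Messages.properties` as well, otherwise the next translation sync will reintroduce it here. The `pscanrules.hashdisclosure.soln` pair in the same hunk shows no visible change and looks like trailing-whitespace cleanup.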
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
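Review bot: `pscanrules.polyfillcdnscript.desc2` reads "one or more script which appear", which should be "one or more scripts which appear" (`desc1` gets it right with "script files"); since the strings in this locale file are English fallback text, the wording fix belongs in the base `Messages.properties` so it propagates to every locale. Also, the second entry in `pscanrules.polyfillcdnscript.refs` is an `x.com` status URL, which is a fragile reference for an alert that ships to users; the sansec.io write-up alone is the more durable citation.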
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
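Review bot: the usercontrolledhtmlattributes.extrainfo edit does more than strip trailing spaces: `\: \n\na(n)` becomes `\:\na(n)`, so the blank line between "appears to include user input in:" and the "a(n) [{1}] tag [{2}] attribute" line disappears, while every other section of the same message keeps the `\n\n` separator. If the intent was whitespace cleanup only, keep `\:\n\na(n)` so the rendered alert layout is unchanged. The removed usercontrolledjavascriptevent.extrainfo line appears to break before "The page at the following URL"; if that was a real newline in the file rather than display wrapping, the value ended there, and the single-line replacement is the right fix.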
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
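Review bot: dropping the empty xbackendserver.extrainfo and xbackendserver.refs keys changes behaviour for this locale, not just tidiness: with the key absent, ResourceBundle falls through to the parent (base) bundle, whereas the empty value here overrode the base text with an empty string. That is an improvement only if the base Messages.properties actually defines these keys, or if the rule code tolerates a missing key; please confirm one of the two. The same check applies to the xpoweredbyheaderinfoleak.extrainfo, insecureformload.refs, insecureformpost.refs and usercontrolledcharset.refs keys removed in later hunks of this patch.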
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_nl_NL.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_nl_NL.properties index 35611571e95..ddd4bf25ff2 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_nl_NL.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_nl_NL.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
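Review bot: the unbalanced parenthesis in anticlickjacking.compliance.malformed.setting.soln survives this change: "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY." opens two parentheses and closes one. Suggest either closing it after "DENY" or dropping the opening parenthesis; if this locale file is generated from the base bundle, the fix belongs in Messages.properties so the next sync does not reintroduce it.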
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authenticatie gegevens vastgelegd pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
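Review bot: the unchanged cookielooselyscoped.desc context line directly above the edited extrainfo still reads "domain scope.The domain scope" with no space after the full stop; worth fixing in the same whitespace pass (in the base bundle if this file is derived from it).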
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domein Misconfiguratie pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update naar OpenSSL 1.0.1g of hoger. Geef HTTPS cer pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Geef gevoelige informatie niet door aan URI's. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
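Review bot: polyfillcdnscript.desc2 has a number-agreement slip: "one or more script which appear to include a reference" should read "one or more scripts which appear to include a reference" (desc1 correctly says "script files"). Separately, the second entry in polyfillcdnscript.refs is a post on x.com, which is not a durable citation for an alert reference; if the sansec.io write-up already covers the point, consider keeping only that, or replacing the post with a more stable reference where one exists.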
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
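Review bot: appending a full stop directly after the substituted value in timestampdisclosure.extrainfo (`{1}.`) puts punctuation flush against a timestamp that users are likely to copy, and is inconsistent with the otherwise identical pattern in usernameidor.otherinfo ("with value\: {1}"), which an earlier hunk of this patch leaves without one. Suggest adding the period only to timestampdisclosure.desc and leaving the extrainfo value unterminated.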
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
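Review bot: the `pscanrules.usercontrolledjavascriptevent.extrainfo` change is more than cosmetic and deserves a line in the commit message: the removed value appears to have been split across two physical lines at "The page at the following URL", and without a trailing backslash a Java properties loader ends the value at that line break and reads the remainder as a separate key, so joining it onto one line is a real fix. While these lines are being touched, the surrounding text has grammar slips worth fixing in the same pass: "User-controlled javascript event(s) was found" (should be "were found"), "sanitize output it before writing" in both `pscanrules.usercontrolledhtmlattributes.soln` and `pscanrules.usercontrolledjavascriptevent.soln` (drop "it"), and "filter out semicolon's" in `pscanrules.usercontrolledcookie.soln` (should be "semicolons"). The `-`/`+` pairs for `.usercontrolledcookie.extrainfo.get` and `.post` show no visible difference, so presumably trailing whitespace only; the hunk header `-323,25 +327,24` is consistent with the one dropped empty `.usercontrolledcharset.refs=` line.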
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
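Review bot: the `-`/`+` pairs for `pscanrules.usernameidor.otherinfo` and `.soln` show no visible text change, so this is whitespace normalisation and the commit message should say so. Since the line is being rewritten anyway, `The hash was an {0}` hard-codes the article in front of a placeholder that will hold an algorithm name, and the correct article depends on the value substituted ("an MD5" but "a SHA-256"); `The hash type was {0}, with value\: {1}` avoids the problem.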
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
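Review bot: deleting the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` overrides changes what users of this locale see: with Java's ResourceBundle an empty override resolves to an empty string, whereas a missing key falls back to the default bundle, so the reference links will now appear instead of a blank field. That is the desirable outcome, but please confirm the base `Messages.properties` defines both keys (a key missing from the whole bundle chain makes the lookup fail rather than fall back) and state the fallback intent in the commit message. The header `-390,9 +393,7` matches the two removed lines.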
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pcm_NG.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pcm_NG.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pcm_NG.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pcm_NG.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
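Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` is rewritten here with no visible change, yet it still carries an unbalanced parenthesis: "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise ... you should use DENY." opens two parentheses and closes only one. Since the line is already in the diff, close it after "DENY" (`...you should use DENY). Alternatively consider...`). The `-`/`+` pairs for `.compliance.meta.soln` and `.incInCsp` likewise show no textual difference, so the commit message should note these are whitespace-only.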
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
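Review bot: the hunk only tightens `\: \n` to `\:\n` in `pscanrules.cookielooselyscoped.extrainfo`, but the adjacent `pscanrules.cookielooselyscoped.desc` context line has a missing space in "domain scope.The domain scope applied to a cookie", which is worth fixing in the same pass given the patch is already doing punctuation cleanup across this file.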
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
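Review bot: the period added to `pscanrules.crossdomain.desc` is fine, but the adjacent `pscanrules.crossdomain.extrainfo` context line says "IP address white-listing" while `pscanrules.usercontrolledcharset.soln` in this same patch already uses "only an allowed list is used"; pick one term ("allow-listing") so the rule texts stay consistent. The desc's "Web browser data loading may be possible" also undersells what the extrainfo describes ("permits cross-domain read requests from arbitrary third party domains"); wording the desc around cross-origin reads of this server's responses would match it.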
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
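Review bot: removing the stray `\t` at the end of `pscanrules.heartbleed.desc` is the substantive fix in this hunk (a trailing tab in a properties value survives into the rendered alert text), and the commit message should say so because the `-`/`+` lines otherwise look identical. While here, the description says "obtain sensitive information from process memory ... potentially disclosing sensitive information", which states the same consequence twice; dropping the final clause reads cleaner. The `pscanrules.hashdisclosure.soln` pair shows no visible change (whitespace only).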
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
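Review bot: the `pscanrules.infoprivateaddressdisclosure.soln` rewrite shows no visible change, but the neighbouring `.desc` context line lists "172.x.x.x" as a private range; RFC 1918, which the `.refs` line in this same hunk cites, reserves only 172.16.0.0/12 (172.16.x.x through 172.31.x.x), so "172.x.x.x" overstates the range and will confuse anyone who follows the reference. Suggest "172.16.x.x to 172.31.x.x". The soln text also reads "use JSP/ASP/PHP comment instead of HTML/JavaScript comment"; "comments" in both places.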
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
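Review bot: same fallback consideration as the other removed empty overrides in this patch: deleting `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` switches this locale from showing an empty reference field to inheriting the default bundle's value, so confirm those keys exist in the base bundle before relying on the fallback. On the JSF lines, `pscanrules.insecurejsfviewstate.extrainfo` says "JSF ViewState [{0}] is insecure." while `.soln` says "Secure VIEWSTATE with a MAC"; since both lines are edited here, use one casing ("ViewState"). The header `-206,25 +206,23` is consistent with the two removed lines.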
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
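Review bot: the new `+pscanrules.retrievedfromcache.desc` and `+pscanrules.retrievedfromcache.soln` values appear in this diff split across two physical lines (at "If the response data is sensitive" and at "If it does, consider"), whereas the removed versions were single lines. If that split is real and not display wrapping, a Java properties loader ends each value at the line break and reads the remainder as a new key, truncating the alert text to its first sentence; keep each value on one line or add a trailing backslash continuation, and verify the file on disk before merging. On the added polyfill keys, `pscanrules.polyfillcdnscript.desc2` reads "one or more script which appear"; "one or more scripts which appear". These new keys are also English source text landing in a `pcm_NG` locale file, which is fine if this is the translation-platform sync filling untranslated keys, but the commit message should say so.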
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
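Review bot: `usercontrolledjavascriptevent.extrainfo` is rewritten here but keeps the number disagreement in "User-controlled javascript event(s) was found"; while touching the line, make it "were found" or drop the "(s)". Three context lines in the same hunk carry small defects that fit the same sweep: `usercontrolledcookie.soln` "filter out semicolon's" (no apostrophe), and both `usercontrolledhtmlattributes.soln` and `usercontrolledjavascriptevent.soln` "sanitize output it before writing" (stray "it"). Deleting the empty `usercontrolledcharset.refs=` override means this locale now inherits whatever the base bundle defines for that key, which is a behaviour change if the base has a non-empty value; please confirm that is intended.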
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
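Review bot: `usernameidor.otherinfo` hardcodes the article in "The hash was an {0}", which reads correctly for "an MD5" but not for "a SHA-1" or "a SHA-256"; since the line only loses trailing whitespace here, consider rewording it while it is open, e.g. `The hash type was {0}, with value\: {1}`. Minor: `usernameidor.refs` pins WSTG v41 while `xpoweredbyheaderinfoleak.refs` further down points at v42; aligning the versions across the file avoids two copies of the same guide going stale at different rates.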
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
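Review bot: the `xbackendserver.desc` context line repeats itself in "may be able to attack other systems or more directly/efficiently attack those systems"; "attack those systems directly or more efficiently" says the same thing once. Dropping the empty `xbackendserver.extrainfo=` and `xbackendserver.refs=` overrides makes this locale fall back to the base bundle for both keys, so check that the base either defines them or that the rule copes with their absence before the override was masking that.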
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pl_PL.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pl_PL.properties index dd91ef8854b..644be91b957 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pl_PL.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pl_PL.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
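Review bot: `anticlickjacking.compliance.malformed.setting.soln` has an unbalanced parenthesis: "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then ... you should use DENY." opens an outer paren that is never closed; the line is already being rewritten (whitespace only), so close it after "DENY" in the same change. Also note this is the pl_PL bundle and every string in the hunk is English rather than Polish, so these are untranslated fallbacks; if the file is regenerated from the translation platform, edits made here will be lost.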
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
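Review bot: the `authenticationcredentialscaptured.refs` context line links the OWASP Brute_force_attack page, which does not match what the desc describes (passive capture of Basic/Digest credentials on the wire, not guessing); RFC 7617 for Basic alongside the existing Digest link would be a closer reference. The two rewritten lines in this hunk differ only by trailing whitespace.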
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
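Review bot: `cookielooselyscoped.desc` is missing a space at a sentence boundary in "domain scope.The domain scope applied to a cookie"; it is a context line here, but cheap to fix while the neighbouring `extrainfo` line is being touched for whitespace.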
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
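Review bot: `crossdomain.extrainfo` asserts that "Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs", which only holds when the server does not also send `Access-Control-Allow-Credentials: true` together with a reflected `Access-Control-Allow-Origin`; stating it as a condition keeps the "this reduces the risk somewhat" reasoning from understating that case. While the desc line is open for its trailing period, "white-listing" in the extrainfo could become "allow-listing".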
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
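Review bot: appending a period to `pscanrules.desc` changes the add-on's own description string (shown in the add-on manager), not an alert message; check that sibling add-ons end their `.desc` the same way, otherwise this one will be the odd entry in the list. The `csp.wildcard.otherinfo` change only removes a space before `\n` and is fine.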
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
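Review bot: removing the literal `\t` at the end of `heartbleed.desc` is the right call, since it rendered as a tab in the alert text; while the line is open, it says both "obtain sensitive information from process memory" and "potentially disclosing sensitive information", so the closing clause can be dropped without losing anything.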
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
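Review bot: the `infoprivateaddressdisclosure.desc` context line lists "172.x.x.x" as a private range, but RFC 1918 (the rule's own ref) reserves only 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x; 172.32.x.x and above are public, so the text should say "172.16-31.x.x" or "172.16.0.0/12" to match what the rule presumably matches. The `soln` line in this hunk changes only in trailing whitespace.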
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
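Review bot: `linktarget.desc` says a link lacking both "noopener" and "noreferrer" "allows the target page to take control of this page"; current browsers apply noopener implicitly to `target="_blank"` anchors, so the window.opener access the rule warns about remains for legacy browsers and for named targets other than `_blank`. "may allow" would be more accurate. Removing the empty `insecureformload.refs=` and `insecureformpost.refs=` overrides makes the locale inherit the base bundle's values for those keys; confirm that is intended.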
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
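Review bot: the five new `pscanrules.polyfillcdnscript.*` entries land in this locale file as untranslated English, and `desc2` carries a grammar slip from the source string ("one or more script which appear" should read "one or more scripts which appear"); that fix belongs in the source Messages.properties so the next sync propagates it, not in this file. The removed and re-added `retrievedfromcache.desc` and `retrievedfromcache.soln` lines show no textual difference in the hunk, so that part looks like whitespace or line-ending normalisation; a whitespace-ignoring diff would confirm the Arabic bundle lost nothing.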
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
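Review bot: removing the empty `pscanrules.usercontrolledcharset.refs=` entry changes behaviour from returning an empty string to falling back to the default bundle (or failing the lookup if the default lacks the key); confirm the default Messages.properties defines `usercontrolledcharset.refs` or that the rule tolerates an absent refs key. The `usercontrolledcookie.extrainfo.get` and `.post` lines are removed and re-added with no visible text change, presumably trailing-whitespace cleanup; their `\n\n` trailers are still present, which is required because `usercontrolledcookie.extrainfo` places `{0}` immediately before "This was identified at".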
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
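Review bot: deleting the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` entries means the rule now reads those keys from the default bundle instead of getting an empty string, so confirm both keys exist there (or that the passive scanner's lookup of optional `extrainfo`/`refs` keys handles absence) before merging.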
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pt_BR.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pt_BR.properties index d8960563773..e588fec3382 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pt_BR.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pt_BR.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uso de mecanismo inseguro de autentica\u00e7\u00e3o [{2}], revelando o nome de usu\u00e1rio [{3}] e a senha [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uso de mecanismo inseguro de autentica\u00e7\u00e3o [{2}], revelando o nome de usu\u00e1rio [{3}] e a informa\u00e7\u00f5es adicionais [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Credenciais de Autentica\u00e7\u00e3o Capturadas pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS e um mecanismo seguro que n\u00e3o transmita o identificador de usu\u00e1rio e a senha sem criptografia. Em particular, evite o uso de autentica\u00e7\u00e3o b\u00e1sica, visto que \u00e9 uma ofusca\u00e7\u00e3o trivial e facilmente quebr\u00e1vel. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
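Review bot: the `authenticationcredentialscaptured.soln` change replaces an existing pt_BR translation with the English source text, a localisation regression for Portuguese users. If this comes from a translation-platform sync where the source string was edited and the translation invalidated, that is expected, but the dropped Portuguese text covered the same advice (use HTTPS, avoid Basic Authentication), so restoring it or queuing the string for re-translation would be better than shipping English while `.name` stays in Portuguese. The `.desc` line is removed and re-added with no visible difference, which looks like whitespace normalisation.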
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Os cookies podem ser atribu\u00eddos por dom\u00ednio ou caminho. Essa verifica\u00e7\u00e3o se refere apenas ao escopo do dom\u00ednio. O escopo do dom\u00ednio aplicado a um cookie determina quais dom\u00ednios podem acess\u00e1-lo. Por exemplo, um cookie pode ter seu escopo definido estritamente para um subdom\u00ednio, por exemplo, www.naoconfiavel.com.br, ou vagamente para um dom\u00ednio pai, por exemplo, naoconfiavel.com.br. No \u00faltimo caso, qualquer subdom\u00ednio de naoconfiavel.com.br pode acessar o cookie. Cookies de escopo mais fraco s\u00e3o comuns em megaaplicativos como google.com e live.com. Os cookies definidos a partir de um subdom\u00ednio como app.foo.bar s\u00e3o transmitidos apenas para esse dom\u00ednio pelo navegador. No entanto, os cookies com escopo para um dom\u00ednio de n\u00edvel pai podem ser transmitidos ao pai ou a qualquer subdom\u00ednio do pai. -pscanrules.cookielooselyscoped.extrainfo = O dom\u00ednio de origem usado para compara\u00e7\u00e3o foi\: {0} {1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Cookie com Escopo Fraco pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
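Review bot: `cookielooselyscoped.extrainfo` loses its Portuguese translation and switches format from `{0} {1}` to `\n{0}\n{1}`; the format change explains why the old translation was invalidated, but the string should be queued for re-translation, since the surrounding `.desc` and `.name` keys remain in Portuguese and the alert will render mixed-language.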
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = O carregamento de dados do navegador da web pode ser poss\u00edvel, devido a uma configura\u00e7\u00e3o incorreta do Cross Origin Resource Sharing (CORS) no servidor web +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = A configura\u00e7\u00e3o incorreta do CORS no servidor da web permite solicita\u00e7\u00f5es de leitura entre dom\u00ednios de dom\u00ednios arbitr\u00e1rios de terceiros, usando APIs n\u00e3o autenticadas neste dom\u00ednio. No entanto, as implementa\u00e7\u00f5es do navegador da Web n\u00e3o permitem que terceiros arbitr\u00e1rios leiam a resposta de APIs autenticadas. Isso reduz o risco um pouco. Essa configura\u00e7\u00e3o incorreta pode ser usada por um invasor para acessar dados que est\u00e3o dispon\u00edveis de maneira n\u00e3o autenticada, mas que usam alguma outra forma de seguran\u00e7a, como lista de permiss\u00f5es de endere\u00e7os IP. pscanrules.crossdomain.name = Configura\u00e7\u00e3o Incorreta Entre Dom\u00ednios pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
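Review bot: `crossdomain.desc` swaps a complete Portuguese translation for the English source, apparently only because the source gained a trailing period; the neighbouring `crossdomain.extrainfo` and `crossdomain.name` stay in Portuguese, so the alert will be mixed-language. Re-applying the old translation with the period added (`... no servidor web.`) would preserve the localisation instead of falling back to English.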
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Atualize para OpenSSL 1.0.1g ou posterior. Emita no pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = A resposta parecia conter mensagens de erro comuns retornadas por plataformas como ASP.NET e servidores da Web como IIS e Apache. Voc\u00ea pode configurar a lista de mensagens de depura\u00e7\u00e3o comuns. pscanrules.informationdisclosuredebugerrors.name = Divulga\u00e7\u00e3o de informa\u00e7\u00f5es - Mensagens de Erro de Depura\u00e7\u00e3o 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = A URL parece conter informa\u00e7\u00f5es de cart\u00e3o de cr\u00e9dito. pscanrules.informationdisclosureinurl.otherinfo.email = A URL cont\u00e9m endere\u00e7os de e-mail. pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = A URL parece conter o(s) n\u00famero(s) de Seguro Social dos EUA +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = N\u00e3o passe informa\u00e7\u00f5es confidenciais em URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
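Review bot: `informationdisclosureinurl.otherinfo.ssn` drops its Portuguese translation for English while the sibling `otherinfo.cc` and `otherinfo.email` keys stay translated; if the only source change was the terminal period, the old text plus that period (`... Seguro Social dos EUA.`) would keep the alert consistently localised.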
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = O m\u00e9todo b\u00e1sico de autentica\u00e7\u00e3o ou digest tem sido utilizado em uma conex\u00e3o insegura. As credenciais podem ser lidas e reutilizadas por algu\u00e9m com acesso a rede. pscanrules.insecureauthentication.name = M\u00e9todo Fraco de Autentica\u00e7\u00e3o pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Proteja a conex\u00e3o utilizando HTTPS ou um m\u00e9todo forte de autentica\u00e7\u00e3o +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = A resposta \u00e0 seguinte URL cont\u00e9m um valor de Viewstate que n\u00e3o tem prote\u00e7\u00e3o criptogr\u00e1fica. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] \u00e9 Inseguro +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Viewstate JSF Inseguro pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Torne o VIEWSTATE seguro com um MAC espec\u00edfico em seu ambiente +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
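Review bot: the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys are deleted rather than translated, so lookups in this locale will fall back to the base bundle. Confirm that the base `Messages.properties` still defines both keys (or that the rules tolerate a missing `refs` entry); otherwise building the alert's reference text fails with a missing-resource lookup. The same removal is repeated later in this file for `usercontrolledcharset.refs`, `xbackendserver.extrainfo` and `.refs`, and `xpoweredbyheaderinfoleak.extrainfo`, so one check covers all of them.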
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Emitente\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
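Review bot: `pscanrules.polyfillcdnscript.desc2` has a grammar slip in "one or more script which appear", which should read "one or more scripts which appear"; since these strings are copied verbatim from the source bundle, fix it there so every locale picks it up. The second entry in `pscanrules.polyfillcdnscript.refs` is a social-media post (`https://x.com/triblondon/status/1761852117579427975`), which is not a durable citation; the Sansec write-up on the same line already documents the incident, so consider dropping the tweet or replacing it with a stable source. The `retrievedfromcache.desc` `-`/`+` pair is identical apart from being moved below the new keys, so that part of the hunk is reordering only.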
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
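Review bot: the `-`/`+` pair for `pscanrules.stricttransportsecurity.compliance.malformed.content.soln` is textually identical in the rendered diff, so this hunk is presumably trailing-whitespace trimming. Several later hunks have the same shape; a one-line mention in the commit message that the change includes whitespace-only normalisation would save reviewers from hunting for a wording difference that is not there.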
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = Um carimbo de data/hora foi divulgado pela aplica\u00e7\u00e3o/servidor web -pscanrules.timestampdisclosure.extrainfo = {0}, que avalia\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Divulga\u00e7\u00e3o de Data e Hora pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Confirme manualmente se os dados do carimbo de data/hora n\u00e3o s\u00e3o confidenciais e se os dados n\u00e3o podem ser agregados para divulgar padr\u00f5es explor\u00e1veis. 
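Review bot: after this hunk the Timestamp Disclosure alert mixes languages: `pscanrules.timestampdisclosure.name` and `.soln` remain Portuguese while `.desc` and `.extrainfo` become English. Also, `.extrainfo` now ends with a period placed directly after the `{1}` placeholder, so the closing punctuation lands right after the evaluated timestamp value; check that this matches how other `extrainfo` strings that end in a placeholder are terminated.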
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Confirme manualmente se os dados do carimb pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
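Review bot: the changed lines here only drop stray spaces before `\n` and trailing whitespace, which is fine, but the surrounding context exposes two source-string typos that should be corrected in the base bundle: `pscanrules.usercontrolledcookie.soln` says "filter out semicolon's" (should be "semicolons"), and both `pscanrules.usercontrolledhtmlattributes.soln` and `pscanrules.usercontrolledjavascriptevent.soln` read "sanitize output it before writing" (should be "sanitize it before writing" or "sanitize output before writing").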
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = Um hash de um nome de usu\u00e1rio ({0}) foi encontrado na resposta. Isso pode indicar que a aplica\u00e7\u00e3o est\u00e1 sujeita a uma vulnerabilidade Insecure Direct Object Reference (IDOR). O teste manual ser\u00e1 necess\u00e1rio para ver se essa descoberta pode ser abusada. pscanrules.usernameidor.name = Hash de Nome de Usu\u00e1rio Encontrado -pscanrules.usernameidor.otherinfo = O hash era um {0}, com valor\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use refer\u00eancias de objeto indireto por usu\u00e1rio ou sess\u00e3o (crie um mapeamento tempor\u00e1rio no momento do uso). Ou certifique-se de que cada uso de uma refer\u00eancia direta ao objeto esteja vinculado a uma verifica\u00e7\u00e3o de autoriza\u00e7\u00e3o para garantir que o usu\u00e1rio esteja autorizado para o objeto solicitado. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = Os seguintes e-mails foram encontrados em s\u00e9rie no campo viewstate\: pscanrules.viewstate.content.email.name = E-mails encontrados no Viewstate 
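Review bot: `pscanrules.usernameidor.otherinfo` hard-codes the article in "The hash was an {0}", which only reads correctly for some algorithm names ("an MD5" works, "an SHA-256" does not) and forces translators to choose an article before the value is known. Prefer a form without the article, e.g. `The hash was {0}, with value\: {1}` or `Hash type\: {0}, value\: {1}`, in the base bundle.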
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure o servidor para que ele n\u00e3o retorne esses cabe\u00e7alhos. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = O servidor da web/aplicativo est\u00e1 vazando informa\u00e7\u00f5es por meio de um ou mais cabe\u00e7alhos de resposta HTTP "X-Powered-By". O acesso a essas informa\u00e7\u00f5es pode facilitar que os invasores identifiquem outras estruturas/componentes dos quais seu aplicativo da web depende e as vulnerabilidades \u00e0s quais esses componentes podem estar sujeitos. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = O servidor vaza informa\u00e7\u00f5es por meio dos campos de cabe\u00e7alho de resposta HTTP "X-Powered-By" pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = Os seguintes cabe\u00e7alhos X-Powered-By tamb\u00e9m foram encontrados\: pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pt_PT.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pt_PT.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pt_PT.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_pt_PT.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
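Review bot: the outer parenthesis in `pscanrules.anticlickjacking.compliance.malformed.setting.soln`, opened at "(if you expect the page to be framed only by pages on your server", is never closed, and the `-`/`+` pair is otherwise identical, so this is a whitespace-only touch of a line that has a real defect. Since the line is being rewritten anyway, close the parenthesis after "you should use DENY" in the base bundle, or split the advice into two sentences. The `meta.soln` / `incInCsp` pair below it is likewise identical before and after, presumably line-ending normalisation.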
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
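Review bot: the context line for `pscanrules.cookielooselyscoped.desc` is missing a space in "domain scope.The domain scope"; as the very next key in this block is being edited for whitespace, fix that in the base bundle in the same pass. The `.extrainfo` change itself (dropping the space before `\n`) is correct.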
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
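Review bot: removing the trailing `\t` from `pscanrules.heartbleed.desc` is a real fix rather than cosmetic: in a `.properties` file an escaped tab is part of the value, so the alert description previously ended with a literal tab character. The sentence itself still says "obtain sensitive information ... potentially disclosing sensitive information", which is redundant; consider trimming the second clause in the base bundle.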
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
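Review bot: deleting the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` entries turns an explicit empty value into a missing key, so lookups in this locale will now fall back to the default bundle, or fail if the default bundle drops the key too. Before merging, confirm that the default `Messages.properties` still defines these keys or that the two rules tolerate an absent reference string; the same check applies to the later removals of `pscanrules.usercontrolledcharset.refs=`, `pscanrules.xbackendserver.extrainfo=`, `pscanrules.xbackendserver.refs=` and `pscanrules.xpoweredbyheaderinfoleak.extrainfo=`. The trailing-period additions in this hunk (`insecureauthentication.soln`, `insecurejsfviewstate.extrainfo`, `insecurejsfviewstate.soln`) are fine as they stand.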
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
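Review bot: the new `pscanrules.polyfillcdnscript.desc2` string has a number-agreement slip ("one or more script which appear") and should read "one or more scripts which appear"; since this text is presumably propagated from the source bundle, the fix belongs there rather than only in these locale copies. Two smaller points in the same hunk: `pscanrules.polyfillcdnscript.refs` cites a social-media post (`https://x.com/triblondon/status/...`) as a reference, which is a fragile citation for an alert that ends up in customer-facing reports, so the sansec.io write-up alone, or a vendor advisory, would be the more durable choice; and `pscanrules.polyfillcdnscript.soln` ("Change all scripts to use a known good source based on their documentation") could usefully name the concrete remediation the desc strings imply, namely removing or self-hosting the affected script rather than loading it from the flagged domain.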
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
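Review bot: `pscanrules.timestampdisclosure.extrainfo` now places a full stop directly after the interpolated `{1}` (`which evaluates to\: {1}.`), so the rendered alert ends with the decoded timestamp immediately followed by a dot, which reads as part of the value when it is copied out of a report. Suggest leaving this template without the trailing period, as `pscanrules.usernameidor.otherinfo` (`with value\: {1}`) does in a later hunk of this same patch; the period added to `pscanrules.timestampdisclosure.desc` is fine.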
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
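Review bot: in `pscanrules.usercontrolledhtmlattributes.extrainfo` the separator after "appears to include user input in\:" is reduced from `\n\n` to a single `\n`, while every other section break in the same message, and the matching spot in `pscanrules.usercontrolledjavascriptevent.extrainfo` (which keeps `\:\n\nUser-input`), still uses `\n\n`. Dropping the stray space before the newline is the intended fix, so keep the blank line (`\:\n\na(n)`) for consistent rendering across the two alerts. Also in this hunk, the `-`/`+` pairs for `usercontrolledcookie.extrainfo.get` and `.post` are textually identical (presumably trailing whitespace again), and the removal of the empty `pscanrules.usercontrolledcharset.refs=` needs the same default-bundle fallback check as the other dropped empty keys.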
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ro_RO.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ro_RO.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ro_RO.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ro_RO.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
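Review bot: the context lines `pscanrules.csp.xcsp.otherinfo` and `pscanrules.csp.xwkcsp.otherinfo` both read "While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP"; a comma after "degree" is needed in both and would fit this punctuation pass. For `pscanrules.desc`, the string is the add-on description shown in the add-on manager next to other add-ons' descriptions, so check that ending it with a full stop matches what the other add-ons do before merging.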
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
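Review bot: the context line `pscanrules.infoprivateaddressdisclosure.desc` lists "172.x.x.x" as a private range, but RFC 1918 (the reference this rule links) reserves only 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x, so "172.x.x.x" overstates the range and is worth correcting while this rule's strings are being touched. The soln being reformatted would also read better as "use JSP/ASP/PHP comments instead of HTML/JavaScript comments, which can be seen by client browsers".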
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
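Review bot: removing the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys turns an empty-string lookup into a missing-key lookup; confirm that the corresponding rule classes (their getReference() or whatever helper they use) tolerate an absent key rather than surfacing the raw key or a lookup error in the alert. Separately, the context line `pscanrules.insecureformload.desc` would read better with the abbreviation expanded on first use, "hijacked through a man-in-the-middle (MITM) attack".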
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
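Review bot: `pscanrules.polyfillcdnscript.desc2` has a number-agreement error, "one or more script which appear" should be "one or more scripts which appear". In `pscanrules.polyfillcdnscript.refs` the second entry is an x.com status URL, which is not a durable citation for an alert reference; prefer a stable write-up (the sansec.io article already listed, or a vendor advisory) so the reference does not rot. Also, the blank line inserted after `pscanrules.polyfillcdnscript.soln` is the only blank separator in this region of the file; the surrounding keys run without blank lines, so drop it for consistency.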
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
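Review bot: the context lines `pscanrules.stricttransportsecurity.compliance.malformed.content.desc` and `pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc` both start with "A HTTP Strict Transport Security (HSTS) header"; the article should be "An HTTP", and the first of them also has a comma splice ("(perhaps curly quotes), the expectation is that ..."), which a semicolon or a full stop would fix. Both are worth folding into this whitespace cleanup of the soln.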
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
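Review bot: the full stop added to `pscanrules.timestampdisclosure.extrainfo` lands directly after the `{1}` placeholder, so the rendered text becomes "..., which evaluates to: <date>." and the trailing period reads as part of the evaluated value when the alert text is copied or parsed. For strings that end in a placeholder, leave the terminal punctuation off (as `pscanrules.usernameidor.otherinfo` in this same patch does) or reword so the placeholder is not the last token.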
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
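Review bot: `pscanrules.usercontrolledhtmlattributes.extrainfo` changes the separator before "a(n) [{1}] tag" from "\n\n" to a single "\n", which breaks the blank-line layout that the rest of that string (and `pscanrules.usercontrolledjavascriptevent.extrainfo`) uses; if the intent was only to drop the trailing space, keep "\:\n\na(n)". In `pscanrules.usercontrolledjavascriptevent.extrainfo`, "event(s) was found" should be "event(s) were found", and "javascript"/"Javascript" should be "JavaScript" to match the rule name. Removing the empty `pscanrules.usercontrolledcharset.refs=` key has the same missing-key implication as the other removed `refs=` entries, so the rule's reference lookup must tolerate an absent key; and the context line `pscanrules.usercontrolledcookie.soln` has a stray apostrophe in "semicolon's".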
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
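Review bot: `pscanrules.usernameidor.otherinfo` keeps "The hash was an {0}", where the article depends on the substituted algorithm name ("an MD5" works, "a SHA-256" does not); rephrase as "The hash algorithm was {0}, with value\: {1}" so the string reads correctly for every algorithm. The whitespace-only change to `pscanrules.usernameidor.soln` is fine.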
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
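Review bot: dropping the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` keys is only safe if the X-Backend-Server rule no longer asks the message bundle for them; an empty string previously rendered as nothing, whereas a missing key surfaces a lookup error or placeholder text in the alert, so check the rule (and its unit test) before merging.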
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ru_RU.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ru_RU.properties index 1665b0bcfd3..218445f4afa 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ru_RU.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ru_RU.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a X-Frame-Options \u043f\u0440\u0438\u0441\u0443\u0442\u0441\u0442\u0432\u043e\u0432\u0430\u043b \u0432 \u043e\u0442\u0432\u0435\u0442\u0435, \u043d\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u0431\u044b\u043b\u043e \u0437\u0430\u0434\u0430\u043d\u043e \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e. pscanrules.anticlickjacking.compliance.malformed.setting.name = \u041f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 X-Frame-Options \u0438\u0441\u043a\u0430\u0436\u0435\u043d pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u043d\u0430 \u0432\u0441\u0435\u0445 \u0432\u0435\u0431-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430\u0445, \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u043c\u044b\u0445 \u0432\u0430\u0448\u0438\u043c \u0441\u0430\u0439\u0442\u043e\u043c, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0434\u043e\u043f\u0443\u0441\u0442\u0438\u043c\u0430\u044f \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430 (\u0435\u0441\u043b\u0438 \u0432\u044b \u043e\u0436\u0438\u0434\u0430\u0435\u0442\u0435, \u0447\u0442\u043e \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u0431\u0443\u0434\u0435\u0442 \u043e\u0431\u0440\u0430\u043c\u043b\u044f\u0442\u044c\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430\u043c\u0438 \u043d\u0430 \u0432\u0430\u0448\u0435\u043c \u0441\u0435\u0440\u0432\u0435\u0440\u0435 (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u043e\u043d\u0430 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0447\u0430\u0441\u0442\u044c\u044e FRAMESET), \u0432\u0430\u043c 
\u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c SAMEORIGIN, \u0432 \u043f\u0440\u043e\u0442\u0438\u0432\u043d\u043e\u043c \u0441\u043b\u0443\u0447\u0430\u0435, \u0435\u0441\u043b\u0438 \u0432\u044b \u043d\u0438\u043a\u043e\u0433\u0434\u0430 \u043d\u0435 \u043e\u0436\u0438\u0434\u0430\u0439\u0442\u0435, \u0447\u0442\u043e \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u0431\u0443\u0434\u0435\u0442 \u0432\u043e \u0444\u0440\u0435\u0439\u043c\u0435, \u0432\u044b \u0434\u043e\u043b\u0436\u043d\u044b \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c DENY.\u0412 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0430\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u044b \u0440\u0430\u0441\u0441\u043c\u043e\u0442\u0440\u0438\u0442\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u044b \u00abframe-ancestors\u00bb \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0438 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
pscanrules.anticlickjacking.compliance.meta.desc = \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d META-\u0442\u0435\u0433 X-Frame-Options (XFO), \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435 XFO \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e META-\u0442\u0435\u0433\u0430 \u044f\u0432\u043d\u043e \u043d\u0435 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0435\u0439 (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options, \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u0435 \u0447\u0435\u0440\u0435\u0437 META (\u043d\u0435 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4\n -pscanrules.anticlickjacking.compliance.meta.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b X-Frame-Options \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u044b \u0432 \u043f\u043e\u043b\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u043e\u0442\u0432\u0435\u0442\u0430. \u0412 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 \u0430\u043b\u044c\u0442\u0435\u0440\u043d\u0430\u0442\u0438\u0432\u044b \u0440\u0430\u0441\u0441\u043c\u043e\u0442\u0440\u0438\u0442\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u044b Content Security Policy \u00abframe-ancestors\u00bb. 
-pscanrules.anticlickjacking.incInCsp = Content-Security-Policy \u0432\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u0432 \u0441\u0435\u0431\u044f \u044d\u043b\u0435\u043c\u0435\u043d\u0442 \u00ab\u043f\u0440\u0435\u0434\u043a\u0438 \u0444\u0440\u0435\u0439\u043c\u043e\u0432\u00bb ( 'frame-ancestors'), \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0438\u043c\u0435\u0435\u0442 \u043f\u0440\u0438\u043e\u0440\u0438\u0442\u0435\u0442 \u043d\u0430\u0434 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u043c X-Frame-Options, \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043e\u043d \u0431\u044b\u043b \u043f\u043e\u0434\u043d\u044f\u0442 \u0441 \u041d\u0418\u0417\u041a\u0418\u041c \u0440\u0438\u0441\u043a\u043e\u043c. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = \n\u041e\u0442\u0432\u0435\u0442 \u043d\u0435 \u0432\u043a\u043b\u044e\u0447\u0430\u0435\u0442 Content-Security-Policy \u0441 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u043e\u0439 \u00abframe-ancestors\u00bb \u0438\u043b\u0438 X-Frame-Options \u0434\u043b\u044f \u0437\u0430\u0449\u0438\u0442\u044b \u043e\u0442 \u0430\u0442\u0430\u043a \u00abClickJacking\u00bb. pscanrules.anticlickjacking.missing.name = \u041e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a (Header) \u0434\u043b\u044f \u0437\u0430\u0449\u0438\u0442\u044b \u043e\u0442 \u043a\u043b\u0438\u043a\u0434\u0436\u0435\u043a\u0438\u043d\u0433\u0430 pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
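Review bot: the new `pscanrules.anticlickjacking.compliance.malformed.setting.soln` value has an unbalanced parenthesis: the group opened at `(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, ...` is never closed before `you should use DENY.`; either close it after `DENY` or drop the outer parenthesis, and since this text is copied from the English source string the fix belongs in the default Messages.properties so the next locale sync picks it up. Also confirm that replacing the Russian values of `compliance.malformed.setting.soln`, `compliance.meta.soln` and `incInCsp` with English in a Russian locale file is the intended result of the translation sync: the removed `compliance.meta.soln` and `incInCsp` translations matched the English meaning, and only the removed `malformed.setting.soln` had a visible defect (`DENY.\u0412 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435`, no space after the full stop).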
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = \u041f\u0440\u043e\u0441\u043c\u043e\u0442\u pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 [{2}], \u0440\u0430\u0441\u043a\u0440\u044b\u0432\u0430\u044f \u0438\u043c\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f [{3}] \u0438 \u043f\u0430\u0440\u043e\u043b\u044c [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 [{2}], \u0440\u0430\u0441\u043a\u0440\u044b\u0432\u0430\u044f \u0438\u043c\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f [{3}] \u0438 \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e [{4}]. -pscanrules.authenticationcredentialscaptured.desc = \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. 
\u042d\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0443 \u0432 \u0441\u0435\u0442\u0438 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u0443 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0438 \u043f\u0430\u0440\u043e\u043b\u044e \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f. \u0414\u043b\u044f \u0431\u0430\u0437\u043e\u0432\u043e\u0439 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u0434\u043e\u043b\u0436\u0435\u043d \u043f\u0440\u043e\u0441\u0442\u043e \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0442\u044c \u0441\u0435\u0442\u0435\u0432\u043e\u0439 \u0442\u0440\u0430\u0444\u0438\u043a \u0434\u043e \u0442\u0435\u0445 \u043f\u043e\u0440, \u043f\u043e\u043a\u0430 \u043d\u0435 \u0431\u0443\u0434\u0435\u0442 \u043f\u043e\u043b\u0443\u0447\u0435\u043d \u0437\u0430\u043f\u0440\u043e\u0441 \u0431\u0430\u0437\u043e\u0432\u043e\u0439 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u0430 \u0437\u0430\u0442\u0435\u043c base64 \u0434\u0435\u043a\u043e\u0434\u0438\u0440\u0443\u0435\u0442 \u0438\u043c\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0438 \u043f\u0430\u0440\u043e\u043b\u044c. 
\u0414\u043b\u044f \u0434\u0430\u0439\u0434\u0436\u0435\u0441\u0442-\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u0438\u043c\u0435\u0435\u0442 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0438\u043c\u0435\u043d\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0438, \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e, \u0442\u0430\u043a\u0436\u0435 \u043a \u043f\u0430\u0440\u043e\u043b\u044e, \u0435\u0441\u043b\u0438 \u0445\u044d\u0448 (\u0432\u043a\u043b\u044e\u0447\u0430\u044f \u043e\u0434\u043d\u043e\u0440\u0430\u0437\u043e\u0432\u044b\u0439 \u043d\u043e\u043c\u0435\u0440) \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0443\u0441\u043f\u0435\u0448\u043d\u043e \u0432\u0437\u043b\u043e\u043c\u0430\u043d \u0438\u043b\u0438 \u0435\u0441\u043b\u0438 \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0430 \u0430\u0442\u0430\u043a\u0430 Man-In-The-Middle.\n\u0417\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043f\u043e\u0434\u0441\u043b\u0443\u0448\u0438\u0432\u0430\u0435\u0442 \u0441\u0435\u0442\u044c \u0434\u043e \u0437\u0430\u0432\u0435\u0440\u0448\u0435\u043d\u0438\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. 
For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. pscanrules.authenticationcredentialscaptured.name = \u0423\u0447\u0435\u0442\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0434\u043b\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u0437\u0430\u043f\u0438\u0441\u0430\u043d\u044b pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b HTTPS, \u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043d\u0435 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442 \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0438\u043b\u0438 \u043f\u0430\u0440\u043e\u043b\u044c \u0432 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043e\u043c \u0432\u0438\u0434\u0435. \u0412 \u0447\u0430\u0441\u0442\u043d\u043e\u0441\u0442\u0438, \u043d\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 Basic Authentication, \u0442\u0430\u043a \u043a\u0430\u043a \u044d\u0442\u043e\u0442 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u043b\u0435\u0433\u043a\u043e \u0432\u0437\u043b\u043e\u043c\u0430\u0442\u044c. 
+pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = \u0421\u0435\u0440\u0432\u0435\u0440 \u043e\u0442\u0432\u0435\u0442\u0438\u043b \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c\n\u044d\u0442\u043e, \u043a\u0430\u0436\u0435\u0442\u0441\u044f, \u0434\u0430\u0435\u0442 \u0431\u043e\u043b\u044c\u0448\u043e\u0439 \u043e\u0442\u043a\u043b\u0438\u043a.\n\u042d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043e\u0437\u043d\u0430\u0447\u0430\u0442\u044c, \u0447\u0442\u043e, \u0445\u043e\u0442\u044f \u0441\u0435\u0440\u0432\u0435\u0440 \u043e\u0442\u043f\u0440\u0430\u0432\u0438\u043b \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435, \n\u043e\u043d \u0442\u0430\u043a\u0436\u0435 \u043e\u0442\u0432\u0435\u0442\u0438\u043b \u043e\u0441\u043d\u043e\u0432\u043d\u044b\u043c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u044b\u043c (\u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u043c\u043e\u0436\u0435\u0442 \u0432\u043a\u043b\u044e\u0447\u0430\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435, PII \u0438 \u0442. \u0434.) pscanrules.bigredirects.extrainfo = \u0414\u043b\u0438\u043d\u0430 URI \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u043c\u0435\u0441\u0442\u043e\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u0438\u044f\: {0} [{1}].\n\u041f\u0440\u043e\u0433\u043d\u043e\u0437\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u0440\u0430\u0437\u043c\u0435\u0440 \u043e\u0442\u0432\u0435\u0442\u0430\: {2}.\n\u0414\u043b\u0438\u043d\u0430 \u0442\u0435\u043b\u0430 \u043e\u0442\u0432\u0435\u0442\u0430\: {3}. 
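Review bot: the new `pscanrules.authenticationcredentialscaptured.desc` value spans two physical lines, with `For Digest Authentication, the attacker has access to the username, ...` starting the second one; in a .properties file that second line belongs to the value only if the first line ends with a `\` continuation, and none is visible after `base64 decode the username and password.` in this hunk. Verify the backslash is present in the committed file (the removed Russian value used the same two-line layout, so this may be a rendering artifact), otherwise the second line is parsed as a bogus key. Minor: `un-encrypted` in the new `.soln` is normally spelled `unencrypted`, but as the string mirrors the English source it should be corrected there rather than in this locale file.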
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0434\u043b\u044f \u0432\u0441\u0435\u0445 \u0444\u0430\u0439\u043b\u043e\u0432 cookie \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d \u0444\u043b\u0430\u0433 HttpOnly. pscanrules.cookielooselyscoped.desc = \u0424\u0430\u0439\u043b\u044b cookie \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u044b \u0434\u043e\u043c\u0435\u043d\u043e\u043c \u0438\u043b\u0438 \u043f\u0443\u0442\u0435\u043c. \n\u042d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043a\u0430\u0441\u0430\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043e\u0431\u043b\u0430\u0441\u0442\u0438 \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f \u0434\u043e\u043c\u0435\u043d\u0430. \n\u041e\u0431\u043b\u0430\u0441\u0442\u044c \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u044f \u0444\u0430\u0439\u043b\u0430 cookie \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u044f\u0435\u0442, \u043a\u0430\u043a\u0438\u0435 \u0434\u043e\u043c\u0435\u043d\u044b \u043c\u043e\u0433\u0443\u0442 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043a \u043d\u0435\u043c\u0443 \u0434\u043e\u0441\u0442\u0443\u043f. \n\u041d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, cookie \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u043f\u0440\u0438\u0432\u044f\u0437\u0430\u043d \u0441\u0442\u0440\u043e\u0433\u043e \u043a \u0441\u0443\u0431\u0434\u043e\u043c\u0435\u043d\u0443, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 www.nottrusted.com \n\u0438\u043b\u0438 \u0441 \u043f\u0440\u0438\u0432\u044f\u0437\u043a\u043e\u0439 \u043a \u0440\u043e\u0434\u0438\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u043c\u0443 \u0434\u043e\u043c\u0435\u043d\u0443, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 nottrusted.com. 
\n\u0412 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u043c \u0441\u043b\u0443\u0447\u0430\u0435 \u043b\u044e\u0431\u043e\u0439 \u043f\u043e\u0434\u0434\u043e\u043c\u0435\u043d nottrusted.com \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a cookie. \n\u0424\u0430\u0439\u043b\u044b cookie \u0441 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u044b \u0432 \u043c\u0435\u0433\u0430\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u0445, \u0442\u0430\u043a\u0438\u0445 \u043a\u0430\u043a google.com \u0438 live.com. \n\u0424\u0430\u0439\u043b\u044b cookie, \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044b\u0435 \u0441 \u0441\u0443\u0431\u0434\u043e\u043c\u0435\u043d\u0430, \u0442\u0430\u043a\u043e\u0433\u043e \u043a\u0430\u043a app.foo.bar, \u043f\u0435\u0440\u0435\u0434\u0430\u044e\u0442\u0441\u044f \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u043c \u0442\u043e\u043b\u044c\u043a\u043e \u0432 \u044d\u0442\u043e\u0442 \u0434\u043e\u043c\u0435\u043d. 
\n\u041e\u0434\u043d\u0430\u043a\u043e \u0444\u0430\u0439\u043b\u044b cookie, \u043e\u0442\u043d\u043e\u0441\u044f\u0449\u0438\u0435\u0441\u044f \u043a \u0434\u043e\u043c\u0435\u043d\u0443 \u0440\u043e\u0434\u0438\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u0433\u043e \u0443\u0440\u043e\u0432\u043d\u044f, \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u043f\u0435\u0440\u0435\u0434\u0430\u043d\u044b \u0440\u043e\u0434\u0438\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u043c\u0443 \u0434\u043e\u043c\u0435\u043d\u0443 \n\u0438\u043b\u0438 \u043b\u044e\u0431\u043e\u043c\u0443 \u043f\u043e\u0434\u0434\u043e\u043c\u0435\u043d\u0443 \u0440\u043e\u0434\u0438\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0430. -pscanrules.cookielooselyscoped.extrainfo = \u0414\u043e\u043c\u0435\u043d \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0436\u0434\u0435\u043d\u0438\u044f, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043b\u044f \u0441\u0440\u0430\u0432\u043d\u0435\u043d\u0438\u044f\:\n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0} pscanrules.cookielooselyscoped.name = Cookie \u0441 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
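Review bot: the removed Russian `pscanrules.cookielooselyscoped.extrainfo` was a faithful translation of the new English value (`\u0414\u043e\u043c\u0435\u043d \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0436\u0434\u0435\u043d\u0438\u044f, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043b\u044f \u0441\u0440\u0430\u0432\u043d\u0435\u043d\u0438\u044f` reads "the origin domain used for comparison") and carried the identical `\:\n{0}\n{1}` placeholders, so this hunk discards a working translation rather than fixing one. Confirm the reset is intentional, for example because the source string was touched and the translation platform invalidated it; if it is not, keep the Russian value.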
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie \u0431\u0435\u0437 \u0444\u043b\u0430\ pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = \u0412\u0441\u044f\u043a\u0438\u0439 \u0440\u0430\u0437, \u043a\u043e\u0433\u0434\u0430 \u0444\u0430\u0439\u043b cookie \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \n\u0438\u043b\u0438 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0442\u043e\u043a\u0435\u043d\u043e\u043c \u0441\u0435\u0430\u043d\u0441\u0430, \u0435\u0433\u043e \u0432\u0441\u0435\u0433\u0434\u0430 \u0441\u043b\u0435\u0434\u0443\u0435\u0442 \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0442\u044c \u043f\u043e \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u043a\u0430\u043d\u0430\u043b\u0443. \n\u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0434\u043b\u044f \u0444\u0430\u0439\u043b\u043e\u0432 cookie, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0449\u0438\u0445 \u0442\u0430\u043a\u0443\u044e \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e, \n\u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d \u0444\u043b\u0430\u0433 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438. 
-pscanrules.crossdomain.desc = \u0417\u0430\u0433\u0440\u0443\u0437\u043a\u0430 \u0434\u0430\u043d\u043d\u044b\u0445 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u0430 \u0438\u0437-\u0437\u0430 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 Cross Origin Resource Sharing (CORS) \n\u043d\u0430 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0435. +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f CORS \u043d\u0430 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0435 \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u0435\u0442 \u043c\u0435\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u044b\u0435 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u0447\u0442\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0445 \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0438\u0445 \u0434\u043e\u043c\u0435\u043d\u043e\u0432 \n\u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c \u043d\u0435\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 API \u0432 \u044d\u0442\u043e\u043c \u0434\u043e\u043c\u0435\u043d\u0435. 
\n\u041e\u0434\u043d\u0430\u043a\u043e \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 \u043d\u0435 \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u044e\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u043c \u0442\u0440\u0435\u0442\u044c\u0438\u043c \u0441\u0442\u043e\u0440\u043e\u043d\u0430\u043c \u0447\u0438\u0442\u0430\u0442\u044c \u043e\u0442\u0432\u0435\u0442 \u043e\u0442 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 API. \n\u042d\u0442\u043e \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0441\u043d\u0438\u0436\u0430\u0435\u0442 \u0440\u0438\u0441\u043a. \n\u042d\u0442\u0430 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0430 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u043e\u043c \u0434\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0434\u0430\u043d\u043d\u044b\u043c, \n\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b \u0431\u0435\u0437 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438, \u043d\u043e \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044e\u0442 \u0434\u0440\u0443\u0433\u0443\u044e \u0444\u043e\u0440\u043c\u0443 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \n\u0442\u0430\u043a\u0443\u044e \u043a\u0430\u043a \u0431\u0435\u043b\u044b\u0439 \u0441\u043f\u0438\u0441\u043e\u043a IP-\u0430\u0434\u0440\u0435\u0441\u043e\u0432. 
pscanrules.crossdomain.name = \u041c\u0435\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u0430\u044f \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
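Review bot: the removed Russian `pscanrules.crossdomain.desc` matched the new English value in meaning and placeholders, so as with the other resets in this file the reviewer should confirm the translation was deliberately invalidated rather than lost. Separately, the English phrasing `Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.` is awkward (it is the browser's cross-origin read of data that becomes possible); if it is reworded, do so in the default Messages.properties so that all locale files receive the same text on the next sync, not in this hunk.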
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u0432\u0441\u0442\u0440\u043e\u0435\u043d\u043d\u044b\u0439 pscanrules.csp.stylesrc.unsafe.otherinfo = style-src \u0432\u043a\u043b\u044e\u0447\u0430\u0435\u0442 unsafe-inline. pscanrules.csp.wildcard.name = \u0414\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 \u043f\u043e\u0434\u0441\u0442\u0430\u043d\u043e\u0432\u043e\u0447\u043d\u043e\u0433\u043e \u0437\u043d\u0430\u043a\u0430 -pscanrules.csp.wildcard.otherinfo = \u0421\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u044b \u043b\u0438\u0431\u043e \u0440\u0430\u0437\u0440\u0435\u0448\u0430\u044e\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u043e\u0434\u0441\u0442\u0430\u043d\u043e\u0432\u043e\u0447\u043d\u044b\u0445 \u0437\u043d\u0430\u043a\u043e\u0432 (\u0438\u043b\u0438 \u043f\u0440\u0435\u0434\u043a\u043e\u0432), \u043b\u0438\u0431\u043e \u043d\u0435 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u044b, \u043b\u0438\u0431\u043e \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u044b \u0441\u043b\u0438\u0448\u043a\u043e\u043c \u0448\u0438\u0440\u043e\u043a\u043e\: +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = \u0412 \u044d\u0442\u043e\u043c \u043e\u0442\u0432\u0435\u0442\u0435 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a X-Content-Security-Policy. 
\u0425\u043e\u0442\u044f \u044d\u0442\u043e \u0445\u043e\u0440\u043e\u0448\u0438\u0439 \u043f\u0440\u0438\u0437\u043d\u0430\u043a \u0442\u043e\u0433\u043e, \u0447\u0442\u043e CSP \u0432 \u043a\u0430\u043a\u043e\u0439-\u0442\u043e \u0441\u0442\u0435\u043f\u0435\u043d\u0438 \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d, \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0430, \u0443\u043a\u0430\u0437\u0430\u043d\u043d\u0430\u044f \u0432 \u044d\u0442\u043e\u043c \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0435, \u043d\u0435 \u0431\u044b\u043b\u0430 \u043f\u0440\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u0430 ZAP. \u0427\u0442\u043e\u0431\u044b \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0442\u044c \u043f\u043e\u043b\u043d\u0443\u044e \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0443 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u043c\u0438 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430\u043c\u0438, \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a Content-Security-Policy \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d \u0438 \u043f\u0440\u0438\u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d \u043a \u043e\u0442\u0432\u0435\u0442\u0430\u043c. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = \u0412 \u044d\u0442\u043e\u043c \u043e\u0442\u0432\u0435\u0442\u0435 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a X-WebKit-CSP. 
\u0425\u043e\u0442\u044f \u044d\u0442\u043e \u0445\u043e\u0440\u043e\u0448\u0438\u0439 \u043f\u0440\u0438\u0437\u043d\u0430\u043a \u0442\u043e\u0433\u043e, \u0447\u0442\u043e CSP \u0432 \u043a\u0430\u043a\u043e\u0439-\u0442\u043e \u0441\u0442\u0435\u043f\u0435\u043d\u0438 \u0440\u0435\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d, \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0430, \u0443\u043a\u0430\u0437\u0430\u043d\u043d\u0430\u044f \u0432 \u044d\u0442\u043e\u043c \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0435, \u043d\u0435 \u0431\u044b\u043b\u0430 \u043f\u0440\u043e\u0430\u043d\u0430\u043b\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u0430 ZAP. \u0427\u0442\u043e\u0431\u044b \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0442\u044c \u043f\u043e\u043b\u043d\u0443\u044e \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0443 \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u043c\u0438 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430\u043c\u0438, \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a Content-Security-Policy \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d \u0438 \u043f\u0440\u0438\u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d \u043a \u043e\u0442\u0432\u0435\u0442\u0430\u043c. -pscanrules.desc = \u041f\u0440\u0430\u0432\u0438\u043b\u0430 \u043f\u0430\u0441\u0441\u0438\u0432\u043d\u043e\u0433\u043e \u0441\u043a\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u0432\u044b\u043f\u0443\u0441\u043a\u0430 +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
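Review bot: the removed Russian `pscanrules.csp.wildcard.otherinfo` ended at the colon and had no `{0}` placeholder, so Russian users never saw the list of offending directives that the rule formats into this message; the new value restores `\:\n{0}`, which makes this hunk a functional fix rather than a plain translation reset. When the string is re-translated, the `\n{0}` suffix must be kept. The second change in this hunk, `pscanrules.desc = Release status passive scan rules.`, replaces a translation that was a literal rendering of the same phrase and raises no concern.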
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0438\u043b \u0445\u0435\u0448-\u043a\u043e\u0434. pscanrules.hashdisclosure.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0445\u044d\u0448\u0430 pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0445\u044d\u0448\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0435 \u0434\u043b\u044f \u0437\u0430\u0449\u0438\u0442\u044b \u0443\u0447\u0435\u0442\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 \u0438\u043b\u0438 \u0434\u0440\u0443\u0433\u0438\u0445 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432, \u043d\u0435 \u043f\u043e\u043f\u0430\u0434\u0430\u044e\u0442 \u043d\u0430 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u0438\u043b\u0438 \u0431\u0430\u0437\u0443 \u0434\u0430\u043d\u043d\u044b\u0445. \u041e\u0431\u044b\u0447\u043d\u043e \u043d\u0435 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f, \u0447\u0442\u043e\u0431\u044b \u0445\u044d\u0448\u0438 \u043f\u0430\u0440\u043e\u043b\u0435\u0439 \u0431\u044b\u043b\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b \u0434\u043b\u044f \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. 
-pscanrules.heartbleed.desc = \u0420\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 TLS \u0438 DTLS \u0432 OpenSSL 1.0.1 \u0434\u043e 1.0.1g \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043e\u0431\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u044e\u0442 \u043f\u0430\u043a\u0435\u0442\u044b Heartbeat Extension, \n\u0447\u0442\u043e \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u044b\u043c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u043f\u043e\u043b\u0443\u0447\u0430\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u0438\u0437 \u043f\u0430\u043c\u044f\u0442\u0438 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430 \u0447\u0435\u0440\u0435\u0437 \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u044b\u0435 \u043f\u0430\u043a\u0435\u0442\u044b, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432\u044b\u0437\u044b\u0432\u0430\u044e\u0442 \u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430, \n\u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0440\u0430\u0441\u043a\u0440\u044b\u0432\u0430\u044f \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e. +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. 
pscanrules.heartbleed.extrainfo = {0} \u0443\u0436\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f.\n\u041e\u0431\u0440\u0430\u0442\u0438\u0442\u0435 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435, \u043e\u0434\u043d\u0430\u043a\u043e, \u0447\u0442\u043e \u0441\u043e\u043e\u0431\u0449\u0430\u0435\u043c\u0430\u044f \u0432\u0435\u0440\u0441\u0438\u044f \u043c\u043e\u0436\u0435\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c \u0438\u0441\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \n\u043f\u0435\u0440\u0435\u043d\u0435\u0441\u0435\u043d\u043d\u044b\u0435 \u043d\u0430 \u043f\u0440\u0435\u0434\u044b\u0434\u0443\u0449\u0443\u044e \u0432\u0435\u0440\u0441\u0438\u044e,\n\u0438 \u043f\u043e\u044d\u0442\u043e\u043c\u0443 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u043b\u043e\u0436\u043d\u044b\u043c \u0441\u0440\u0430\u0431\u0430\u0442\u044b\u0432\u0430\u043d\u0438\u0435\u043c.\n\u041d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u044d\u0442\u043e \u0440\u0430\u0441\u043f\u0440\u043e\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u043e \u0432 Red Hat. pscanrules.heartbleed.name = \u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c Heartbleed OpenSSL (\u043e\u0440\u0438\u0435\u043d\u0442\u0438\u0440\u043e\u0432\u043e\u0447\u043d\u0430\u044f) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
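Review bot: both resets in this hunk correct the Russian text rather than merely revert it, which is worth recording for the translators. The removed `pscanrules.hashdisclosure.soln` said the hashes must not "get onto" (`\u043d\u0435 \u043f\u043e\u043f\u0430\u0434\u0430\u044e\u0442 \u043d\u0430`) the web server or database, whereas the English source says they must not be leaked by them; and the removed `pscanrules.heartbleed.desc` described a buffer overflow (`\u043f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430`) where the new value correctly says `buffer over-read`, which is the actual CVE-2014-0160 defect. The next Russian version should keep the over-read wording and the "leaked by" sense.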
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = \u041e\u0431\u043d\u043e\u0432\u0438\u0442\u0435 Op pscanrules.infoprivateaddressdisclosure.desc = \u0412 \u0442\u0435\u043b\u0435 \u043e\u0442\u0432\u0435\u0442\u0430 HTTP \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d \u0447\u0430\u0441\u0442\u043d\u044b\u0439 IP-\u0430\u0434\u0440\u0435\u0441 (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, 10.x.x.x, 172.x.x.x, 192.168.x.x) \n\u0438\u043b\u0438 \u0447\u0430\u0441\u0442\u043d\u043e\u0435 \u0438\u043c\u044f \u0445\u043e\u0441\u0442\u0430 Amazon EC2 (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, ip-10-0-56-78). \n\u042d\u0442\u0430 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u043f\u043e\u043b\u0435\u0437\u043d\u0430 \u0434\u043b\u044f \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0438\u0445 \u0430\u0442\u0430\u043a \u043d\u0430 \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c\u044b. pscanrules.infoprivateaddressdisclosure.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0447\u0430\u0441\u0442\u043d\u043e\u0439 \u0418\u0421 pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = \u0423\u0434\u0430\u043b\u0438\u0442\u0435 \u0447\u0430\u0441\u0442\u043d\u044b\u0439 IP-\u0430\u0434\u0440\u0435\u0441 \u0438\u0437 \u0442\u0435\u043b\u0430 \u043e\u0442\u0432\u0435\u0442\u0430 HTTP. 
\n\u0414\u043b\u044f \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u0435\u0432 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u0439 JSP / ASP / PHP \u0432\u043c\u0435\u0441\u0442\u043e \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0440\u0438\u044f HTML / JavaScript, \n\u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043c\u043e\u0433\u0443\u0442 \u0432\u0438\u0434\u0435\u0442\u044c \u043a\u043b\u0438\u0435\u043d\u0442\u0441\u043a\u0438\u0435 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u044b. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = \u041e\u0442\u0432\u0435\u0442, \u043f\u043e-\u0432\u0438\u0434\u0438\u043c\u043e\u043c\u0443, \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u043b \u0442\u0438\u043f\u0438\u0447\u043d\u044b\u0435 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f \u043e\u0431 \u043e\u0448\u0438\u0431\u043a\u0430\u0445, \n\u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u043c\u044b\u0435 \u0442\u0430\u043a\u0438\u043c\u0438 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430\u043c\u0438, \u043a\u0430\u043a ASP.NET, \u0438 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c\u0438, \u0442\u0430\u043a\u0438\u043c\u0438 \u043a\u0430\u043a IIS \u0438 Apache. \n\u0412\u044b \u043c\u043e\u0436\u0435\u0442\u0435 \u043d\u0430\u0441\u0442\u0440\u043e\u0438\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u043e\u0431\u0449\u0438\u0445 \u043e\u0442\u043b\u0430\u0434\u043e\u0447\u043d\u044b\u0445 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0439. 
pscanrules.informationdisclosuredebugerrors.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 - \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f \u043e\u0431 \u043e\u0448\u0438\u0431\u043a\u0430\u0445 \u043e\u0442\u043b\u0430\u0434\u043a\u0438 
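Review bot: the new `pscanrules.infoprivateaddressdisclosure.soln` value is missing articles and a comma: "use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen" reads better as "use a JSP/ASP/PHP comment instead of an HTML/JavaScript comment, which can be seen by client browsers". Since this is a localisation bundle, also confirm the reset from Russian to English is intended; the adjacent `.desc`, `.name` and `.refs` keys stay Russian, and the untouched `.name` value reads "частной ИС", which looks like a mistranslation of "Private IP" that this hunk leaves in place.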
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = \u0420\u0430\u0441\u043a\u0440\u044 pscanrules.informationdisclosureinurl.otherinfo.cc = \u041f\u043e\u0445\u043e\u0436\u0435, \u0447\u0442\u043e URL-\u0430\u0434\u0440\u0435\u0441 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u043e \u043a\u0440\u0435\u0434\u0438\u0442\u043d\u043e\u0439 \u043a\u0430\u0440\u0442\u0435. pscanrules.informationdisclosureinurl.otherinfo.email = URL-\u0430\u0434\u0440\u0435\u0441 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0430\u0434\u0440\u0435\u0441 (\u0430) \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0439 \u043f\u043e\u0447\u0442\u044b. pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = URL-\u0430\u0434\u0440\u0435\u0441 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e. \u041f\u043e \u0448\u0430\u0431\u043b\u043e\u043d\u0443 \u0431\u044b\u043b\u0430 \u043d\u0430\u0439\u0434\u0435\u043d\u0430 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0430\u044f \u0441\u0442\u0440\u043e\u043a\u0430\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = URL-\u0430\u0434\u0440\u0435\u0441 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043d\u043e\u043c\u0435\u0440\u0430 \u0441\u043e\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0441\u0442\u0440\u0430\u0445\u043e\u0432\u0430\u043d\u0438\u044f \u0421\u0428\u0410. +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). 
pscanrules.informationdisclosureinurl.soln = \u041d\u0435 \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0439\u0442\u0435 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u0443\u044e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u0432 URI. pscanrules.informationdisclosurereferrer.bin.field = \u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0439 \u043d\u043e\u043c\u0435\u0440 \u0431\u0430\u043d\u043a\u0430\: 
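Review bot: after this hunk `pscanrules.informationdisclosureinurl.otherinfo.ssn` is the only English value among its siblings (`otherinfo.cc`, `otherinfo.email` and `otherinfo.sensitiveinfo` remain Russian), so a single rule will report its findings in two languages; either reset the whole `otherinfo.*` group together or keep the Russian string. The new wording "appears to contain" does match the hedged phrasing of the `otherinfo.cc` sibling ("Похоже, что"), which the removed Russian `.ssn` text lacked.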
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = \u0414\u043b\u044f \u0431\u0435\u0437\u043e\u pscanrules.insecureauthentication.desc = \u0411\u0430\u0437\u043e\u0432\u0430\u044f \u0438\u043b\u0438 \u0434\u0430\u0439\u0434\u0436\u0435\u0441\u0442-\u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f \u0432 HTTP \u043f\u0440\u043e\u0432\u043e\u0434\u0438\u0442\u0441\u044f \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435. \u0414\u0430\u043d\u043d\u044b\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u043f\u0440\u043e\u0447\u0438\u0442\u0430\u043d\u044b \u0438 \u0437\u0430\u0442\u0435\u043c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u044b \u043b\u044e\u0431\u044b\u043c \u043b\u0438\u0446\u043e\u043c \u0441 \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c \u043a \u0441\u0435\u0442\u0438. 
pscanrules.insecureauthentication.name = \u0421\u043b\u0430\u0431\u044b\u0439 \u043c\u0435\u0442\u043e\u0434 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = \u0417\u0430\u0449\u0438\u0442\u0438\u0442\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u0435 \u0441 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435\u043c HTTPS, \u0438\u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u0431\u043e\u043b\u0435\u0435 \u0437\u0430\u0449\u0438\u0449\u0451\u043d\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = \u042d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0438\u0449\u0435\u0442 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0435 HTTP-\u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u044b HTTPS-\u0444\u043e\u0440\u043c\u044b.\n\u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0430\u044f \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 HTTP \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u043b\u0435\u0433\u043a\u043e \u0432\u0437\u043b\u043e\u043c\u0430\u043d\u0430 \u0447\u0435\u0440\u0435\u0437 MITM, \n\u0430 \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u0430\u044f \u0444\u043e\u0440\u043c\u0430 HTTPS \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c 
\u0437\u0430\u043c\u0435\u043d\u0435\u043d\u0430 \u0438\u043b\u0438 \u043f\u043e\u0434\u0434\u0435\u043b\u0430\u043d\u0430. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = \u041d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u043f\u0435\u0440\u0435\u0445\u043e\u0434 HTTP \u043d\u0430 HTTPS \u0432 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0438 \u0444\u043e\u0440\u043c\u044b (Form Post) -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 HTTPS \u0434\u043b\u044f \u0446\u0435\u043b\u0435\u0432\u044b\u0445 \u0441\u0442\u0440\u0430\u043d\u0438\u0446, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u044b \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u044b\u0435 \u0444\u043e\u0440\u043c\u044b. 
pscanrules.insecureformpost.desc = \u042d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u044f\u0435\u0442 \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u044b\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b HTTPS, \u043d\u0430 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0440\u0430\u0437\u043c\u0435\u0449\u0435\u043d\u044b \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0435 \u0444\u043e\u0440\u043c\u044b HTTP.\n\n\u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0432 \u0442\u043e\u043c, \u0447\u0442\u043e \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u0430\u044f \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0438\u0442 \u043d\u0430 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u0443\u044e \u043f\u0440\u0438 \u0437\u0430\u0433\u0440\u0443\u0437\u043a\u0435 \u0434\u0430\u043d\u043d\u044b\u0445 \u0447\u0435\u0440\u0435\u0437 \u0444\u043e\u0440\u043c\u0443.\n\n\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0434\u0443\u043c\u0430\u0442\u044c, \u0447\u0442\u043e \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u0442 \u0434\u0430\u043d\u043d\u044b\u0435 \u043d\u0430 \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u0443\u044e \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443, \u0445\u043e\u0442\u044f \u043d\u0430 \u0441\u0430\u043c\u043e\u043c \u0434\u0435\u043b\u0435 \u044d\u0442\u043e \u043d\u0435 \u0442\u0430\u043a. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = \u041d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 \u043f\u0435\u0440\u0435\u0445\u043e\u0434 \u0441 HTTPS \u043d\u0430 HTTP \u0432 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u0438 \u0444\u043e\u0440\u043c\u044b (Form Post) -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u043e\u0442\u043f\u0440\u0430\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u043f\u043e \u0437\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u044b\u043c \u043a\u0430\u043d\u0430\u043b\u0430\u043c HTTPS. pscanrules.insecurejsfviewstate.desc = \u041e\u0442\u0432\u0435\u0442, \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u043d\u044b\u0439 \u0434\u043b\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u0433\u043e URL, \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 ViewState, \u043d\u0435 \u0437\u0430\u0449\u0438\u0449\u0451\u043d\u043d\u043e\u0435 \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0438\u0447\u0435\u0441\u043a\u0438\u043c\u0438 \u043c\u0435\u0442\u043e\u0434\u0430\u043c\u0438. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u043c +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. 
pscanrules.insecurejsfviewstate.name = \u041d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0439 JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = \u0417\u0430\u0449\u0438\u0442\u0438\u0442\u0435 VIEWSTATE \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e MAC, \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u0447\u043d\u044b\u043c \u0434\u043b\u044f \u0432\u0430\u0448\u0435\u0439 \u0441\u0440\u0435\u0434\u044b +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = \u041f\u043e \u043a\u0440\u0430\u0439\u043d\u0435\u0439 \u043c\u0435\u0440\u0435 \u043e\u0434\u043d\u0430 \u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u044d\u0442\u043e\u0439 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u0430 \u0434\u043b\u044f \u043e\u0431\u0440\u0430\u0442\u043d\u043e\u0439 \u0442\u0430\u0431\u0443\u043b\u044f\u0446\u0438\u0438, \n\u0442\u0430\u043a \u043a\u0430\u043a \u043e\u043d\u0430 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u0430\u0442\u0440\u0438\u0431\u0443\u0442 \u0431\u0435\u0437 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u043e\u0431\u043e\u0438\u0445 "noopener"\n\u0438 \u043a\u043b\u044e\u0447\u0435\u0432\u044b\u0435 \u0441\u043b\u043e\u0432\u0430 "noreferrer" \u0432 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0435 "rel", \n\u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0446\u0435\u043b\u0435\u0432\u043e\u0439 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0435 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u044d\u0442\u043e\u0439 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0435\u0439. 
pscanrules.linktarget.name = \u041e\u0431\u0440\u0430\u0442\u043d\u044b\u0439 \u0442\u0430\u0431\u043d\u0430\u0431\u0431\u0438\u043d\u0433 (Tabnabbing) 
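Review bot: deleting the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys is only safe if the rule classes no longer look them up, or the lookup tolerates a missing key by falling back to the default bundle rather than throwing a MissingResourceException; confirm the default Messages.properties and the rule code were changed in the same PR. The three value changes in this hunk (`insecureauthentication.soln`, `insecurejsfviewstate.extrainfo`, `insecurejsfviewstate.soln`) replace Russian with English next to keys that stay Russian, so the reason for the partial reset belongs in the commit message.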
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = \u0421\u0442\u0440\u0430\u043d\u0438\u0446\u0430 pscanrules.mixedcontent.name = \u0417\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u044b\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442 \u0441\u043c\u0435\u0448\u0430\u043d\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0435\u043d\u0442 pscanrules.mixedcontent.name.inclscripts = \u0417\u0430\u0449\u0438\u0449\u0435\u043d\u043d\u044b\u0435 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u044b \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442 \u0441\u043c\u0435\u0448\u0430\u043d\u043d\u043e\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 (\u0432\u043a\u043b\u044e\u0447\u0430\u044f \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0438) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = \u0421\u0442\u0440\u0430\u043d\u0438\u0446\u0430, \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0430\u044f \u0447\u0435\u0440\u0435\u0437 SSL / TLS, \u0434\u043e\u043b\u0436\u043d\u0430 \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u0441\u043e\u0441\u0442\u043e\u044f\u0442\u044c \u0438\u0437 \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430, \n\u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442\u0441\u044f \u0447\u0435\u0440\u0435\u0437 SSL / TLS.\n\u0421\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u043d\u0435 \u0434\u043e\u043b\u0436\u043d\u0430 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c \u043d\u0438\u043a\u0430\u043a\u043e\u0433\u043e \u043a\u043e\u043d\u0442\u0435\u043d\u0442\u0430, \n\u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u0435\u0440\u0435\u0434\u0430\u0435\u0442\u0441\u044f \u043f\u043e \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u043c\u0443 \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b\u0443 HTTP.\n 
\u0421\u044e\u0434\u0430 \u0432\u0445\u043e\u0434\u0438\u0442 \u043a\u043e\u043d\u0442\u0435\u043d\u0442 \u0441\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0438\u0445 \u0441\u0430\u0439\u0442\u043e\u0432. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = \u041f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u0432\u044b\u0433\u043b\u044f\u0434\u0438\u0442 \u043a\u0430\u043a \u0441\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0435 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435. \n\u0415\u0441\u043b\u0438 \u0432\u0430\u043c \u043d\u0443\u0436\u043d\u043e \u0438\u0437\u0443\u0447\u0438\u0442\u044c \u0435\u0433\u043e \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u0435\u0441\u043a\u0438, \n\u0442\u043e Ajax Spider \u043c\u043e\u0436\u0435\u0442 \u043e\u043a\u0430\u0437\u0430\u0442\u044c\u0441\u044f \u0431\u043e\u043b\u0435\u0435 \u044d\u0444\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u044b\u043c, \u0447\u0435\u043c \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0439. pscanrules.modernapp.name = \u0421\u043e\u0432\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0435 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 
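Review bot: in the new `pscanrules.mixedcontent.soln` value, "must be comprised completely of content" would be better as "must consist entirely of content"; otherwise the three-line structure with `\n` escapes mirrors the removed value. Same partial-reset caveat as elsewhere in this file: `.name`, `.name.inclscripts`, `.refs` and `.desc` in this hunk stay Russian while `.soln` becomes English.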
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = \u042d\u043c\u0438\u0442\u0435\u043d\u0442\: pscanrules.pii.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 PII pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = \u041a\u043e\u043d\u0442\u0435\u043d\u0442 \u0431\u044b\u043b \u043f\u043e\u043b\u0443\u0447\u0435\u043d \u0438\u0437 \u043e\u0431\u0449\u0435\u0433\u043e \u043a\u0435\u0448\u0430. \n\u0415\u0441\u043b\u0438 \u0434\u0430\u043d\u043d\u044b\u0435 \u043e\u0442\u0432\u0435\u0442\u0430 \u044f\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c\u0438, \u043b\u0438\u0447\u043d\u044b\u043c\u0438 \u0438\u043b\u0438 \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u0447\u043d\u044b\u043c\u0438 \u0434\u043b\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \n\u044d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0443\u0442\u0435\u0447\u043a\u0435 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438. 
\n\u0412 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0441\u043b\u0443\u0447\u0430\u044f\u0445 \u044d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u0434\u0430\u0436\u0435 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u0442\u043e\u043c\u0443, \u0447\u0442\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u043f\u043e\u043b\u0443\u0447\u0438\u0442 \u043f\u043e\u043b\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u0441\u0435\u0430\u043d\u0441\u043e\u043c \u0434\u0440\u0443\u0433\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u0432 \u0437\u0430\u0432\u0438\u0441\u0438\u043c\u043e\u0441\u0442\u0438 \u043e\u0442 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u0438 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u0432 \u043a\u044d\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0432 \u0438\u0445 \u0441\u0440\u0435\u0434\u0435. \n\u042d\u0442\u043e \u0432 \u043f\u0435\u0440\u0432\u0443\u044e \u043e\u0447\u0435\u0440\u0435\u0434\u044c \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430, \u043a\u043e\u0433\u0434\u0430 \u043a\u044d\u0448\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u0441\u0435\u0440\u0432\u0435\u0440\u044b, \u0442\u0430\u043a\u0438\u0435 \u043a\u0430\u043a \u043a\u0435\u0448\u0438 \u00ab\u043f\u0440\u043e\u043a\u0441\u0438\u00bb, \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u044b \u0432 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0435\u0442\u0438. 
\n\u042d\u0442\u0430 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f \u043e\u0431\u044b\u0447\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432 \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0439 \u0438\u043b\u0438 \u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u0435. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. 
This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = \u041f\u043e\u043b\u0443\u0447\u0435\u043d\u043e \u0438\u0437 \u043a\u0435\u0448\u0430 pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u043e\u0442\u0432\u0435\u0442 \u043d\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e\u0439, \u043b\u0438\u0447\u043d\u043e\u0439 \u0438\u043b\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438. 
\n\u0415\u0441\u043b\u0438 \u044d\u0442\u043e \u0442\u0430\u043a, \u0440\u0430\u0441\u0441\u043c\u043e\u0442\u0440\u0438\u0442\u0435 \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u044c \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0445 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u0432 HTTP-\u043e\u0442\u0432\u0435\u0442\u0430 \u0434\u043b\u044f \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \n\u0438\u043b\u0438 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0435\u043d\u0438\u044f \u0441\u043e\u0445\u0440\u0430\u043d\u0435\u043d\u0438\u044f \u0438 \u0438\u0437\u0432\u043b\u0435\u0447\u0435\u043d\u0438\u044f \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e \u0438\u0437 \u043a\u0435\u0448\u0430 \u0434\u0440\u0443\u0433\u0438\u043c \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c\:\nCache-Control\: \u0431\u0435\u0437 \u043a\u0435\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f, \u0431\u0435\u0437 \u0445\u0440\u0430\u043d\u0435\u043d\u0438\u044f, \u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u0430\u044f \u043f\u043e\u0432\u0442\u043e\u0440\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430, \u0447\u0430\u0441\u0442\u043d\u044b\u0439\n\u041f\u0440\u0430\u0433\u043c\u0430\: \u0431\u0435\u0437 \u043a\u0435\u0448\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f\n\u0421\u0440\u043e\u043a \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u044f\: 0\n\u042d\u0442\u0430 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044f \u043f\u0440\u0435\u0434\u043f\u0438\u0441\u044b\u0432\u0430\u0435\u0442 \u043a\u044d\u0448\u0438\u0440\u0443\u044e\u0449\u0438\u043c \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c, \u0441\u043e\u0432\u043c\u0435\u0441\u0442\u0438\u043c\u044b\u043c \u0441 HTTP 1.0 \u0438 HTTP 1.1, \n\u043d\u0435 
\u0441\u043e\u0445\u0440\u0430\u043d\u044f\u0442\u044c \u043e\u0442\u0432\u0435\u0442 \u0438 \u043d\u0435 \u0438\u0437\u0432\u043b\u0435\u043a\u0430\u0442\u044c \u043e\u0442\u0432\u0435\u0442 (\u0431\u0435\u0437 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438) \u0438\u0437 \u043a\u0435\u0448\u0430 \u0432 \u043e\u0442\u0432\u0435\u0442 \u043d\u0430 \u0430\u043d\u0430\u043b\u043e\u0433\u0438\u0447\u043d\u044b\u0439 \u0437\u0430\u043f\u0440\u043e\u0441. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a \u043e\u0442\u0432\u0435\u0442\u0430 HTTP-\u0441\u0435\u0440\u0432\u0435\u0440\u0430 
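Review bot: the added `pscanrules.polyfillcdnscript.desc2` has a number-agreement error: "one or more script which appear" should be "one or more scripts which appear". The `.refs` value cites an `x.com` status alongside the sansec.io write-up; a social-media post is a fragile reference for a shipped rule, so prefer a durable source if one exists. Separately, the English `pscanrules.retrievedfromcache.soln` corrects a real defect in the removed Russian value, which had translated the header names and directives themselves (`Cache-Control: без кеширования, без хранения ...`, `Прагма`, `Срок действия`) into Russian, so a user who copied the suggested headers would have produced invalid ones; that fix is worth calling out in the commit message.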
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = \u0421\u0435\u0440\u0432\u0435\u04 pscanrules.stricttransportsecurity.compliance.malformed.content.desc = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP Strict Transport Security (HSTS) \u0431\u044b\u043b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d, \u043d\u043e \u043e\u043d \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435, \n\u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u043d\u0435 \u043e\u0436\u0438\u0434\u0430\u043b\u043e\u0441\u044c (\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e, \u0444\u0438\u0433\u0443\u0440\u043d\u044b\u0435 \u043a\u0430\u0432\u044b\u0447\u043a\u0438), \u043e\u0436\u0438\u0434\u0430\u0435\u0442\u0441\u044f, \n\u0447\u0442\u043e \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0431\u0443\u0434\u0435\u0442 \u0441\u043e\u0434\u0435\u0440\u0436\u0430\u0442\u044c \u0441\u0438\u043c\u0432\u043e\u043b\u044b ASCII \u0434\u043b\u044f \u043f\u0435\u0447\u0430\u0442\u0438. 
pscanrules.stricttransportsecurity.compliance.malformed.content.name = \u0418\u0441\u043a\u0430\u0436\u0435\u043d\u043d\u044b\u0439 \u043a\u043e\u043d\u0442\u0435\u043d\u0442 \u0441\u043e \u0441\u0442\u0440\u043e\u0433\u043e\u0439 \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u044c\u044e (\u043d\u0435 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = \u041f\u0440\u043e\u0441\u043c\u043e\u0442\u0440\u0438\u0442\u0435 \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e \u044d\u0442\u043e\u0433\u043e \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u0430 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f. \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0432\u0430\u0448 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439, \u0431\u0430\u043b\u0430\u043d\u0441\u0438\u0440\u043e\u0432\u0449\u0438\u043a \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u0438 \u0442. \u0434. \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u044b \u0434\u043b\u044f \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0438 Strict-Transport-Security \u0441 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u043c \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u044b\u043c. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. 
pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP Strict Transport Security (HSTS), \n\u043d\u043e \u043e\u043d \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u0442 \u043a\u0430\u0432\u044b\u0447\u043a\u0438, \u043f\u0440\u0435\u0434\u0448\u0435\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0435 max-age \n(\u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 max-age \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0443\u043a\u0430\u0437\u0430\u043d\u043e \u0432 \u043a\u0430\u0432\u044b\u0447\u043a\u0430\u0445, \u043d\u043e \u0441\u0430\u043c\u0430 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 \u043d\u0435 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c). \u0421\u043c. RFC 6797 \u0434\u043b\u044f \u043f\u043e\u043b\u0443\u0447\u0435\u043d\u0438\u044f \u0434\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438.\nHTTP Strict Transport Security (HSTS) - \u044d\u0442\u043e \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0438 \u0432\u0435\u0431-\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u043a\u043e\u0442\u043e\u0440\u043e\u0433\u043e \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 \u043e\u0431\u044a\u044f\u0432\u043b\u044f\u0435\u0442, \u0447\u0442\u043e \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u044e\u0449\u0438\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0435 \u0430\u0433\u0435\u043d\u0442\u044b (\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432\u0435\u0431-\u0431\u0440\u0430\u0443\u0437\u0435\u0440) \u0434\u043e\u043b\u0436\u043d\u044b 
\u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u043e\u0432\u0430\u0442\u044c \u0441 \u043d\u0438\u043c, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u044b\u0435 \u0441\u043e\u0435\u0434\u0438\u043d\u0435\u043d\u0438\u044f HTTPS (\u0442. \u0415. HTTP \u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u0435 TLS / SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (\u043d\u0435 \u0441\u043e\u043e\u0442\u0432\u0435\u0442\u0441\u0442\u0432\u0443\u0435\u0442 \u0441\u043f\u0435\u0446\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
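Review bot: the `pscanrules.stricttransportsecurity.compliance.malformed.content.soln` change replaces an accurate Russian rendering ("Просмотрите конфигурацию этого элемента управления. Убедитесь, что ваш веб-сервер, сервер приложений, балансировщик нагрузки и т. д. настроены для установки Strict-Transport-Security с соответствующим содержимым.") with the English source, while the `.name` and `.desc` keys beside it stay in Russian, so this alert will render mixed-language in the ru_RU locale. If the intent is to drop a stale translation, prefer removing the key from Messages_ru_RU.properties, since Java ResourceBundle lookups fall back to the base Messages.properties for keys absent in the locale file; hard-coding the English text here masks that fallback and will hide the next translation update. Separately, the unchanged `max.age.malformed.desc` text has "т. Е." with a capital Е in "(т. Е. HTTP на уровне TLS / SSL)"; it should read "т. е." and is worth fixing in the same translation pass.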
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a \u0441\u0442\u0440\u043e\u0433\u043e\u0439 \u0442\u0440\u0430\u043d\u0441\u043f\u043e\u0440\u0442\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 pscanrules.stricttransportsecurity.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0432\u0430\u0448 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439, \u0431\u0430\u043b\u0430\u043d\u0441\u0438\u0440\u043e\u0432\u0449\u0438\u043a \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u0438 \u0442. \u043d. \u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u044b \u0434\u043b\u044f \u043f\u0440\u0438\u043d\u0443\u0434\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u0438\u043c\u0435\u043d\u0435\u043d\u0438\u044f Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = \u041e\u0442\u043c\u0435\u0442\u043a\u0430 \u0432\u0440\u0435\u043c\u0435\u043d\u0438 \u0431\u044b\u043b\u0430 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435\u043c / \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c -pscanrules.timestampdisclosure.extrainfo = {0}, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043e\u0446\u0435\u043d\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043a\u0430\u043a\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. 
pscanrules.timestampdisclosure.name = \u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u043e\u0442\u043c\u0435\u0442\u043a\u0438 \u0432\u0440\u0435\u043c\u0435\u043d\u0438 pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = \u0412\u0440\u0443\u0447\u043d\u0443\u044e \u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0434\u0438\u0442\u0435, \u0447\u0442\u043e \u0434\u0430\u043d\u043d\u044b\u0435 \u043e\u0442\u043c\u0435\u0442\u043a\u0438 \u0432\u0440\u0435\u043c\u0435\u043d\u0438 \u043d\u0435 \u044f\u0432\u043b\u044f\u044e\u0442\u0441\u044f \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c\u0438 \n\u0438 \u0447\u0442\u043e \u0434\u0430\u043d\u043d\u044b\u0435 \u043d\u0435 \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u0430\u0433\u0440\u0435\u0433\u0438\u0440\u043e\u0432\u0430\u043d\u044b \u0434\u043b\u044f \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f \u0448\u0430\u0431\u043b\u043e\u043d\u043e\u0432, \n\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c. 
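Review bot: both replaced strings in this hunk differ from the removed Russian ones only by the trailing period that the English source gained ("A timestamp was disclosed by the application/web server." and "{0}, which evaluates to\: {1}."), so the existing translations could have been kept with the punctuation added rather than reverted to English; as written, `pscanrules.timestampdisclosure.desc` and `.extrainfo` will show English next to a Russian `.name` and `.soln` on the same alert. Also note the unchanged `pscanrules.stricttransportsecurity.soln` context line reads "и т. н." where "и т. д." (etc.) is meant, the same abbreviation used correctly elsewhere in this file.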
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = \u0412\u0440\u0443\u0447\u043d\u0443\u044e pscanrules.usercontrolledcharset.desc = \u042d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0435 \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u0445 \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0438 \u0434\u0430\u043d\u043d\u044b\u0445 POST, \u0447\u0442\u043e\u0431\u044b \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c, \u0433\u0434\u0435 \u043e\u0431\u044a\u044f\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438 Content-Type \u0438\u043b\u0438 \u043c\u0435\u0442\u0430\u0442\u0435\u0433\u0430 \u043c\u043e\u0433\u0443\u0442 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c\u0441\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c.\n\n\n\u0422\u0430\u043a\u0438\u0435 \u043e\u0431\u044a\u044f\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438 \u0432\u0441\u0435\u0433\u0434\u0430 \u0434\u043e\u043b\u0436\u043d\u044b \u043e\u0431\u044a\u044f\u0432\u043b\u044f\u0442\u044c\u0441\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435\u043c.\n\n\u0415\u0441\u043b\u0438 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u043e\u0439 \u043e\u0442\u0432\u0435\u0442\u0430, \u043e\u043d \u043c\u043e\u0436\u0435\u0442 \u043c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c HTML \n\u0434\u043b\u044f \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f XSS 
\u0438\u043b\u0438 \u0434\u0440\u0443\u0433\u0438\u0445 \u0430\u0442\u0430\u043a.\n\n\u041d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a, \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u044e\u0449\u0438\u0439 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u0430 , \u043c\u043e\u0436\u0435\u0442 \u043e\u0431\u044a\u044f\u0432\u0438\u0442\u044c UTF-7, \n\u0430 \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0436\u0435\u0442 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u044c \u0432 HTML-\u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442 \u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \n\u0447\u0442\u043e\u0431\u044b \u0438\u0445 \u043c\u043e\u0436\u043d\u043e \u0431\u044b\u043b\u043e \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043a\u0430\u043a UTF-7.\n\n\u041a\u043e\u0434\u0438\u0440\u0443\u044f \u0441\u0432\u043e\u0438 \u043f\u043e\u043b\u0435\u0437\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u044b\u0435 \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e UTF-7, \n\u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u043e\u0431\u043e\u0439\u0442\u0438 \u043b\u044e\u0431\u0443\u044e \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u0443\u044e \u0437\u0430\u0449\u0438\u0442\u0443 XSS \u0438 \u0432\u0441\u0442\u0440\u043e\u0438\u0442\u044c \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u0439 \u043d\u0430 \u0441\u0442\u0440\u0430\u043d\u0438\u0446\u0443. 
pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] \u0430\u0442\u0440\u0438\u0431\u0443\u0442\n\n\u041d\u0430\u0439\u0434\u0435\u043d \u0432\u0432\u043e\u0434 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\:\n{2}\={3}\n\n\u0417\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438, \u043a\u043e\u0442\u043e\u0440\u043e\u0435 \u043e\u043d \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u043b, \u0431\u044b\u043b\u043e\:\n{4} pscanrules.usercontrolledcharset.name = \u041a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0430, \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u0430\u044f \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c UTF-8 \u0432\u043e \u0432\u0441\u0435\u0445 \u043e\u0431\u044a\u044f\u0432\u043b\u0435\u043d\u0438\u044f\u0445 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438. \n\u0415\u0441\u043b\u0438 \u0434\u043b\u044f \u043f\u0440\u0438\u043d\u044f\u0442\u0438\u044f \u0440\u0435\u0448\u0435\u043d\u0438\u044f \u043e\u0431 \u043e\u0431\u044a\u044f\u0432\u043b\u0435\u043d\u0438\u0438 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0432\u0432\u043e\u0434 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f, \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \n\u0447\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0442\u043e\u043b\u044c\u043a\u043e \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u043d\u044b\u0439 \u0441\u043f\u0438\u0441\u043e\u043a. 
pscanrules.usercontrolledcookie.desc = \u042d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0435 \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u0445 \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0438 \u0434\u0430\u043d\u043d\u044b\u0435 POST, \u0447\u0442\u043e\u0431\u044b \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c, \u0433\u0434\u0435 \u043c\u043e\u0436\u043d\u043e \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u043c\u0438 \u0444\u0430\u0439\u043b\u043e\u0432 cookie.\n\n\u042d\u0442\u043e \u043d\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0430\u0442\u0430\u043a\u043e\u0439 \u043e\u0442\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043a\u0443\u043a\u0438-\u0444\u0430\u0439\u043b\u043e\u0432 \u0438 \u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0441\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u043e\u0439 \u0434\u043b\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f, \u043a\u043e\u0433\u0434\u0430 \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u043c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043a\u0443\u043a\u0438-\u0444\u0430\u0439\u043b\u0430\u043c\u0438 \u0440\u0430\u0437\u043b\u0438\u0447\u043d\u044b\u043c\u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u0430\u043c\u0438.\n\n\u0412 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0441\u043b\u0443\u0447\u0430\u044f\u0445 \u044d\u0442\u043e \u043d\u0435\u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c, 
\u043e\u0434\u043d\u0430\u043a\u043e \u0440\u0430\u0437\u0440\u0435\u0448\u0435\u043d\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u043c URL \u0443\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0442\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u0444\u0430\u0439\u043b\u043e\u0432 cookie \u043e\u0431\u044b\u0447\u043d\u043e \u0441\u0447\u0438\u0442\u0430\u0435\u0442\u0441\u044f \u043e\u0448\u0438\u0431\u043a\u043e\u0439. pscanrules.usercontrolledcookie.extrainfo = {0} \u042d\u0442\u043e \u0431\u044b\u043b\u043e \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u0446\u0438\u0440\u043e\u0432\u0430\u043d\u043e \u043f\u043e \u0430\u0434\u0440\u0435\u0441\u0443\:\n\n{1}\n\n\u0412\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0435 \u0431\u044b\u043b\u0438 \u043d\u0430\u0439\u0434\u0435\u043d\u044b \u0432 \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u043c \u0444\u0430\u0439\u043b\u0435 cookie\:\n{2}\n\n\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0439 \u0432\u0432\u043e\u0434 \u0431\u044b\u043b\:\n{3} \= {4} -pscanrules.usercontrolledcookie.extrainfo.get = \u0417\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u043e\u0442\u0440\u0430\u0432\u0438\u0442\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u0444\u0430\u0439\u043b\u043e\u0432 cookie \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 URL. 
\u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0432\u0432\u0435\u0441\u0442\u0438 \u0442\u043e\u0447\u043a\u0443 \u0441 \u0437\u0430\u043f\u044f\u0442\u043e\u0439, \u0447\u0442\u043e\u0431\u044b \u0443\u0437\u043d\u0430\u0442\u044c, \u043c\u043e\u0436\u0435\u0442\u0435 \u043b\u0438 \u0432\u044b \u0434\u043e\u0431\u0430\u0432\u0438\u0442\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u0444\u0430\u0439\u043b\u043e\u0432 cookie \n(\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, name \= managedValue; name \= anotherValue;). -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. 
For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = \u041e\u0442\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435 Cookie pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = \u041d\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0439\u0442\u0435 \u0432\u0432\u043e\u0434\u0443 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u0438\u043c\u0435\u043d\u0430\u043c\u0438 \u0438 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f\u043c\u0438 \u0444\u0430\u0439\u043b\u043e\u0432 cookie. \u0415\u0441\u043b\u0438 \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u044b \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0434\u043e\u043b\u0436\u043d\u044b \u0431\u044b\u0442\u044c \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u044b \u0432 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f\u0445 \u0444\u0430\u0439\u043b\u043e\u0432 cookie, \u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u043e\u0442\u0444\u0438\u043b\u044c\u0442\u0440\u0443\u0439\u0442\u0435 \u0442\u043e\u0447\u043a\u0438 \u0441 \u0437\u0430\u043f\u044f\u0442\u043e\u0439, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043c\u043e\u0433\u0443\u0442 \u0441\u043b\u0443\u0436\u0438\u0442\u044c \u0440\u0430\u0437\u0434\u0435\u043b\u0438\u0442\u0435\u043b\u044f\u043c\u0438 \u043f\u0430\u0440 \u0438\u043c\u044f / \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435. 
pscanrules.usercontrolledhtmlattributes.desc = \u042d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0435 \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u0445 \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0438 \u0434\u0430\u043d\u043d\u044b\u0445 POST, \u0447\u0442\u043e\u0431\u044b \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c, \u0433\u0434\u0435 \u043c\u043e\u0436\u043d\u043e \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u043c\u0438 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f\u043c\u0438 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u043e\u0432 HTML. \u042d\u0442\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0432\u0430\u0435\u0442 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u0435 \u0433\u043e\u0440\u044f\u0447\u0438\u0445 \u0442\u043e\u0447\u0435\u043a \u0434\u043b\u044f XSS (\u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f), \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442 \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u0433\u043e \u0438\u0437\u0443\u0447\u0435\u043d\u0438\u044f \u0430\u043d\u0430\u043b\u0438\u0442\u0438\u043a\u043e\u043c \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f. 
-pscanrules.usercontrolledhtmlattributes.extrainfo = \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u044b \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u043e\u0432 HTML, \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c. \u041f\u043e\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0432\u0432\u0435\u0441\u0442\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0435 \u0441\u0438\u043c\u0432\u043e\u043b\u044b, \u0447\u0442\u043e\u0431\u044b \u0443\u0437\u043d\u0430\u0442\u044c, \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e \u043b\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 XSS. \u0421\u0442\u0440\u0430\u043d\u0438\u0446\u0430 \u043f\u043e \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0435\u043c\u0443 URL-\u0430\u0434\u0440\u0435\u0441\u0443\:\n\n{0}\n\n\u043f\u043e\u0445\u043e\u0436\u0435, \u0432\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0439 \u0432\u0432\u043e\u0434 \u0432\:\n\na (n) [{1}] \u0442\u0435\u0433 [{2}] \u0430\u0442\u0440\u0438\u0431\u0443\u0442\n\n\u041d\u0430\u0439\u0434\u0435\u043d \u0432\u0432\u043e\u0434 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\:\n{3} \= {4}\n\n\u0423\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u043e\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u0431\u044b\u043b\u043e\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. 
The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = \u0410\u0442\u0440\u0438\u0431\u0443\u0442 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u0430 HTML, \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u044b\u0439 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c (\u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0439 XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = \u041f\u0440\u043e\u0432\u0435\u0440\u044f\u0439\u0442\u0435 \u0432\u0435\u0441\u044c \u0432\u0432\u043e\u0434 \u0438 \u043e\u0447\u0438\u0449\u0430\u0439\u0442\u0435 \u0432\u044b\u0432\u043e\u0434 \u043f\u0435\u0440\u0435\u0434 \u0437\u0430\u043f\u0438\u0441\u044c\u044e \u0432 \u043a\u0430\u043a\u0438\u0435-\u043b\u0438\u0431\u043e \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u044b HTML. 
pscanrules.usercontrolledjavascriptevent.desc = \u042d\u0442\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u0442 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0435 \u0432 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u0445 \u0441\u0442\u0440\u043e\u043a\u0438 \u0437\u0430\u043f\u0440\u043e\u0441\u0430 \u0438 \u0434\u0430\u043d\u043d\u044b\u0445 POST, \u0447\u0442\u043e\u0431\u044b \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0438\u0442\u044c, \u0433\u0434\u0435 \u043c\u043e\u0436\u043d\u043e \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0442\u044c \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u043c\u0438 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u044f\u043c\u0438 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u043e\u0432 HTML. \u042d\u0442\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0432\u0430\u0435\u0442 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u0438\u0435 \u0433\u043e\u0440\u044f\u0447\u0438\u0445 \u0442\u043e\u0447\u0435\u043a \u0434\u043b\u044f XSS (\u043c\u0435\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u043e\u0433\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f), \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442 \u0434\u0430\u043b\u044c\u043d\u0435\u0439\u0448\u0435\u0433\u043e \u0438\u0437\u0443\u0447\u0435\u043d\u0438\u044f \u0430\u043d\u0430\u043b\u0438\u0442\u0438\u043a\u043e\u043c \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0434\u043b\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u043e\u0441\u0442\u0438 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. 
Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = \u0421\u043e\u0431\u044b\u0442\u0438\u0435 JavaScript, \u0443\u043f\u0440\u0430\u0432\u043b\u044f\u0435\u043c\u043e\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = \u041f\u0440\u043e\u0432\u0435\u0440\u044f\u0439\u0442\u0435 \u0432\u0435\u0441\u044c \u0432\u0432\u043e\u0434 \u0438 \u0434\u0435\u0437\u0438\u043d\u0444\u0438\u0446\u0438\u0440\u0443\u0439\u0442\u0435 \u0432\u044b\u0432\u043e\u0434 \u043f\u0435\u0440\u0435\u0434 \u0437\u0430\u043f\u0438\u0441\u044c\u044e \u0432 \u043a\u0430\u043a\u0438\u0435-\u043b\u0438\u0431\u043e \u0441\u043e\u0431\u044b\u0442\u0438\u044f Javascript on *. 
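Review bot: the `pscanrules.usercontrolledcookie.extrainfo.post` line is removed and re-added with content that reads identically here, down to the trailing "\n\n"; if the only difference is whitespace or a line continuation, say so in the commit message, otherwise this is a no-op that inflates the diff. Dropping the empty `pscanrules.usercontrolledcharset.refs=` key is the right call (an empty value would render a blank references field instead of falling back to the base bundle), and the `usercontrolledjavascriptevent.extrainfo` change correctly strips the stray space before "\n\n". Two unchanged context lines deserve a follow-up: `usercontrolledcharset.desc` has a missing word in "значение кодировки элемента , может объявить UTF-7" (the element name before the comma is absent), and `usercontrolledjavascriptevent.desc` is a verbatim copy of `usercontrolledhtmlattributes.desc`, which describes HTML attribute values rather than JavaScript events; compare both against the English source before the next sync.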
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = \u0427\u0442\u043e\u0431\u044b \u04 pscanrules.usernameidor.desc = \u0412 \u043e\u0442\u0432\u0435\u0442\u0435 \u0431\u044b\u043b \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d \u0445\u044d\u0448 \u0438\u043c\u0435\u043d\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f ({0}). \n\u042d\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0442\u044c \u043d\u0430 \u0442\u043e, \u0447\u0442\u043e \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u043f\u043e\u0434\u0432\u0435\u0440\u0436\u0435\u043d\u043e \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438, \n\u0441\u0432\u044f\u0437\u0430\u043d\u043d\u043e\u0439 \u0441 \u043d\u0435\u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0439 \u043f\u0440\u044f\u043c\u043e\u0439 \u0441\u0441\u044b\u043b\u043a\u043e\u0439 \u043d\u0430 \u043e\u0431\u044a\u0435\u043a\u0442 (IDOR). \n\u0427\u0442\u043e\u0431\u044b \u0443\u0432\u0438\u0434\u0435\u0442\u044c, \u043c\u043e\u0436\u043d\u043e \u043b\u0438 \u0437\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u044f\u0442\u044c \u044d\u0442\u0438\u043c \u043e\u0442\u043a\u0440\u044b\u0442\u0438\u0435\u043c, \u043f\u043e\u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f \u0440\u0443\u0447\u043d\u043e\u0435 \u0442\u0435\u0441\u0442\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435. 
pscanrules.usernameidor.name = \u041e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d \u0445\u0435\u0448 \u0438\u043c\u0435\u043d\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f -pscanrules.usernameidor.otherinfo = \u0425\u0435\u0448 \u0431\u044b\u043b {0} \u0441\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435\u043c\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = \u0418\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0439\u0442\u0435 \u043a\u043e\u0441\u0432\u0435\u043d\u043d\u044b\u0435 \u0441\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u043e\u0431\u044a\u0435\u043a\u0442\u044b \u0434\u043b\u044f \u043a\u0430\u0436\u0434\u043e\u0433\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f \u0438\u043b\u0438 \u0441\u0435\u0430\u043d\u0441\u0430 \n(\u0441\u043e\u0437\u0434\u0430\u0439\u0442\u0435 \u0432\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0435 \u0441\u043e\u043f\u043e\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0432\u043e \u0432\u0440\u0435\u043c\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f). 
\n\u0418\u043b\u0438 \u0443\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u043a\u0430\u0436\u0434\u043e\u0435 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u043f\u0440\u044f\u043c\u043e\u0439 \u0441\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u043e\u0431\u044a\u0435\u043a\u0442 \u0441\u0432\u044f\u0437\u0430\u043d\u043e \u0441 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438, \n\u0447\u0442\u043e\u0431\u044b \u0443\u0431\u0435\u0434\u0438\u0442\u044c\u0441\u044f, \u0447\u0442\u043e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u043e\u0432\u0430\u043d \u0434\u043b\u044f \u0437\u0430\u043f\u0440\u043e\u0448\u0435\u043d\u043d\u043e\u0433\u043e \u043e\u0431\u044a\u0435\u043a\u0442\u0430. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = \u0421\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u044d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u044b\u0435 \u043f\u0438\u0441\u044c\u043c\u0430 \u0431\u044b\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u044b \u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u043e\u0432\u0430\u043d\u043d\u044b\u043c\u0438 \u0432 \u043f\u043e\u043b\u0435 viewstate\: pscanrules.viewstate.content.email.name = \u042d\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u044b\u0435 \u043f\u0438\u0441\u044c\u043c\u0430, \u043d\u0430\u0439\u0434\u0435\u043d\u043d\u044b\u0435 \u0432 Viewstate 
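Review bot: the new `pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1}` hard-codes the article "an", which only reads correctly for some values of {0}; the removed Russian form "Хеш был {0} со значением: {1}" had no such problem, so reverting it trades a correct translation for an English string with a grammar defect. The `.soln` reversion likewise replaces a faithful translation (per-user or per-session indirect object references, or an authorization check on each direct reference) with the source text; if these are meant to be re-translated, removing the keys would let the base bundle supply the English in the meantime. In the unchanged lines, `usernameidor.desc` spells "хэш" while `usernameidor.name` spells "хеш"; pick one for the file.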
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = \u041d\u0430\u0441\u0442\u0440\u043e\u0439\u0442\u0435 \u0441\u0435\u0440\u0432\u0435\u0440 \u0442\u0430\u043a, \u0447\u0442\u043e\u0431\u044b \u043e\u043d \u043d\u0435 \u0432\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u043b \u044d\u0442\u0438 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438. pscanrules.xbackendserver.desc = \u0421\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u043e\u043f\u0443\u0441\u043a\u0430\u0435\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e, \u043e\u0442\u043d\u043e\u0441\u044f\u0449\u0443\u044e\u0441\u044f \u043a \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u044b\u043c \u0441\u0438\u0441\u0442\u0435\u043c\u0430\u043c \n(\u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0438\u043c\u0435\u043d\u0430 \u0445\u043e\u0441\u0442\u043e\u0432 \u0438\u043b\u0438 IP-\u0430\u0434\u0440\u0435\u0441\u0430). \n\u0412\u043e\u043e\u0440\u0443\u0436\u0438\u0432\u0448\u0438\u0441\u044c \u044d\u0442\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0435\u0439, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a \u043c\u043e\u0436\u0435\u0442 \u0430\u0442\u0430\u043a\u043e\u0432\u0430\u0442\u044c \u0434\u0440\u0443\u0433\u0438\u0435 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \n\u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u0440\u044f\u043c\u043e / \u044d\u0444\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u043e \u0430\u0442\u0430\u043a\u043e\u0432\u0430\u0442\u044c \u044d\u0442\u0438 \u0441\u0438\u0441\u0442\u0435\u043c\u044b. 
-pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = \u0423\u0442\u0435\u0447\u043a\u0430 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 X-Backend-Server -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = \u0423\u0431\u0435\u0434\u0438\u0442\u0435\u0441\u044c, \u0447\u0442\u043e \u0432\u0430\u0448 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439, \u0431\u0430\u043b\u0430\u043d\u0441\u0438\u0440\u043e\u0432\u0449\u0438\u043a \u043d\u0430\u0433\u0440\u0443\u0437\u043a\u0438 \u0438 \u0442. \u0434. \n\u043d\u0430\u0441\u0442\u0440\u043e\u0435\u043d\u044b \u043d\u0430 \u043f\u043e\u0434\u0430\u0432\u043b\u0435\u043d\u0438\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u0432 X-Backend-Server. pscanrules.xchromeloggerdata.desc = \u0421\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u043e\u043f\u0443\u0441\u043a\u0430\u0435\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u0447\u0435\u0440\u0435\u0437 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a \u043e\u0442\u0432\u0435\u0442\u0430 X-ChromeLogger-Data (\u0438\u043b\u0438 X-ChromePhp-Data). 
\u0421\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0435 \u0442\u0430\u043a\u0438\u0445 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u0432 \u043c\u043e\u0436\u0435\u0442 \u0431\u044b\u0442\u044c \u0438\u0437\u043c\u0435\u043d\u0435\u043d\u043e \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u0447\u0438\u043a\u043e\u043c, \n\u043e\u0434\u043d\u0430\u043a\u043e \u043d\u0435\u0440\u0435\u0434\u043a\u043e \u043c\u043e\u0436\u043d\u043e \u043d\u0430\u0439\u0442\u0438\: \n\u0440\u0430\u0441\u043f\u043e\u043b\u043e\u0436\u0435\u043d\u0438\u0435 \u0444\u0430\u0439\u043b\u043e\u0432\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u043e\u0431\u044a\u044f\u0432\u043b\u0435\u043d\u0438\u044f vhost \u0438 \u0442. \u0434. 
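Review bot: dropping the empty `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` overrides in this hunk changes what Russian users see from an empty string to whatever the default bundle holds, so confirm the default bundle actually defines both keys (or that the rule code tolerates a missing `refs`); otherwise the alert panel shows a missing-key marker instead of nothing. While this hunk is open, the unchanged `xbackendserver.desc` context line translates "leaks" as "пропускает" ("lets through"), which reads as a mistranslation; "раскрывает" or "допускает утечку" would carry the intended meaning.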
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = \u041e\u0433\u0440\u0430\u043d\u0438\u0447\u044c\u0442\u0435 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043f\u0440\u043e\u0444\u0438\u043b\u0438\u0440\u043e\u0432\u0449\u0438\u043a\u0443 Symfony \u043f\u043e\u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e\u043c \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 / \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438 \n\u0438\u043b\u0438 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u044f \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u044f \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u0434\u043b\u044f \u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u043d\u044b\u0445 \u043a\u043b\u0438\u0435\u043d\u0442\u043e\u0432 (\u043f\u043e IP \u0438 \u0442. \u0414.). pscanrules.xpoweredbyheaderinfoleak.desc = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440 / \u0441\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 \u043f\u0440\u043e\u043f\u0443\u0441\u043a\u0430\u0435\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \n\u0447\u0435\u0440\u0435\u0437 \u043e\u0434\u0438\u043d \u0438\u043b\u0438 \u043d\u0435\u0441\u043a\u043e\u043b\u044c\u043a\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u0432 HTTP-\u043e\u0442\u0432\u0435\u0442\u0430 \u00abX-Powered-By\u00bb. 
\n\u0414\u043e\u0441\u0442\u0443\u043f \u043a \u0442\u0430\u043a\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u043c\u043e\u0436\u0435\u0442 \u043e\u0431\u043b\u0435\u0433\u0447\u0438\u0442\u044c \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0430\u043c \u0438\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044e \u0434\u0440\u0443\u0433\u0438\u0445 \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u043e\u0432 / \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u043e\u0432, \n\u043e\u0442 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0437\u0430\u0432\u0438\u0441\u0438\u0442 \u0432\u0430\u0448\u0435 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0435, \u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0435\u0439, \n\u043a\u043e\u0442\u043e\u0440\u044b\u043c \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u043f\u043e\u0434\u0432\u0435\u0440\u0436\u0435\u043d\u044b \u0442\u0430\u043a\u0438\u0435 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u044b. 
-pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = \u0421\u0435\u0440\u0432\u0435\u0440 \u0443\u0442\u0435\u043a\u0430\u0435\u0442 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044e \u0447\u0435\u0440\u0435\u0437 \u043f\u043e\u043b\u044f \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 HTTP-\u043e\u0442\u0432\u0435\u0442\u0430 "X-Powered-By" pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = \u0422\u0430\u043a\u0436\u0435 \u0431\u044b\u043b\u0438 \u043e\u0431\u043d\u0430\u0440\u0443\u0436\u0435\u043d\u044b \u0441\u043b\u0435\u0434\u0443\u044e\u0449\u0438\u0435 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438 X-Powered-By\: pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_si_LK.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_si_LK.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_si_LK.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_si_LK.properties 
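Review bot: in the `@@ -415,7 +416,6 @@` hunk of the Russian-language file above, the removed empty `pscanrules.xpoweredbyheaderinfoleak.extrainfo=` override has the same fallback consequence as the other deleted empty keys, so check that the default bundle supplies text for it. Two context lines in the same hunk also deserve a fix in this pass: `xdebugtoken.soln` ends with "и т. Д." (stray capital, should be "и т. д."), and `xpoweredbyheaderinfoleak.name` says "Сервер утекает информацию", where "утекает" is intransitive in Russian; "Сервер раскрывает информацию" is the grammatical form.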
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
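Review bot: the re-added `pscanrules.anticlickjacking.compliance.malformed.setting.soln` line keeps an unbalanced parenthesis: the "(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then ..." clause opens an outer bracket that never closes. Since the line is already being rewritten for trailing whitespace, close it after "you should use DENY" or drop the outer parenthesis altogether. Note also that every string in this hunk is English text inside `Messages_si_LK.properties`; if the locale file is meant to carry only translated strings, these untranslated copies could be left to fall back to the default bundle rather than maintained in two places.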
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
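Review bot: this hunk only trims trailing whitespace, but the `authenticationcredentialscaptured.desc` line it touches ends with "The attacker eavesdrops on the network until an authentication has completed.", which restates the earlier "must merely monitor the network traffic until a Basic Authentication request is received" and can be dropped. In the `soln` line, "avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken" blames the scheme rather than the transport; Basic over HTTPS is acceptable, so "avoid Basic Authentication over plain HTTP" states the actual remediation and matches the "Use HTTPS" clause that precedes it.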
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
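Review bot: the unchanged `cookielooselyscoped.desc` context line two lines above the edited `extrainfo` has a missing space in "domain scope.The domain scope"; since this hunk is already a whitespace cleanup of the same key family, fix that one too.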
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
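Review bot: the `infoprivateaddressdisclosure.desc` context line lists "172.x.x.x" as a private range, which contradicts the RFC 1918 reference the same rule cites: only 172.16.0.0/12 (172.16.x.x through 172.31.x.x) is private. Suggest "172.16.x.x-172.31.x.x" so the alert text does not describe public address space as internal.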
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
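Review bot: the removed `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` lines were empty overrides, which usually means the default bundle leaves these keys empty as well; if so, the deletion swaps one empty string for another, and if the default does not define them at all the rule will render a missing-key marker. Verify the default bundle, and if the keys are empty there too consider giving both rules a real reference, for example the OWASP Transport Layer Protection cheat sheet already cited in this file under `mixedcontent.refs`.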
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
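Review bot: the new `pscanrules.polyfillcdnscript.desc1` and `desc2` strings tell the user that a script comes from "one of the 'polyfill' domains" without saying which domain matched, so the alert cannot be verified from its own text; other rules in this file pass the matched value through a `{0}` placeholder, and doing the same here would make triage possible. The `refs` value includes an `x.com` status URL, which is not a stable or login-free reference; keep the sansec write-up and replace the social-media link with a durable advisory. Minor grammar in `desc2`: "one or more script which appear" should be "one or more scripts which appear". These are also English strings being added directly to the si_LK locale file rather than left to the default bundle.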
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
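Review bot: both `stricttransportsecurity.compliance.malformed.content.desc` and `stricttransportsecurity.compliance.max.age.malformed.desc` in this hunk begin "A HTTP Strict Transport Security (HSTS) header"; since the hunk is already a whitespace pass over these keys, change the article to "An HTTP" in the same commit.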
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sk_SK.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sk_SK.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sk_SK.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sk_SK.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
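Review bot: the new `pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}.` puts a full stop directly after the interpolated timestamp, so the rendered "Other Info" text ends with something like `... 2024-01-01T00:00:00Z.`, which reads as part of the value when copied. Adding the period to `.desc` is fine; for `.extrainfo` consider leaving the value unterminated.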
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
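Review bot: dropping the empty `pscanrules.usercontrolledcharset.refs=` entry is the right fix rather than a cosmetic one: with Java ResourceBundle lookup an empty value in a locale file overrides the default bundle with an empty string, whereas a missing key falls back to the default Messages.properties, so this restores the English reference URL for the locale. Please verify the default bundle does carry a value for that key; the same reasoning applies to the other empty `refs=` and `extrainfo=` removals later in this patch.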
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sl_SI.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sl_SI.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sl_SI.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sl_SI.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
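Review bot: the re-added `pscanrules.anticlickjacking.compliance.malformed.setting.soln` still has an unbalanced parenthesis: the `(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then ...` opens a paren that is never closed before `Alternatively consider ...`. Since the line is being rewritten anyway, close it after `DENY`, and apply the same fix in the default Messages.properties so that the translation export does not reintroduce it.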
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
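Review bot: the unchanged context line `pscanrules.cookielooselyscoped.desc` contains `domain scope.The domain scope`, a missing space after the full stop; it is outside this hunk's change but sits right above the `extrainfo` line being touched, so it is worth fixing in the source-language file in the same pass. The `\: \n` to `\:\n` change in `extrainfo` itself is correct, since the stray space would otherwise render at the end of the first line of the alert text.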
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
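Review bot: the old `pscanrules.heartbleed.desc` ended in a literal `\t`, which a .properties loader interprets as an escaped tab character appended to the displayed description, so removing it is a real fix and not just trimming. Worth checking the other locale files for the same trailing escape, since it likely came from one export and will be present wherever that string was copied.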
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
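Review bot: the rewritten `pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment.` uses `VIEWSTATE` while the `.desc`, `.extrainfo` and `.name` lines in the same hunk say `ViewState`; since the line is being edited for the trailing period, aligning the spelling at the same time would be cheap. The removal of the two empty `insecureform*.refs=` entries is correct for the same fallback reason as the earlier `refs=` removals.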
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
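Review bot: `pscanrules.polyfillcdnscript.desc2` has a number-agreement error ("one or more script which appear" should be "one or more scripts which appear"), and because this locale file carries the English text unchanged, the fix belongs in the source bundle rather than here. Two smaller points in the same hunk: `pscanrules.polyfillcdnscript.refs` cites an `x.com` status as its second reference, which is a fragile citation (the sansec.io write-up already listed is the stable one, so consider dropping the social-media link or marking it as supplementary); and the removal plus re-addition of `pscanrules.retrievedfromcache.desc` and `.soln` shows no visible text change, so it is presumably trailing-whitespace clean-up combined with the alphabetical insertion of the new keys, which deserves one line in the commit message. The added blank line before `pscanrules.retrievedfromcache.desc` is the only empty line visible in this bundle; check that it matches the file's convention.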
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
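Review bot: whitespace-only change to `pscanrules.stricttransportsecurity.compliance.malformed.content.soln`, nothing to object to. While this key group is being touched, the `.desc` line in the context above is a comma splice ("...was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters"); splitting it into two sentences would read better, done in the source bundle so it propagates.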
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
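Review bot: `pscanrules.timestampdisclosure.extrainfo` now ends with a period placed directly after the `{1}` placeholder, so the rendered message ends with the substituted date value immediately followed by ".", which reads as if the period were part of the timestamp and makes the value awkward to copy. Either leave this placeholder-terminated message without terminal punctuation or wrap the value in brackets, as the other `extrainfo` strings in this bundle do with `[{0}]`.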
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
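Review bot: removing the empty `pscanrules.usercontrolledcharset.refs=` key is only safe if the default `Messages.properties` also drops it or the rule no longer requests it. A locale bundle missing a key falls back to the parent bundle, but a key absent from every bundle makes the `ResourceBundle` lookup throw `MissingResourceException` at alert time, so please confirm the corresponding source-bundle change. Two smaller points in the same hunk: the edited `pscanrules.usercontrolledhtmlattributes.extrainfo` now separates "appears to include user input in:" from the tag/attribute line with a single `\n` while every other section of that message uses `\n\n`, which looks unintentional; and `pscanrules.usercontrolledjavascriptevent.extrainfo` keeps the agreement error "event(s) was found" (should be "were found"), again a source-bundle fix.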
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
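Review bot: whitespace-only change, but `pscanrules.usernameidor.otherinfo` hard-codes the article in "The hash was an {0}", which only reads correctly when the substituted algorithm name starts with a vowel sound ("an MD5" works, "an SHA-256" does not). Rephrasing to avoid the article, for example "Hash algorithm: {0}, value: {1}", removes the problem for every algorithm the rule can report; change it in the source bundle.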
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
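Review bot: `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` are dropped here. That is fine for a locale file, because lookups fall back to the parent bundle, but it silently breaks if the default bundle no longer defines them and the rule still asks for them, so the PR should state whether the rule stopped calling these keys or whether the source bundle keeps them.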
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sq_AL.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sq_AL.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sq_AL.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sq_AL.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
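Review bot: whitespace-only changes, but `pscanrules.anticlickjacking.compliance.malformed.setting.soln` has an unbalanced parenthesis: the clause starting "(if you expect the page to be framed only by pages on your server" is never closed after "you should use DENY". Either close it ("...you should use DENY.)") or drop the outer parenthesis entirely so the sentence parses; since the string is untranslated here, fix it in the source bundle.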
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
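Review bot: whitespace-only, but the first link in `pscanrules.authenticationcredentialscaptured.refs` does not match the finding: the alert is about credentials readable on the wire (Basic or Digest over an unencrypted connection, as the `.desc` explains), while the reference points at the OWASP Brute_force_attack page. The Transport Layer Protection cheat sheet already used by `pscanrules.mixedcontent.refs` would be a better first reference; the Digest access authentication link can stay. Source-bundle change, not this file.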
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
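Review bot: the change from `\: \n` to `\:\n` in `pscanrules.cookielooselyscoped.extrainfo` is right, but the unchanged `pscanrules.cookielooselyscoped.desc` just above is missing a space after a sentence ("domain scope.The domain scope"). Since these clean-ups already touch this key group, it is worth fixing in the source bundle in the same pass.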
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
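Review bot: adding the period to `pscanrules.crossdomain.desc` is fine, but the sentence itself stays vague ("Web browser data loading may be possible"). The `.extrainfo` two lines down states the actual problem, that the CORS configuration permits cross-domain read requests from arbitrary third-party domains; lifting that wording into `.desc` would make the alert summary self-explanatory. Source-bundle change.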
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
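Review bot: `pscanrules.desc` is the add-on's own description, not an alert string, so adding terminal punctuation ("Release status passive scan rules.") should be checked against how the other add-ons' `.desc` strings are written before it lands; a lone trailing period in the add-on listing would stand out. The `\: \n` to `\:\n` change in `pscanrules.csp.wildcard.otherinfo` is fine.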
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
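Review bot: dropping the trailing `\t` from `pscanrules.heartbleed.desc` is the right fix (a literal tab would otherwise end the rendered description). The sentence itself says "obtain sensitive information ... potentially disclosing sensitive information", which is redundant; trimming the trailing clause in the source bundle would tighten it.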
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
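Review bot: whitespace-only, but `pscanrules.infoprivateaddressdisclosure.desc` lists "172.x.x.x" as a private range, whereas RFC 1918 (the rule's own reference in `.refs`) reserves only 172.16.0.0/12, that is 172.16.x.x through 172.31.x.x. Narrowing the wording stops the description implying that every 172.x address is private; source-bundle change.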
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
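Review bot: the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys are deleted rather than populated; both `.desc` strings describe HTTP/HTTPS form transitions that a MITM can hijack, so the Transport Layer Protection cheat sheet already cited in this file under `pscanrules.mixedcontent.refs` would be a natural reference to supply instead of dropping the keys. Also, `pscanrules.insecurejsfviewstate.soln` spells it 'VIEWSTATE' while the `.desc` and `.extrainfo` strings use 'ViewState'; pick one spelling.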
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
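Review bot: in the new `pscanrules.polyfillcdnscript.desc2` string, 'one or more script which appear' should read 'one or more scripts that appear'. The second `pscanrules.polyfillcdnscript.refs` entry is an x.com post, which is a fragile citation for a supply-chain finding; keep the sansec.io write-up first and consider adding a durable advisory. The `-`/`+` pairs for `pscanrules.retrievedfromcache.desc` and `.soln` are textually identical, so that part of the hunk is whitespace-only.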
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
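Review bot: whitespace-only change to `pscanrules.stricttransportsecurity.compliance.malformed.content.soln`; while here, the two context `.desc` strings open with 'A HTTP Strict Transport Security (HSTS) header', which should read 'An HTTP ...'.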
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
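Review bot: appending '.' directly after the substituted `{1}` in `pscanrules.timestampdisclosure.extrainfo` glues the period onto the evaluated date string, which makes the value harder to read or copy out of an alert; either keep 'which evaluates to\: {1}' without the trailing period or rephrase so the placeholder is not the last token.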
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
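Review bot: the unchanged context lines in this hunk carry typos worth fixing in the same pass: `pscanrules.usercontrolledcookie.soln` has 'semicolon's' (should be 'semicolons'), `pscanrules.usercontrolledhtmlattributes.soln` and `pscanrules.usercontrolledjavascriptevent.soln` both say 'sanitize output it before writing' (drop 'it'), and `pscanrules.usercontrolledjavascriptevent.extrainfo` reads 'event(s) was found' (should be 'were found'). Removing the stray space in '\n a(n)' and dropping the empty `pscanrules.usercontrolledcharset.refs=` key are fine.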
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sr_CS.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sr_CS.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sr_CS.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sr_CS.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
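Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` has an unbalanced parenthesis in both the removed and the added line: the '(' before 'if you expect the page to be framed' is never closed, so either end with 'you should use DENY).' or drop the outer parenthesis. The `-`/`+` pairs for `.compliance.meta.soln` and `.incInCsp` are textually identical, so apart from that the hunk is whitespace-only.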
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
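Review bot: the context line `pscanrules.cookielooselyscoped.desc` is missing a space after 'domain scope.' ('scope.The domain scope'); since the adjacent `.extrainfo` line is already being touched for whitespace, fix that in the same hunk.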
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
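Review bot: dropping the trailing tab from `pscanrules.heartbleed.desc` is a good catch; the sentence still says 'obtain sensitive information from process memory ... potentially disclosing sensitive information', so the closing clause is redundant and could be removed while the string is being edited.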
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
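Review bot: the whitespace-only change to `infoprivateaddressdisclosure.soln` is fine, but the unchanged desc context line in this hunk lists "172.x.x.x" as a private range while the cited reference (RFC 1918) reserves only 172.16.0.0/12; rewording it to "172.16.x.x through 172.31.x.x" would stop the alert text overstating the private range. Since the same sentence is carried in every bundle, make that wording fix in the base Messages.properties rather than only in this copy.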
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
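Review bot: dropping the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys is only safe if every lookup of those keys tolerates an absent value; if this is a locale bundle the lookup falls back to the base Messages.properties, so the behaviour now depends on what the base file defines for them. Please confirm the base file either defines both keys or the rule code treats a missing refs string as "no references" instead of surfacing a missing-resource marker in the alert. Separately, the new `pscanrules.insecurejsfviewstate.soln` line says "Secure VIEWSTATE with a MAC" while the name and desc lines in the same hunk say "ViewState"; use one spelling.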
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
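Review bot: in the added `pscanrules.polyfillcdnscript.desc2` line, "one or more script which appear" should read "one or more scripts which appear" (the desc1 line already uses "script files"). Two smaller points on the same block: neither desc names the domains the rule treats as malicious, so a user reading the alert cannot tell which host matched without opening the refs, and the second refs entry is an x.com post, which is a fragile citation beside the sansec.io write-up; consider stating the flagged domains in the desc or an otherinfo string and keeping only durable references.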
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
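Review bot: the rewritten `pscanrules.usercontrolledjavascriptevent.extrainfo` line keeps "User-controlled javascript event(s) was found"; "were found" agrees with the plural-optional subject, and "javascript"/"Javascript" should be "JavaScript" to match the rule name on the following line. While this block is being touched, the context lines `usercontrolledhtmlattributes.soln` and `usercontrolledjavascriptevent.soln` both say "sanitize output it before writing", which is garbled ("sanitize it before writing" or "sanitize output before writing"), and `usercontrolledcookie.soln` has "semicolon's" where "semicolons" is meant.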
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sr_SP.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sr_SP.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sr_SP.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_sr_SP.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
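Review bot: the `pscanrules.cookielooselyscoped.extrainfo` change (space removed before `\n{0}`) is fine; the unchanged `cookielooselyscoped.desc` context line in this hunk has "domain scope.The domain scope" with the space missing after the full stop, which is worth fixing in the same sweep given that the whole series is a punctuation and whitespace clean-up.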
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
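Review bot: removing the stray `\t` escape at the end of `heartbleed.desc` is the substantive fix in this hunk; the `hashdisclosure.soln` pair shows no visible difference, so that part is presumably trailing whitespace. Worth saying in the PR description that several hunks across the locale files are whitespace-only, so reviewers do not hunt for a wording change that is not there.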
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
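Review bot: `infoprivateaddressdisclosure.soln` is removed and re-added with no visible difference, so this is trailing whitespace only. While this block is being touched, the `.desc` context line lists `172.x.x.x` as a private range, but the refs line cites RFC 1918, which reserves only 172.16.0.0/12; `172.16.x.x` to `172.31.x.x` would agree with the cited reference. That fix belongs in the base bundle, not only here.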
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
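Review bot: deleting the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys from this locale file is only safe if the rule code no longer asks the bundle for those keys, or the base bundle still defines them; a lookup for a key absent from every bundle throws MissingResourceException at alert-creation time. Please confirm the callers tolerate a missing refs value (an empty string previously satisfied them).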
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
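Review bot: in the new `polyfillcdnscript.desc2` string, "one or more script which appear to include" should read "one or more scripts that appear to include" so number agrees. Also reconsider the `x.com` status URL in `polyfillcdnscript.refs`: the sansec.io write-up on the same line is the durable citation, and a social-media link may not survive. Finally, these five keys are added in English to the ar_SA bundle; if locale files are normally populated from the base file by the translation sync, adding them here is redundant and may be overwritten.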
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
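Review bot: the added period in `timestampdisclosure.extrainfo` sits directly after the `{1}` placeholder, so the rendered alert ends with the evaluated timestamp immediately followed by `.`, which reads as part of the value when copied out of the alert. Either leave this line period-free as it was, or delimit the value, for example `which evaluates to\: [{1}]`, so the sentence can end cleanly.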
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
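Review bot: in `usercontrolledhtmlattributes.extrainfo` the separator after "appears to include user input in\:" shrinks from `\n\n` to `\n`, while every other section break in the same message (before `{0}`, before "The user input found was", before "The user-controlled value was") stays `\n\n`; keep `\n\n` there so the alert paragraphs stay evenly spaced. The `usercontrolledjavascriptevent.extrainfo` rejoin is fine. The removed empty `usercontrolledcharset.refs=` key carries the same caveat as the insecureform hunk: confirm the lookup tolerates its absence.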
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
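Review bot: `usernameidor.otherinfo` changes only in whitespace, but since the line is touched anyway: "The hash was an {0}" hard-codes the article, which is wrong for most algorithm names substituted into `{0}` (it yields "an SHA-1"). Rephrasing to "The hash algorithm was {0}, with value\: {1}" avoids the article altogether.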
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
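Review bot: this hunk drops both `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=`. As with the other removed empty keys, confirm the X-Backend-Server rule's alert builder no longer performs a message lookup for them, or that the base bundle keeps them; otherwise raising this alert in the ar_SA locale fails with a MissingResourceException.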
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_tr_TR.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_tr_TR.properties index cd36c59c972..7757e44e7a5 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_tr_TR.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_tr_TR.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
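Review bot: `anticlickjacking.compliance.meta.soln` and `anticlickjacking.incInCsp` are removed and re-added with no visible text difference, so this is a whitespace or line-ending change; if it is line endings, check the whole tr_TR file is consistently LF so later diffs stay readable. Every string in this hunk is English rather than Turkish, but that is pre-existing and not introduced by this change.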
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [ {0} ] [ {1} ] g\u00fcvensiz kimlik do\u011frulama mekanizmas\u0131 kullan\u0131r [ {2} ], ad\u0131n\u0131 if\u015fa [ {3} ] ve \u015fifre [ {4} ]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [ {0} ] [ {1} ] g\u00fcvensiz kimlik do\u011frulama mekanizmas\u0131 kullan\u0131r [ {2} ], ad\u0131n\u0131 if\u015fa [ {3} ] ve ek bilgiler [ {4} ]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Do\u011frulama Kimlik Bilgileri Yakalanan pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = HTTPS kullan\u0131n ve un-\u015fifreli bi\u00e7imde kimli\u011fi veya \u015fifre iletmez g\u00fcvenli bir kimlik do\u011frulama mekanizmas\u0131 kullan\u0131n. Bu \u00f6nemsiz \u015fa\u015f\u0131rtmaca mekanizmas\u0131 kolayca bozuldu \u00e7\u00fcnk\u00fc \u00d6zellikle, Temel Kimlik Do\u011frulama mekanizmas\u0131n\u0131n kullan\u0131m\u0131n\u0131 \u00f6nlemek. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
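Review bot: this hunk leaves the rule half-translated: `authenticationcredentialscaptured.soln` becomes English while `.name` and the two `.extrainfo` strings directly above it stay machine-translated Turkish, so a single alert will render its title and detail in Turkish and its solution in English. Either switch every key of a rule together (name, desc, extrainfo, soln) or leave this locale file to the translation pipeline and fix only the base bundle; converting key by key produces output worse than either option. The `.desc` line in this hunk changes only trailing whitespace.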
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = \u00c7erezler etki alan\u0131 veya yolu ile kapsaml\u0131 edilebilir. Bu onay, bir \u00e7erez uygulanan etki scope.The alan\u0131 kapsam\u0131 ile sadece endi\u015fe etki eri\u015febilir belirler. \u00d6rne\u011fin, bir \u00e7erez bir alt \u00f6rn www.nottrusted.com veya gev\u015fek bir \u00fcst etki, \u00f6rne\u011fin nottrusted.com i\u00e7in kapsaml\u0131 kesinlikle kapsaml\u0131 olabilir. Bu durumda, herhangi bir alt etki alan\u0131 nottrusted.com tan\u0131mlama eri\u015febilir. Gev\u015fek kapsaml\u0131 \u00e7erezler google.com ve live.com gibi mega-uygulamalar yayg\u0131nd\u0131r. -pscanrules.cookielooselyscoped.extrainfo = Kar\u015f\u0131la\u015ft\u0131rma i\u00e7in kullan\u0131lan men\u015fe alan\u0131 oldu\: {0} {1} \n\n +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Gev\u015fek Scoped \u00c7erez pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Etki Alanlar\u0131 Aras\u0131 yanl\u0131\u015f yap\u0131land\u0131r\u0131lmas\u0131 +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = Web sunucusu \u00fczerinde CORS yanl\u0131\u015f yap\u0131land\u0131rma etki alanlar\u0131 aras\u0131 bu etki kimli\u011fi do\u011frulanmam\u0131\u015f API'leri kullanarak keyfi \u00fc\u00e7\u00fcnc\u00fc taraf etki alanlar\u0131ndan istekleri, okuma verir. Web taray\u0131c\u0131s\u0131 uygulamalar\u0131, ancak kimli\u011fi do\u011frulanm\u0131\u015f API'ler yan\u0131t\u0131 okumak i\u00e7in keyfi \u00fc\u00e7\u00fcnc\u00fc taraflar\u0131n izin vermez. Bu biraz riskini azalt\u0131r. Bu yanl\u0131\u015f yap\u0131land\u0131rma do\u011frulanmam\u0131\u015f bir \u015fekilde kullan\u0131labilir verilere eri\u015fmek i\u00e7in bir sald\u0131rgan taraf\u0131ndan kullan\u0131labilir, ancak hangi IP adresinin beyaz liste olarak, g\u00fcvenlik di\u011fer baz\u0131 form kullan\u0131r. pscanrules.crossdomain.name = Etki Alanlar\u0131 Aras\u0131 yanl\u0131\u015f yap\u0131land\u0131r\u0131lmas\u0131 pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
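Review bot: the replacement `crossdomain.desc` ("Web browser data loading may be possible, due to a ... CORS misconfiguration") is too vague to tell the reader what the impact is, while the Turkish `extrainfo` on the next line carries the substance (arbitrary third-party origins can read responses of unauthenticated APIs; browsers still withhold authenticated responses, which reduces the risk; data protected only by IP allow-listing is reachable this way). Suggest a desc that states the impact directly, e.g. "The server's CORS configuration allows web pages on arbitrary third-party origins to read responses from this host. For unauthenticated endpoints an attacker's page can retrieve the data; for authenticated endpoints browsers will not expose the response, which limits the risk." Note the old desc was simply a copy of `.name`, and `.name` and `.extrainfo` remain Turkish after this change.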
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
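Review bot: `csp.wildcard.otherinfo` folds three distinct findings into one sentence ("allow wildcard sources (or ancestors), are not defined, or are overly broadly defined") and then prints a bare list in {0}, so the reader cannot tell which of the three applies to a given directive; the whitespace fix is fine, but consider emitting the reason per directive (e.g. "script-src: wildcard source", "object-src: not defined") or splitting the message into three keys.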
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
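Review bot: the rewritten `heartbleed.desc` says the same thing twice ("allows remote attackers to obtain sensitive information from process memory ... potentially disclosing sensitive information"); since the line is already being touched to drop the stray `\t`, trim the tail to "... via crafted packets that trigger a buffer over-read." The `hashdisclosure.soln` change is whitespace only.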
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Daha sonra OpenSSL 1.0.1g veya g\u00fcncelleyin. Ye pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = Yan\u0131t, ASP.NET gibi platformlar taraf\u0131ndan d\u00f6nd\u00fcr\u00fclen genel hata iletilerini ve IIS ve Apache gibi Web sunucular\u0131n\u0131 i\u00e7eriyor gibi g\u00f6r\u00fcn\u00fcyor. S\u0131k kullan\u0131lan hata ay\u0131klama mesajlar\u0131n\u0131n bir listesini yap\u0131land\u0131rabilirsiniz. pscanrules.informationdisclosuredebugerrors.name = Bilginin A\u00e7\u0131\u011fa \u00c7\u0131kmas\u0131 - Hata Mesajlar\u0131 Hata Ay\u0131klama 
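Review bot: only trailing whitespace changes in `infoprivateaddressdisclosure.soln`, but the context line above it describes the private ranges as "10.x.x.x, 172.x.x.x, 192.168.x.x"; RFC 1918, which the rule's own `.refs` cites, reserves only 172.16.0.0/12 (172.16.x.x through 172.31.x.x), so "172.x.x.x" overstates what the rule should be matching. Worth correcting in the base bundle so the translations inherit it, e.g. "10.x.x.x, 172.16.x.x to 172.31.x.x, 192.168.x.x".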
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = URL, kredi kart\u0131 bilgileri i\u00e7eriyor gibi g\u00f6r\u00fcn\u00fcyor. pscanrules.informationdisclosureinurl.otherinfo.email = URL eposta adresi(ler) i\u00e7eriyor. pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = URL, ABD Sosyal G\u00fcvenlik Numaras\u0131(lar\u0131) i\u00e7eriyor gibi g\u00f6r\u00fcn\u00fcyor +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Hassas bilgileri URL'lerde ge\u00e7irmeyin. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP Temel ya da \u00f6zet kimlik do\u011frulamas\u0131 g\u00fcvenli olmayan ba\u011flant\u0131 \u00fczerinden kullan\u0131l\u0131r olmu\u015ftur. kimlik okuyun ve sonra a\u011fa eri\u015fimi olan bir ki\u015fi taraf\u0131ndan yeniden kullan\u0131labilir. pscanrules.insecureauthentication.name = Zay\u0131f Kimlik Do\u011frulama Y\u00f6ntemi pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = HTTPS kullanarak ba\u011flant\u0131y\u0131 korumak veya daha g\u00fc\u00e7l\u00fc bir kimlik do\u011frulama mekanizmas\u0131 kullan\u0131n +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = a\u015fa\u011f\u0131daki URL'den yan\u0131t\u0131 yok kriptografik koruma olan bir ViewState de\u011feri i\u00e7erir. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [ {0} ] g\u00fcvensiz +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = G\u00fcvensiz JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Ortam\u0131n\u0131za bir MAC \u00f6zg\u00fc olan G\u00fcvenli viewstate +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
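Review bot: this hunk deletes the empty `insecureformload.refs=` and `insecureformpost.refs=` keys instead of leaving them blank; that is only safe if the lookup code treats a missing key the same as an empty value (a Java ResourceBundle falls back to the parent bundle for a missing key and throws MissingResourceException if the key exists nowhere). Please confirm the base bundle dropped the same keys or that alert construction tolerates their absence, otherwise this locale will now behave differently from the others. Minor: the new `insecurejsfviewstate.soln` writes "VIEWSTATE" while the rule's `.name` and `.extrainfo` say "JSF ViewState"; use one spelling.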
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Yay\u0131nc\u0131\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
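Review bot: the new `polyfillcdnscript.desc2` has a number-agreement slip ("one or more script which appear" should be "one or more scripts which appear"), and `polyfillcdnscript.refs` cites an x.com status URL, which is not a durable reference for a security finding; keep the sansec.io write-up and, if a second source is wanted, use a page that will still resolve. The `.soln` ("Change all scripts to use a known good source based on their documentation") could also name the concrete action, such as self-hosting the polyfill or removing it. The `retrievedfromcache` lines change only trailing whitespace.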
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = Bir zaman damgas\u0131 uygulama / web sunucusu taraf\u0131ndan if\u015fa edildi -pscanrules.timestampdisclosure.extrainfo = {0} , de\u011ferlendirir hangi\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Zaman Damgas\u0131 Bilgilendirme pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = El ile zaman damgas\u0131 veri duyarl\u0131 olmad\u0131\u011f\u0131n\u0131 ve veri s\u00f6m\u00fcr\u00fclebilir desenleri if\u015fa etmek toplanm\u0131\u015f olamaz teyit etmektedir. 
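Review bot: the new `timestampdisclosure.extrainfo` appends a full stop after the evaluated value ("{0}, which evaluates to\: {1}."), so the rendered date/time ends with a trailing period that reads as part of the value; drop the final period, following the form used by `usernameidor.otherinfo` in this same file ("with value\: {1}").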
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = El ile zaman damgas\u0131 veri duyarl\u013 pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
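Review bot: the reflowed `usercontrolledhtmlattributes.extrainfo` and `usercontrolledjavascriptevent.extrainfo` lines only drop stray spaces before `\n`, but this hunk's context lines carry defects that should be fixed in the base bundle: `usercontrolledjavascriptevent.desc` is a copy of the HTML-attribute description ("where certain HTML attribute values might be controlled") rather than describing on* event handlers; both `.soln` strings read "sanitize output it before writing" (drop "it"); and `usercontrolledcookie.soln` has "semicolon's" for "semicolons". Removing the empty `usercontrolledcharset.refs=` key also relies on the lookup code tolerating a missing key.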
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = Yan\u0131tta bir kullan\u0131c\u0131 ad\u0131 sa\u011flanmas\u0131 ({0}) bulundu. Bu, uygulaman\u0131n G\u00fcvensiz Bir Do\u011frudan Nesne Ba\u015fvurusu (IDOR) g\u00fcvenlik a\u00e7\u0131\u011f\u0131 bulundu\u011funu g\u00f6sterebilir. Bu ke\u015ffin suiistimal edilip edilemeyece\u011fini g\u00f6rmek i\u00e7in manuel test gerekecek. pscanrules.usernameidor.name = Kullan\u0131c\u0131 Ad\u0131 Anlams\u0131z Bulundu -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Kullan\u0131c\u0131 veya oturum ba\u015f\u0131na dolayl\u0131 nesne ba\u015fvurular\u0131 kullan\u0131n (kullan\u0131m s\u0131ras\u0131nda ge\u00e7ici bir e\u015fleme olu\u015fturun). Veya do\u011frudan nesne ba\u015fvurusunun her kullan\u0131m\u0131n\u0131n, kullan\u0131c\u0131n\u0131n istenen nesne i\u00e7in yetkili oldu\u011fundan emin olmak i\u00e7in bir yetkilendirme denetimine ba\u011fland\u0131\u011f\u0131ndan emin olun. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = A\u015fa\u011f\u0131daki e-postalar\u0131n g\u00f6r\u00fcn\u00fc\u015f alan\u0131nda seri hale getirilmi\u015f oldu\u011fu bulundu\: pscanrules.viewstate.content.email.name = Viewstate'te Bulunan epostalar 
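Review bot: `usernameidor.otherinfo` is touched for whitespace only but keeps "The hash was an {0}, with value\: {1}", where the article is wrong for most values substituted into {0} ("an MD5" but "a SHA-1", "a SHA-256"); rephrase so no article precedes the placeholder, e.g. "Hash algorithm\: {0}, value\: {1}".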
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Sunucuyu bu \u00fcstbilgileri d\u00f6d\u00fcrmeyecek \u015fekilde yap\u0131land\u0131r\u0131n. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = Web / uygulama sunucusu, bir veya daha fazla "X-Powered-By" HTTP cevap ba\u015fl\u0131klar\u0131n\u0131n yoluyla bilgi s\u0131zd\u0131r\u0131yor. B\u00f6yle bilgiye eri\u015fim, web uygulamas\u0131 ba\u011f\u0131ml\u0131 olan di\u011fer \u00e7er\u00e7eveler / bile\u015fenleri tan\u0131mlayan sald\u0131rganlar\u0131n kolayla\u015ft\u0131rabilir ve g\u00fcvenlik a\u00e7\u0131klar\u0131 gibi bile\u015fenler tabi olabilir. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Sunucu "X-Powered-By" \u00fczerinden bilgiler Ka\u00e7aklar HTTP yan\u0131t \u00fcstbilgisi Field (ler) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_uk_UA.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_uk_UA.properties index 147f7a051c2..ebce83929cf 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_uk_UA.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_uk_UA.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = \u0423 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u0431\u0443\u0432 \u043f\u0440\u0438\u0441\u0443\u0442\u043d\u0456\u0439 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a X-Frame-Options, \u0430\u043b\u0435 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0431\u0443\u043b\u043e \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043e \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e. pscanrules.anticlickjacking.compliance.malformed.setting.name = \u041d\u0430\u043b\u0430\u0448\u0442\u0443\u0432\u0430\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0456\u0432 X-Frame-Options \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043f\u043e\u043c\u0438\u043b\u043a\u0438 pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u043d\u0430 \u0432\u0441\u0456\u0445 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0430\u0445, \u044f\u043a\u0456 \u043f\u043e\u0432\u0435\u0440\u0442\u0430\u0454 \u0432\u0430\u0448 \u0441\u0430\u0439\u0442, \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0438\u0439 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 (\u044f\u043a\u0449\u043e \u0432\u0438 \u043e\u0447\u0456\u043a\u0443\u0454\u0442\u0435, \u0449\u043e \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0430 \u0431\u0443\u0434\u0435 \u043e\u0431\u0440\u0430\u043c\u043b\u0435\u043d\u0430 \u043b\u0438\u0448\u0435 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0430\u043c\u0438 \u043d\u0430 \u0432\u0430\u0448\u043e\u043c\u0443 \u0441\u0435\u0440\u0432\u0435\u0440\u0456, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u044f\u043a\u0449\u043e 
\u0432\u043e\u043d\u0430 \u0454 \u0447\u0430\u0441\u0442\u0438\u043d\u043e\u044e FRAMESET, \u0432\u0430\u043c \u0441\u043b\u0456\u0434 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 SAMEORIGIN, \u0456\u043d\u0430\u043a\u0448\u0435, \u044f\u043a\u0449\u043e \u0432\u0438 \u043d\u0456\u043a\u043e\u043b\u0438 \u043d\u0435 \u043e\u0447\u0456\u043a\u0443\u0454\u0442\u0435, \u0449\u043e \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0430 \u0431\u0443\u0434\u0435 \u043e\u0431\u0440\u0430\u043c\u043b\u0435\u043d\u0430, \u0432\u0430\u043c \u0441\u043b\u0456\u0434 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 DENY. \u041a\u0440\u0456\u043c \u0442\u043e\u0433\u043e, \u0440\u043e\u0437\u0433\u043b\u044f\u043d\u044c\u0442\u0435 \u043c\u043e\u0436\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0437\u0430\u0441\u0442\u043e\u0441\u0443\u0432\u0430\u043d\u043d\u044f \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0438 "frame-ancestors" \u0443 \u043f\u043e\u043b\u0456\u0442\u0438\u0446\u0456 \u0431\u0435\u0437\u043f\u0435\u043a\u0438 \u0432\u043c\u0456\u0441\u0442\u0443. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
pscanrules.anticlickjacking.compliance.meta.desc = \u0417\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u041c\u0415\u0422\u0410 \u0442\u0435\u0433 X-Frame-Options (XFO), \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f XFO \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u041c\u0415\u0422\u0410 \u0442\u0435\u0433\u0443 \u044f\u0432\u043d\u043e \u043d\u0435 \u043f\u0456\u0434\u0442\u0440\u0438\u043c\u0443\u0454\u0442\u044c\u0441\u044f \u0441\u043f\u0435\u0446\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0454\u044e (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = \u041f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 X-Frame, \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u0456 \u0447\u0435\u0440\u0435\u0437 META (\u043d\u0435\u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u043d\u0456\u0441\u0442\u044c \u0441\u043f\u0435\u0446\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 X-Frame-Options \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043e \u0432 \u043f\u043e\u043b\u0456 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456. \u041a\u0440\u0456\u043c \u0442\u043e\u0433\u043e, \u0440\u043e\u0437\u0433\u043b\u044f\u043d\u044c\u0442\u0435 \u043c\u043e\u0436\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0432\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0438 \u00abframe-ancestors\u00bb \u043f\u043e\u043b\u0456\u0442\u0438\u043a\u0438 \u0431\u0435\u0437\u043f\u0435\u043a\u0438 \u0432\u043c\u0456\u0441\u0442\u0443. 
-pscanrules.anticlickjacking.incInCsp = Content-Security-Policy \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0435\u043b\u0435\u043c\u0435\u043d\u0442 \u00abframe-ancestors\u00bb, \u044f\u043a\u0438\u0439 \u043c\u0430\u0454 \u043f\u0435\u0440\u0435\u0432\u0430\u0433\u0443 \u043d\u0430\u0434 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u043c X-Frame-Options, \u0442\u043e\u043c\u0443 \u0446\u0435 \u0431\u0443\u043b\u043e \u043f\u0456\u0434\u043d\u044f\u0442\u043e \u0437 \u041d\u0418\u0417\u042c\u041a\u0418\u041c \u0440\u0438\u0437\u0438\u043a\u043e\u043c. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = \u0412\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u043d\u0435 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0430\u043d\u0456 Content-Security-Policy \u0437 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u043e\u044e \u00abframe-ancestors\u00bb, \u0430\u043d\u0456 X-Frame-Options \u0434\u043b\u044f \u0437\u0430\u0445\u0438\u0441\u0442\u0443 \u0432\u0456\u0434 \u0430\u0442\u0430\u043a \u00abClickJacking\u00bb. pscanrules.anticlickjacking.missing.name = \u0412\u0456\u0434\u0441\u0443\u0442\u043d\u0456\u0439 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a \u0434\u043b\u044f \u0437\u0430\u0445\u0438\u0441\u0442\u0443 \u0432\u0456\u0434 \u043a\u043b\u0456\u043a\u0434\u0436\u0435\u043a\u0456\u043d\u0433\u0443 pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
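Review bot: the new `pscanrules.anticlickjacking.compliance.malformed.setting.soln` has an unbalanced parenthesis: it opens with `(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, ... you should use DENY.` and only the inner pair is ever closed. Since this is the source string copied into the locale file, fix it in the default bundle (close or drop the outer parenthesis) so the defect does not propagate to every language. Separately, this hunk replaces three complete Ukrainian translations (`malformed.setting.soln`, `meta.soln`, `incInCsp`) with English source text; please confirm that regression to English is intended rather than an artifact of the sync.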
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = \u041f\u0435\u0440\u0435\u0433\u043b\u044f\u pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 [{2}] \u0442\u0430 \u0440\u043e\u0437\u043a\u0440\u0438\u0432\u0430\u0454 \u0456\u043c\u2019\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 [{3}] \u0456 \u043f\u0430\u0440\u043e\u043b\u044c [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 [{2}] \u0442\u0430 \u0440\u043e\u0437\u043a\u0440\u0438\u0432\u0430\u0454 \u0456\u043c\u2019\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 [{3}] \u0456 \u0434\u043e\u0434\u0430\u0442\u043a\u043e\u0432\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e [{4}]. -pscanrules.authenticationcredentialscaptured.desc = \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457. 
\u0426\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0443 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u0430 \u0442\u0430 \u043f\u0430\u0440\u043e\u043b\u044f \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u043e\u0433\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430. \u0414\u043b\u044f \u0431\u0430\u0437\u043e\u0432\u043e\u0457 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043f\u043e\u0432\u0438\u043d\u0435\u043d \u043f\u0440\u043e\u0441\u0442\u043e \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438 \u043c\u0435\u0440\u0435\u0436\u0435\u0432\u0438\u0439 \u0442\u0440\u0430\u0444\u0456\u043a, \u0434\u043e\u043a\u0438 \u043d\u0435 \u0431\u0443\u0434\u0435 \u043e\u0442\u0440\u0438\u043c\u0430\u043d\u043e \u0437\u0430\u043f\u0438\u0442 \u043d\u0430 \u0431\u0430\u0437\u043e\u0432\u0443 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u044e, \u0430 \u043f\u043e\u0442\u0456\u043c \u0440\u043e\u0437\u043a\u043e\u0434\u0443\u0432\u0430\u0442\u0438 base64 \u0456\u043c\u2019\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0442\u0430 \u043f\u0430\u0440\u043e\u043b\u044c. 
\u0414\u043b\u044f \u0434\u0430\u0439\u0434\u0436\u0435\u0441\u0442 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043c\u0430\u0454 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0456\u043c\u0435\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0442\u0430, \u043c\u043e\u0436\u043b\u0438\u0432\u043e, \u0442\u0430\u043a\u043e\u0436 \u0434\u043e \u043f\u0430\u0440\u043e\u043b\u044f, \u044f\u043a\u0449\u043e \u0433\u0435\u0448 (\u0432\u043a\u043b\u044e\u0447\u043d\u043e \u0437 \u043e\u0434\u043d\u043e\u0440\u0430\u0437\u043e\u0432\u0438\u043c \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440\u043e\u043c) \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0443\u0441\u043f\u0456\u0448\u043d\u043e \u0437\u043b\u0430\u043c\u0430\u043d\u0438\u0439 \u0430\u0431\u043e \u044f\u043a\u0449\u043e \u0432\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u043e \u0430\u0442\u0430\u043a\u0443 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043c \u043f\u043e\u0441\u0435\u0440\u0435\u0434\u043d\u0438\u043a\u043e\u043c.\n\u0417\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u0441\u043b\u0456\u0434\u043a\u0443\u0432\u0430\u0442\u0438\u043c\u0435 \u0437\u0430 \u043c\u0435\u0440\u0435\u0436\u0435\u044e, \u0434\u043e\u043a\u0438 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u044f \u043d\u0435 \u0437\u0430\u0432\u0435\u0440\u0448\u0438\u0442\u044c\u0441\u044f. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. 
For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. pscanrules.authenticationcredentialscaptured.name = \u0417\u0430\u0444\u0456\u043a\u0441\u043e\u0432\u0430\u043d\u043e \u043e\u0431\u043b\u0456\u043a\u043e\u0432\u0456 \u0434\u0430\u043d\u0456 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 HTTPS \u0456 \u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457, \u044f\u043a\u0438\u0439 \u043d\u0435 \u043f\u0435\u0440\u0435\u0434\u0430\u0454 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0442\u043e\u0440 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0447\u0438 \u043f\u0430\u0440\u043e\u043b\u044c \u0443 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043e\u043c\u0443 \u0432\u0438\u0433\u043b\u044f\u0434\u0456. 
\u0417\u043e\u043a\u0440\u0435\u043c\u0430, \u0443\u043d\u0438\u043a\u0430\u0439\u0442\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c\u0443 \u0431\u0430\u0437\u043e\u0432\u043e\u0457 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457, \u043e\u0441\u043a\u0456\u043b\u044c\u043a\u0438 \u0446\u0435\u0439 \u0442\u0440\u0438\u0432\u0456\u0430\u043b\u044c\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0437\u0430\u043f\u043b\u0443\u0442\u0443\u0432\u0430\u043d\u043d\u044f \u043b\u0435\u0433\u043a\u043e \u0437\u043b\u0430\u043c\u0430\u0442\u0438. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = \u0421\u0435\u0440\u0432\u0435\u0440 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0432 \u043f\u0435\u0440\u0435\u043d\u0430\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044f\u043c, \u044f\u043a\u0435, \u0437\u0434\u0430\u0454\u0442\u044c\u0441\u044f, \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0443\u0454 \u0432\u0435\u043b\u0438\u043a\u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c. 
\u0426\u0435 \u043c\u043e\u0436\u0435 \u043e\u0437\u043d\u0430\u0447\u0430\u0442\u0438, \u0449\u043e \u0445\u043e\u0447\u0430 \u0441\u0435\u0440\u0432\u0435\u0440 \u043d\u0430\u0434\u0456\u0441\u043b\u0430\u0432 \u043f\u0435\u0440\u0435\u0441\u043f\u0440\u044f\u043c\u0443\u0432\u0430\u043d\u043d\u044f, \u0432\u0456\u043d \u0442\u0430\u043a\u043e\u0436 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0432 \u043e\u0441\u043d\u043e\u0432\u043d\u0438\u043c \u0432\u043c\u0456\u0441\u0442\u043e\u043c (\u044f\u043a\u0438\u0439 \u043c\u043e\u0436\u0435 \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e, \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u0442\u043e\u0449\u043e). pscanrules.bigredirects.extrainfo = \u0414\u043e\u0432\u0436\u0438\u043d\u0430 URI \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u0440\u043e\u0437\u0442\u0430\u0448\u0443\u0432\u0430\u043d\u043d\u044f\: {0} [{1}].\n\u041f\u0440\u043e\u0433\u043d\u043e\u0437\u043e\u0432\u0430\u043d\u0438\u0439 \u0440\u043e\u0437\u043c\u0456\u0440 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456\: {2}.\n\u0414\u043e\u0432\u0436\u0438\u043d\u0430 \u0442\u0456\u043b\u0430 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456\: {3}. 
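Review bot: the new English `pscanrules.authenticationcredentialscaptured.desc` names the same value two ways within one string (`access to the userid and password` and then `base64 decode the username and password`), and `soln` spells `un-encrypted` with a hyphen; pick one term and `unencrypted` in the default bundle, since translators mirror the source terminology. Note too that both the `desc` and `soln` being removed here were complete Ukrainian translations, so this hunk is a net loss for that locale unless updated translations follow.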
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0434\u043b\u044f \u0432\u0441\u0456\u0445 \u0444\u0430\u0439\u043b\u0456\u0432 cookie \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043e \u043f\u0440\u0430\u043f\u043e\u0440\u0435\u0446\u044c HttpOnly. pscanrules.cookielooselyscoped.desc = \u0424\u0430\u0439\u043b\u0438 cookie \u043c\u043e\u0436\u043d\u0430 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0438\u0442\u0438 \u0437\u0430 \u0434\u043e\u043c\u0435\u043d\u043e\u043c \u0430\u0431\u043e \u0448\u043b\u044f\u0445\u043e\u043c. \u0426\u044f \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430 \u0441\u0442\u043e\u0441\u0443\u0454\u0442\u044c\u0441\u044f \u043b\u0438\u0448\u0435 \u043e\u0431\u043b\u0430\u0441\u0442\u0456 \u0434\u043e\u043c\u0435\u043d\u0443. \u041e\u0431\u043b\u0430\u0441\u0442\u044c \u0434\u043e\u043c\u0435\u043d\u0443, \u0437\u0430\u0441\u0442\u043e\u0441\u043e\u0432\u0430\u043d\u0430 \u0434\u043e \u0444\u0430\u0439\u043b\u0443 cookie, \u0432\u0438\u0437\u043d\u0430\u0447\u0430\u0454, \u044f\u043a\u0456 \u0434\u043e\u043c\u0435\u043d\u0438 \u043c\u043e\u0436\u0443\u0442\u044c \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e \u043d\u044c\u043e\u0433\u043e \u0434\u043e\u0441\u0442\u0443\u043f. 
\u041d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u0444\u0430\u0439\u043b cookie \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0441\u0443\u0432\u043e\u0440\u043e \u043e\u0431\u043c\u0435\u0436\u0435\u043d\u0438\u0439 \u0441\u0443\u0431\u0434\u043e\u043c\u0435\u043d\u043e\u043c, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, www.nottrusted.com, \u0430\u0431\u043e \u0432\u0456\u043b\u044c\u043d\u043e \u043e\u0431\u043c\u0435\u0436\u0435\u043d\u0438\u0439 \u0431\u0430\u0442\u044c\u043a\u0456\u0432\u0441\u044c\u043a\u0438\u043c \u0434\u043e\u043c\u0435\u043d\u043e\u043c, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, nottrusted.com. \u0412 \u043e\u0441\u0442\u0430\u043d\u043d\u044c\u043e\u043c\u0443 \u0432\u0438\u043f\u0430\u0434\u043a\u0443 \u0431\u0443\u0434\u044c-\u044f\u043a\u0438\u0439 \u0441\u0443\u0431\u0434\u043e\u043c\u0435\u043d nottrusted.com \u043c\u043e\u0436\u0435 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0444\u0430\u0439\u043b\u0443 cookie. \u0424\u0430\u0439\u043b\u0438 cookie \u0437 \u0448\u0438\u0440\u043e\u043a\u043e\u044e \u0441\u0444\u0435\u0440\u043e\u044e \u0434\u0456\u0457 \u043f\u043e\u0448\u0438\u0440\u0435\u043d\u0456 \u0432 \u0442\u0430\u043a\u0438\u0445 \u043c\u0435\u0433\u0430-\u0434\u043e\u0434\u0430\u0442\u043a\u0430\u0445, \u044f\u043a google.com \u0442\u0430 live.com. \u0424\u0430\u0439\u043b\u0438 cookie, \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0456 \u0437 \u0441\u0443\u0431\u0434\u043e\u043c\u0435\u043d\u0443, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, app.foo.bar, \u043f\u0435\u0440\u0435\u0434\u0430\u044e\u0442\u044c\u0441\u044f \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u043e\u043c \u043b\u0438\u0448\u0435 \u0434\u043e \u0446\u044c\u043e\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0443. 
\u041e\u0434\u043d\u0430\u043a, \u0444\u0430\u0439\u043b\u0438 cookie, \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0456 \u0434\u043b\u044f \u0434\u043e\u043c\u0435\u043d\u0443 \u0431\u0430\u0442\u044c\u043a\u0456\u0432\u0441\u044c\u043a\u043e\u0433\u043e \u0440\u0456\u0432\u043d\u044f, \u043c\u043e\u0436\u0443\u0442\u044c \u0431\u0443\u0442\u0438 \u043f\u0435\u0440\u0435\u0434\u0430\u043d\u0456 \u0434\u043e \u0431\u0430\u0442\u044c\u043a\u0456\u0432\u0441\u044c\u043a\u043e\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0443 \u0430\u0431\u043e \u0431\u0443\u0434\u044c-\u044f\u043a\u043e\u0433\u043e \u0441\u0443\u0431\u0434\u043e\u043c\u0435\u043d\u0443 \u0431\u0430\u0442\u044c\u043a\u0456\u0432\u0441\u044c\u043a\u043e\u0433\u043e \u0434\u043e\u043c\u0435\u043d\u0443. -pscanrules.cookielooselyscoped.extrainfo = \u0414\u043e\u043c\u0435\u043d \u043f\u043e\u0445\u043e\u0434\u0436\u0435\u043d\u043d\u044f, \u044f\u043a\u0438\u0439 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0432\u0441\u044f \u0434\u043b\u044f \u043f\u043e\u0440\u0456\u0432\u043d\u044f\u043d\u043d\u044f, \u0431\u0443\u0432 \u0442\u0430\u043a\u0438\u043c\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0} pscanrules.cookielooselyscoped.name = \u0424\u0430\u0439\u043b\u0438 Cookie \u0437 \u0432\u0456\u043b\u044c\u043d\u0438\u043c\u0438 \u043c\u0435\u0436\u0430\u043c\u0438 pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
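Review bot: the replacement `pscanrules.cookielooselyscoped.extrainfo` keeps the `\n{0}\n{1}` MessageFormat placeholders intact, which is what matters for rendering. The removed Ukrainian value differs from the English only by a stray space between `\:` and the first `\n`; if that whitespace is what invalidated the translation, a whitespace-only correction of the translation would have been cheaper than reverting the whole string to English.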
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = \u0424\u0430\u0439\u043b cookie \u0431\u0435\ pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = \u042f\u043a\u0449\u043e \u0444\u0430\u0439\u043b cookie \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u0430\u0431\u043e \u0454 \u0442\u043e\u043a\u0435\u043d\u043e\u043c \u0441\u0435\u0430\u043d\u0441\u0443, \u0439\u043e\u0433\u043e \u0437\u0430\u0432\u0436\u0434\u0438 \u0441\u043b\u0456\u0434 \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0442\u0438 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u043e\u0433\u043e \u043a\u0430\u043d\u0430\u043b\u0443. \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0434\u043b\u044f \u0444\u0430\u0439\u043b\u0456\u0432 cookie, \u044f\u043a\u0456 \u043c\u0456\u0441\u0442\u044f\u0442\u044c \u0442\u0430\u043a\u0443 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e, \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043e \u043f\u0440\u0430\u043f\u043e\u0440\u0435\u0446\u044c \u0431\u0435\u0437\u043f\u0435\u043a\u0438. 
-pscanrules.crossdomain.desc = \u0417\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0434\u0430\u043d\u0438\u0445 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u043c\u043e\u0436\u043b\u0438\u0432\u0438\u043c \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0443 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044e Cross Origin Resource Sharing (CORS) \u043d\u0430 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0456 +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = \u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f CORS \u043d\u0430 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0456 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u043c\u0456\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u0456 \u0437\u0430\u043f\u0438\u0442\u0438 \u043d\u0430 \u0447\u0438\u0442\u0430\u043d\u043d\u044f \u0432\u0456\u0434 \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u0438\u0445 \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0456\u0445 \u0434\u043e\u043c\u0435\u043d\u0456\u0432 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u043d\u0435\u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u0438\u0445 API \u0443 \u0446\u044c\u043e\u043c\u0443 \u0434\u043e\u043c\u0435\u043d\u0456. 
\u041e\u0434\u043d\u0430\u043a \u0440\u0435\u0430\u043b\u0456\u0437\u0430\u0446\u0456\u0457 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430 \u043d\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0442\u044c \u0434\u043e\u0432\u0456\u043b\u044c\u043d\u0438\u043c \u0442\u0440\u0435\u0442\u0456\u043c \u043e\u0441\u043e\u0431\u0430\u043c \u0447\u0438\u0442\u0430\u0442\u0438 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u0437 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u0438\u0445 API. \u0426\u0435 \u0434\u0435\u0449\u043e \u0437\u043d\u0438\u0436\u0443\u0454 \u0440\u0438\u0437\u0438\u043a. \u0426\u044f \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u0430 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u043e\u043c \u0434\u043b\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0443 \u0434\u043e \u0434\u0430\u043d\u0438\u0445, \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0438\u0445 \u0443 \u043d\u0435\u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u0438\u0439 \u0441\u043f\u043e\u0441\u0456\u0431, \u0430\u043b\u0435 \u044f\u043a\u0456 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0442\u044c \u0456\u043d\u0448\u0456 \u0444\u043e\u0440\u043c\u0438 \u0431\u0435\u0437\u043f\u0435\u043a\u0438, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434 \u0431\u0456\u043b\u0438\u0439 \u0441\u043f\u0438\u0441\u043e\u043a IP-\u0430\u0434\u0440\u0435\u0441. 
pscanrules.crossdomain.name = \u041c\u0456\u0436\u0434\u043e\u043c\u0435\u043d\u043d\u0430 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
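Review bot: `pscanrules.crossdomain.desc` is being reverted over a punctuation-only source change: the removed Ukrainian text is a full rendering of the English sentence and lacks only the trailing period that the new source adds. A full translation lost for a period is worth flagging to whoever maintains the source strings, since every such edit costs the locale the string until it is retranslated.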
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src \u043c\u0456\u0441\u0442\u0438\u0442\u044c unsafe-inline pscanrules.csp.wildcard.name = \u0414\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0430 \u0441\u0438\u043c\u0432\u043e\u043b\u0456\u0432 \u0443\u0437\u0430\u0433\u0430\u043b\u044c\u043d\u0435\u043d\u043d\u044f -pscanrules.csp.wildcard.otherinfo = \u041d\u0430\u0441\u0442\u0443\u043f\u043d\u0456 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0438 \u0430\u0431\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0442\u044c \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 \u0434\u0436\u0435\u0440\u0435\u043b\u0430 \u0441\u0438\u043c\u0432\u043e\u043b\u0456\u0432 \u0443\u0437\u0430\u0433\u0430\u043b\u044c\u043d\u0435\u043d\u043d\u044f (\u0430\u0431\u043e \u043f\u0440\u0435\u0434\u043a\u0456\u0432), \u043d\u0435 \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u0456 \u0430\u0431\u043e \u043c\u0430\u044e\u0442\u044c \u043d\u0430\u0434\u0442\u043e \u0448\u0438\u0440\u043e\u043a\u0435 \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\: \n{0}\n +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = \u041f\u043e\u043b\u0456\u0442\u0438\u043a\u0430 \u0431\u0435\u0437\u043f\u0435\u043a\u0438 \u0432\u043c\u0456\u0441\u0442\u0443 X pscanrules.csp.xcsp.otherinfo = \u0423 \u0446\u0456\u0439 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a X-Content-Security-Policy. 
\u0425\u043e\u0447\u0430 \u0446\u0435 \u0445\u043e\u0440\u043e\u0448\u0438\u0439 \u0437\u043d\u0430\u043a, \u0449\u043e CSP \u043f\u0435\u0432\u043d\u043e\u044e \u043c\u0456\u0440\u043e\u044e \u0440\u0435\u0430\u043b\u0456\u0437\u043e\u0432\u0430\u043d\u043e, \u043f\u043e\u043b\u0456\u0442\u0438\u043a\u0430, \u0443\u043a\u0430\u0437\u0430\u043d\u0430 \u0432 \u0446\u044c\u043e\u043c\u0443 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0443, \u043d\u0435 \u0431\u0443\u043b\u0430 \u043f\u0440\u043e\u0430\u043d\u0430\u043b\u0456\u0437\u043e\u0432\u0430\u043d\u0430 ZAP. \u0429\u043e\u0431 \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0438\u0442\u0438 \u043f\u043e\u0432\u043d\u0443 \u043f\u0456\u0434\u0442\u0440\u0438\u043c\u043a\u0443 \u0441\u0443\u0447\u0430\u0441\u043d\u0438\u043c\u0438 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430\u043c\u0438, \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a Content-Security-Policy \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u0442\u0430 \u0434\u043e\u0434\u0430\u043d\u043e \u0434\u043e \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0435\u0439. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = \u0423 \u0446\u0456\u0439 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a X-WebKit-CSP. 
\u0425\u043e\u0447\u0430 \u0446\u0435 \u0445\u043e\u0440\u043e\u0448\u0438\u0439 \u0437\u043d\u0430\u043a, \u0449\u043e CSP \u043f\u0435\u0432\u043d\u043e\u044e \u043c\u0456\u0440\u043e\u044e \u0440\u0435\u0430\u043b\u0456\u0437\u043e\u0432\u0430\u043d\u043e, \u043f\u043e\u043b\u0456\u0442\u0438\u043a\u0430, \u0443\u043a\u0430\u0437\u0430\u043d\u0430 \u0432 \u0446\u044c\u043e\u043c\u0443 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0443, \u043d\u0435 \u0431\u0443\u043b\u0430 \u043f\u0440\u043e\u0430\u043d\u0430\u043b\u0456\u0437\u043e\u0432\u0430\u043d\u0430 ZAP. \u0429\u043e\u0431 \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0438\u0442\u0438 \u043f\u043e\u0432\u043d\u0443 \u043f\u0456\u0434\u0442\u0440\u0438\u043c\u043a\u0443 \u0441\u0443\u0447\u0430\u0441\u043d\u0438\u043c\u0438 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0430\u043c\u0438, \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a Content-Security-Policy \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043e \u0442\u0430 \u0434\u043e\u0434\u0430\u043d\u043e \u0434\u043e \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0435\u0439. -pscanrules.desc = \u041f\u0440\u0430\u0432\u0438\u043b\u0430 \u043f\u0430\u0441\u0438\u0432\u043d\u043e\u0433\u043e \u0441\u043a\u0430\u043d\u0443\u0432\u0430\u043d\u043d\u044f \u0441\u0442\u0430\u043d\u0443 \u0432\u0438\u043f\u0443\u0441\u043a\u0443 +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = \u041c\u043e\u0436\u043d\u0430 \u043f\u0435\u0440\u0435\u0433\u043b\u044f\u043d\u0443\u0442\u0438 \u0441\u043f\u0438\u0441\u043e\u043a \u0432\u043c\u0456\u0441\u0442\u0443 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443. 
\u0421\u043f\u0438\u0441\u043a\u0438 \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0456\u0432 \u043c\u043e\u0436\u0443\u0442\u044c \u0432\u0438\u044f\u0432\u0438\u0442\u0438 \u043f\u0440\u0438\u0445\u043e\u0432\u0430\u043d\u0456 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0457, \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u0444\u0430\u0439\u043b\u0438, \u0432\u0438\u0445\u0456\u0434\u043d\u0456 \u0444\u0430\u0439\u043b\u0438 \u0440\u0435\u0437\u0435\u0440\u0432\u043d\u0438\u0445 \u043a\u043e\u043f\u0456\u0439 \u0442\u043e\u0449\u043e, \u0434\u043e \u044f\u043a\u0438\u0445 \u043c\u043e\u0436\u043d\u0430 \u043e\u0442\u0440\u0438\u043c\u0430\u0442\u0438 \u0434\u043e\u0441\u0442\u0443\u043f, \u0449\u043e\u0431 \u0432\u0456\u0434\u043a\u0440\u0438\u0442\u0438 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e. pscanrules.directorybrowsing.extrainfo = \u0412\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u043e\u0432\u0430\u043d\u043e\: {0} 
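Review bot: the `-pscanrules.desc` / `+pscanrules.desc = Release status passive scan rules.` pair swaps a complete Ukrainian translation for the English source string, so uk_UA users will see untranslated text for this key after the sync. If the bundle deliberately falls back to English when the source string changes, confirm the key is queued for retranslation rather than left reverted; if the upstream change was punctuation-only, the previous translation should be kept.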
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = \u041d\u0430\u043b\u0430\u0448\u0442\u0443\u pscanrules.hashdisclosure.desc = \u0413\u0435\u0448 \u0431\u0443\u0432 \u0432\u0456\u0434\u043a\u0440\u0438\u0442\u0438\u0439 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c. pscanrules.hashdisclosure.name = \u0420\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044f \u0433\u0435\u0448\u0443 pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0433\u0435\u0448\u0456, \u044f\u043a\u0456 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0442\u044c\u0441\u044f \u0434\u043b\u044f \u0437\u0430\u0445\u0438\u0441\u0442\u0443 \u043e\u0431\u043b\u0456\u043a\u043e\u0432\u0438\u0445 \u0434\u0430\u043d\u0438\u0445 \u0430\u0431\u043e \u0456\u043d\u0448\u0438\u0445 \u0440\u0435\u0441\u0443\u0440\u0441\u0456\u0432, \u043d\u0435 \u0432\u0438\u0442\u0456\u043a\u0430\u044e\u0442\u044c \u0447\u0435\u0440\u0435\u0437 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u0430\u0431\u043e \u0431\u0430\u0437\u0443 \u0434\u0430\u043d\u0438\u0445. \u0417\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u043d\u0435\u043c\u0430\u0454 \u0432\u0438\u043c\u043e\u0433\u0438, \u0449\u043e\u0431 \u0433\u0435\u0448\u0456 \u043f\u0430\u0440\u043e\u043b\u0456\u0432 \u0431\u0443\u043b\u0438 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0456 \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0443. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. 
-pscanrules.heartbleed.desc = \u0412\u043f\u0440\u043e\u0432\u0430\u0434\u0436\u0435\u043d\u043d\u044f TLS \u0456 DTLS \u0443 OpenSSL 1.0.1 \u0434\u043e 1.0.1g \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e \u043e\u0431\u0440\u043e\u0431\u043b\u044f\u044e\u0442\u044c \u043f\u0430\u043a\u0435\u0442\u0438 Heartbeat Extension, \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0432\u0456\u0434\u0434\u0430\u043b\u0435\u043d\u0438\u043c \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0430\u043c \u043e\u0442\u0440\u0438\u043c\u0443\u0432\u0430\u0442\u0438 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u0437 \u043f\u0430\u043c\u2019\u044f\u0442\u0456 \u043f\u0440\u043e\u0446\u0435\u0441\u0443 \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u0441\u0442\u0432\u043e\u0440\u0435\u043d\u0438\u0445 \u043f\u0430\u043a\u0435\u0442\u0456\u0432, \u044f\u043a\u0456 \u0437\u0430\u043f\u0443\u0441\u043a\u0430\u044e\u0442\u044c \u043f\u0435\u0440\u0435\u0447\u0438\u0442\u0443\u0432\u0430\u043d\u043d\u044f \u0431\u0443\u0444\u0435\u0440\u0430, \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u043e \u0440\u043e\u0437\u043a\u0440\u0438\u0432\u0430\u044e\u0447\u0438 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e. +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f. 
\u041e\u0434\u043d\u0430\u043a \u0437\u0430\u0443\u0432\u0430\u0436\u0442\u0435, \u0449\u043e \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u0430 \u0432\u0435\u0440\u0441\u0456\u044f \u043c\u043e\u0436\u0435 \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u0437\u0432\u043e\u0440\u043e\u0442\u043d\u0456 \u0432\u0438\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u043d\u044f \u0431\u0435\u0437\u043f\u0435\u043a\u0438, \u0442\u043e\u043c\u0443 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0445\u0438\u0431\u043d\u043e \u043f\u043e\u0437\u0438\u0442\u0438\u0432\u043d\u043e\u044e. \u0426\u0435 \u0447\u0430\u0441\u0442\u043e \u0437\u0443\u0441\u0442\u0440\u0456\u0447\u0430\u0454\u0442\u044c\u0441\u044f, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u0443 Red Hat. pscanrules.heartbleed.name = \u0423\u0440\u0430\u0437\u043b\u0438\u0432\u0456\u0441\u0442\u044c Heartbleed OpenSSL (\u0456\u043d\u0434\u0438\u043a\u0430\u0442\u0438\u0432\u043d\u043e) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
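Review bot: both `-`/`+` pairs in this hunk (`pscanrules.hashdisclosure.soln` and `pscanrules.heartbleed.desc`) replace full Ukrainian paragraphs with the English source text, which is a visible regression in a localized bundle. Worth checking whether the source edit that invalidated them was substantive; the surrounding `pscanrules.heartbleed.extrainfo`, `.name` and `.refs` (still pointing at CVE-2014-0160) remain translated and unchanged, so only these two strings fall back to English here.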
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = \u041e\u043d\u043e\u0432\u0456\u0442\u044c \u0434\u pscanrules.infoprivateaddressdisclosure.desc = \u0423 \u0442\u0456\u043b\u0456 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 HTTP \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u043f\u0440\u0438\u0432\u0430\u0442\u043d\u0443 IP-\u0430\u0434\u0440\u0435\u0441\u0443 (\u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, 10.x.x.x, 172.x.x.x, 192.168.x.x) \u0430\u0431\u043e \u043f\u0440\u0438\u0432\u0430\u0442\u043d\u0435 \u0456\u043c\u2019\u044f \u0445\u043e\u0441\u0442\u0430 Amazon EC2 (\u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, ip-10-0-56-78). \u0426\u044f \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044f \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u043a\u043e\u0440\u0438\u0441\u043d\u043e\u044e \u0434\u043b\u044f \u043f\u043e\u0434\u0430\u043b\u044c\u0448\u0438\u0445 \u0430\u0442\u0430\u043a, \u0441\u043f\u0440\u044f\u043c\u043e\u0432\u0430\u043d\u0438\u0445 \u043d\u0430 \u0432\u043d\u0443\u0442\u0440\u0456\u0448\u043d\u0456 \u0441\u0438\u0441\u0442\u0435\u043c\u0438. pscanrules.infoprivateaddressdisclosure.name = \u0420\u043e\u0437\u0433\u043e\u043b\u043e\u0448\u0435\u043d\u043d\u044f \u043f\u0440\u0438\u0432\u0430\u0442\u043d\u043e\u0457 IP-\u0430\u0434\u0440\u0435\u0441\u0438 pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = \u0412\u0438\u0434\u0430\u043b\u0456\u0442\u044c \u043f\u0440\u0438\u0432\u0430\u0442\u043d\u0443 IP-\u0430\u0434\u0440\u0435\u0441\u0443 \u0437 \u0442\u0456\u043b\u0430 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 HTTP. 
\u0414\u043b\u044f \u043a\u043e\u043c\u0435\u043d\u0442\u0430\u0440\u0456\u0432 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u043a\u043e\u043c\u0435\u043d\u0442\u0430\u0440\u0456 JSP/ASP/PHP \u0437\u0430\u043c\u0456\u0441\u0442\u044c \u043a\u043e\u043c\u0435\u043d\u0442\u0430\u0440\u0456\u0432 HTML/JavaScript, \u044f\u043a\u0456 \u043c\u043e\u0436\u0443\u0442\u044c \u0431\u0430\u0447\u0438\u0442\u0438 \u043a\u043b\u0456\u0454\u043d\u0442\u0441\u044c\u043a\u0456 \u0431\u0440\u0430\u0443\u0437\u0435\u0440\u0438. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = \u0412\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0442\u0438\u043f\u043e\u0432\u0456 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u043f\u0440\u043e \u043f\u043e\u043c\u0438\u043b\u043a\u0438, \u044f\u043a\u0456 \u043f\u043e\u0432\u0435\u0440\u0442\u0430\u044e\u0442\u044c\u0441\u044f \u0442\u0430\u043a\u0438\u043c\u0438 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430\u043c\u0438, \u044f\u043a ASP.NET, \u0456 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c\u0438, \u044f\u043a IIS \u0456 Apache. \u0412\u0438 \u043c\u043e\u0436\u0435\u0442\u0435 \u043d\u0430\u043b\u0430\u0448\u0442\u0443\u0432\u0430\u0442\u0438 \u0441\u043f\u0438\u0441\u043e\u043a \u0442\u0438\u043f\u043e\u0432\u0438\u0445 \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u044c \u043d\u0430\u043b\u0430\u0433\u043e\u0434\u0436\u0435\u043d\u043d\u044f. 
pscanrules.informationdisclosuredebugerrors.name = \u0420\u043e\u0437\u0433\u043e\u043b\u043e\u0448\u0435\u043d\u043d\u044f \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 - \u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u043f\u0440\u043e \u043f\u043e\u043c\u0438\u043b\u043a\u0438 \u043d\u0430\u043b\u0430\u0433\u043e\u0434\u0436\u0435\u043d\u043d\u044f 
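Review bot: the new `+pscanrules.infoprivateaddressdisclosure.soln` text carries a grammar slip in the English source ("use JSP/ASP/PHP comment instead of HTML/JavaScript comment"; the removed Ukrainian line correctly used plurals), so the fix belongs in the source bundle rather than in this locale file. Note also that the old value spanned two lines while the replacement is a single line; make sure the properties value still parses as one entry after the merge.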
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = \u0420\u043e\u0437\u0433\u043e\u043 pscanrules.informationdisclosureinurl.otherinfo.cc = URL-\u0430\u0434\u0440\u0435\u0441\u0430 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u043f\u0440\u043e \u043a\u0440\u0435\u0434\u0438\u0442\u043d\u0443 \u043a\u0430\u0440\u0442\u043a\u0443. pscanrules.informationdisclosureinurl.otherinfo.email = URL-\u0430\u0434\u0440\u0435\u0441\u0430 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0430\u0434\u0440\u0435\u0441\u0438 \u0435\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u043e\u0457 \u043f\u043e\u0448\u0442\u0438. pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = URL-\u0430\u0434\u0440\u0435\u0441\u0430 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u043e \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e. \u0417\u0430 \u0448\u0430\u0431\u043b\u043e\u043d\u043e\u043c \u0431\u0443\u043b\u043e \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u043d\u0430\u0441\u0442\u0443\u043f\u043d\u0438\u0439 \u0440\u044f\u0434\u043e\u043a\:{0}{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = URL-\u0430\u0434\u0440\u0435\u0441\u0430 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043d\u043e\u043c\u0435\u0440\u0438 \u0441\u043e\u0446\u0456\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0441\u0442\u0440\u0430\u0445\u0443\u0432\u0430\u043d\u043d\u044f \u0421\u0428\u0410\n +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). 
pscanrules.informationdisclosureinurl.soln = \u041d\u0435 \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0439\u0442\u0435 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u0447\u0435\u0440\u0435\u0437 URI. pscanrules.informationdisclosurereferrer.bin.field = \u0406\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0439\u043d\u0438\u0439 \u043d\u043e\u043c\u0435\u0440 \u0431\u0430\u043d\u043a\u0443\: 
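Review bot: the removed `-pscanrules.informationdisclosureinurl.otherinfo.ssn` value ended with a stray `\n`, which the replacement drops; that now matches the sibling `.otherinfo.cc` and `.otherinfo.email` entries in the same hunk, which have no trailing newline. Good cleanup, although the translation itself is lost in the process and should be restored without the trailing `\n`.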
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = \u0414\u043b\u044f \u0431\u0435\u0437\u043f\u pscanrules.insecureauthentication.desc = \u0427\u0435\u0440\u0435\u0437 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0435 \u0437\u2019\u0454\u0434\u043d\u0430\u043d\u043d\u044f \u0431\u0443\u043b\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043e \u0431\u0430\u0437\u043e\u0432\u0443 \u0430\u0431\u043e \u0434\u0430\u0439\u0434\u0436\u0435\u0441\u0442-\u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u044e HTTP. \u041e\u0431\u043b\u0456\u043a\u043e\u0432\u0456 \u0434\u0430\u043d\u0456 \u043c\u043e\u0436\u0443\u0442\u044c \u0431\u0443\u0442\u0438 \u043f\u0440\u043e\u0447\u0438\u0442\u0430\u043d\u0456 \u0442\u0430 \u0437\u043d\u043e\u0432\u0443 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u0456 \u043a\u0438\u043c\u043e\u0441\u044c \u0456\u0437 \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c \u0434\u043e \u043c\u0435\u0440\u0435\u0436\u0456. 
pscanrules.insecureauthentication.name = \u0421\u043b\u0430\u0431\u043a\u0438\u0439 \u043c\u0435\u0442\u043e\u0434 \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = \u0417\u0430\u0445\u0438\u0441\u0442\u0456\u0442\u044c \u0437\u2019\u0454\u0434\u043d\u0430\u043d\u043d\u044f \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e HTTPS \u0430\u0431\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u0431\u0456\u043b\u044c\u0448 \u043d\u0430\u0434\u0456\u0439\u043d\u0438\u0439 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u0430\u0432\u0442\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0457 +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = \u0426\u044f \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430 \u0448\u0443\u043a\u0430\u0454 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0456 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 HTTP, \u044f\u043a\u0456 \u043c\u0456\u0441\u0442\u044f\u0442\u044c \u0444\u043e\u0440\u043c\u0438 HTTPS. \u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u043f\u043e\u043b\u044f\u0433\u0430\u0454 \u0432 \u0442\u043e\u043c\u0443, \u0449\u043e \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0443 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443 HTTP \u043c\u043e\u0436\u043d\u0430 \u043b\u0435\u0433\u043a\u043e \u0437\u043b\u0430\u043c\u0430\u0442\u0438 \u0447\u0435\u0440\u0435\u0437 MITM, \u0430 \u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0443 \u0444\u043e\u0440\u043c\u0443 HTTPS \u043c\u043e\u0436\u043d\u0430 \u0437\u0430\u043c\u0456\u043d\u0438\u0442\u0438 \u0430\u0431\u043e \u043f\u0456\u0434\u0440\u043e\u0431\u0438\u0442\u0438. 
pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = \u041d\u0435\u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0438\u0439 \u043f\u0435\u0440\u0435\u0445\u0456\u0434 \u0437 HTTP \u043d\u0430 HTTPS \u0443 \u043f\u0443\u0431\u043b\u0456\u043a\u0430\u0446\u0456\u0457 \u0444\u043e\u0440\u043c\u0438 -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 HTTP-\u043f\u043e\u0432\u0456\u0434\u043e\u043c\u043b\u0435\u043d\u043d\u044f \u0434\u043b\u044f \u0446\u0456\u043b\u044c\u043e\u0432\u0438\u0445 \u0441\u0442\u043e\u0440\u0456\u043d\u043e\u043a, \u044f\u043a\u0456 \u043c\u0456\u0441\u0442\u044f\u0442\u044c \u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0456 \u0444\u043e\u0440\u043c\u0438. pscanrules.insecureformpost.desc = \u0426\u044f \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430 \u0432\u0438\u0437\u043d\u0430\u0447\u0430\u0454 \u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0456 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 HTTPS, \u044f\u043a\u0456 \u043c\u0456\u0441\u0442\u044f\u0442\u044c \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0456 \u0444\u043e\u0440\u043c\u0438 HTTP. \u041f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u043f\u043e\u043b\u044f\u0433\u0430\u0454 \u0432 \u0442\u043e\u043c\u0443, \u0449\u043e \u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0430 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0430 \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0438\u0442\u044c \u043d\u0430 \u043d\u0435\u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0443 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443, \u043a\u043e\u043b\u0438 \u0434\u0430\u043d\u0456 \u0437\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0443\u044e\u0442\u044c\u0441\u044f \u0447\u0435\u0440\u0435\u0437 \u0444\u043e\u0440\u043c\u0443. 
\u041a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447 \u043c\u043e\u0436\u0435 \u043f\u043e\u0434\u0443\u043c\u0430\u0442\u0438, \u0449\u043e \u043d\u0430\u0434\u0441\u0438\u043b\u0430\u0454 \u0434\u0430\u043d\u0456 \u043d\u0430 \u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0443 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443, \u0445\u043e\u0447\u0430 \u043d\u0430\u0441\u043f\u0440\u0430\u0432\u0434\u0456 \u0446\u0435 \u043d\u0435 \u0442\u0430\u043a. pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0456 \u0434\u0430\u043d\u0456 \u043d\u0430\u0434\u0441\u0438\u043b\u0430\u044e\u0442\u044c\u0441\u044f \u043b\u0438\u0448\u0435 \u0437\u0430\u0445\u0438\u0449\u0435\u043d\u0438\u043c\u0438 \u043a\u0430\u043d\u0430\u043b\u0430\u043c\u0438 HTTPS. pscanrules.insecurejsfviewstate.desc = \u0412\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u0437\u0430 \u043d\u0430\u0441\u0442\u0443\u043f\u043d\u043e\u044e URL-\u0430\u0434\u0440\u0435\u0441\u043e\u044e \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f ViewState, \u044f\u043a\u0435 \u043d\u0435 \u043c\u0430\u0454 \u043a\u0440\u0438\u043f\u0442\u043e\u0433\u0440\u0430\u0444\u0456\u0447\u043d\u043e\u0433\u043e \u0437\u0430\u0445\u0438\u0441\u0442\u0443. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. 
pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = \u041f\u0440\u0438\u043d\u0430\u0439\u043c\u043d\u0456 \u043e\u0434\u043d\u0435 \u043f\u043e\u0441\u0438\u043b\u0430\u043d\u043d\u044f \u043d\u0430 \u0446\u0456\u0439 \u0441\u0442\u043e\u0440\u0456\u043d\u0446\u0456 \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u0435 \u0434\u043e \u0437\u0432\u043e\u0440\u043e\u0442\u043d\u043e\u0433\u043e \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0443 \u0432\u043a\u043b\u0430\u0434\u043e\u043a, \u043e\u0441\u043a\u0456\u043b\u044c\u043a\u0438 \u0432\u043e\u043d\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454 \u0446\u0456\u043b\u044c\u043e\u0432\u0438\u0439 \u0430\u0442\u0440\u0438\u0431\u0443\u0442 \u0431\u0435\u0437 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u043a\u043b\u044e\u0447\u043e\u0432\u0438\u0445 \u0441\u043b\u0456\u0432 \u00abnoopener\u00bb \u0456 \u00abnoreferrer\u00bb \u0432 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0456 \u00abrel\u00bb, \u0449\u043e \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0454 \u0446\u0456\u043b\u044c\u043e\u0432\u0456\u0439 \u0441\u0442\u043e\u0440\u0456\u043d\u0446\u0456 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438 \u0446\u044e \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443. pscanrules.linktarget.name = Reverse Tabnabbing 
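Review bot: this hunk deletes the empty keys `-pscanrules.insecureformload.refs=` and `-pscanrules.insecureformpost.refs=`; confirm the rule's reference lookup treats a missing key the same as an empty value, otherwise the UI could render the raw key or fail the lookup for these two rules. The other changes here are consistent: `insecureauthentication.soln` and the two `insecurejsfviewstate` strings (which were already English in this bundle) gain a terminating period to match their neighbours.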
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = \u0421\u0442\u043e\u0440\u0456\u043d\u043a\u0430 pscanrules.mixedcontent.name = \u0417\u0430\u0445\u0438\u0449\u0435\u043d\u0456 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u0432\u043a\u043b\u044e\u0447\u0430\u044e\u0442\u044c \u0437\u043c\u0456\u0448\u0430\u043d\u0438\u0439 \u0432\u043c\u0456\u0441\u0442 pscanrules.mixedcontent.name.inclscripts = \u0417\u0430\u0445\u0438\u0449\u0435\u043d\u0456 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0438 \u0432\u043a\u043b\u044e\u0447\u0430\u044e\u0442\u044c \u0437\u043c\u0456\u0448\u0430\u043d\u0438\u0439 \u0432\u043c\u0456\u0441\u0442 (\u0432\u043a\u043b\u044e\u0447\u043d\u043e \u0437\u0456 \u0441\u043a\u0440\u0438\u043f\u0442\u0430\u043c\u0438) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = \u0421\u0442\u043e\u0440\u0456\u043d\u043a\u0430, \u044f\u043a\u0430 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u0430 \u0447\u0435\u0440\u0435\u0437 SSL/TLS, \u043c\u0430\u0454 \u043f\u043e\u0432\u043d\u0456\u0441\u0442\u044e \u0441\u043a\u043b\u0430\u0434\u0430\u0442\u0438\u0441\u044f \u0437 \u0432\u043c\u0456\u0441\u0442\u0443, \u044f\u043a\u0438\u0439 \u043f\u0435\u0440\u0435\u0434\u0430\u0454\u0442\u044c\u0441\u044f \u0447\u0435\u0440\u0435\u0437 SSL/TLS.\n\u0421\u0442\u043e\u0440\u0456\u043d\u043a\u0430 \u043d\u0435 \u043c\u0430\u0454 \u043c\u0456\u0441\u0442\u0438\u0442\u0438 \u0432\u043c\u0456\u0441\u0442, \u044f\u043a\u0438\u0439 \u043f\u0435\u0440\u0435\u0434\u0430\u0454\u0442\u044c\u0441\u044f \u0447\u0435\u0440\u0435\u0437 \u043d\u0435\u0437\u0430\u0448\u0438\u0444\u0440\u043e\u0432\u0430\u043d\u0438\u0439 HTTP.\n \u0426\u0435 \u0432\u043a\u043b\u044e\u0447\u0430\u0454 \u0432\u043c\u0456\u0441\u0442 \u0441\u0442\u043e\u0440\u043e\u043d\u043d\u0456\u0445 \u0441\u0430\u0439\u0442\u0456\u0432. 
+pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = \u041f\u0440\u043e\u0433\u0440\u0430\u043c\u0430 \u0432\u0438\u0433\u043b\u044f\u0434\u0430\u0454 \u044f\u043a \u0441\u0443\u0447\u0430\u0441\u043d\u0430 \u0432\u0435\u0431\u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0430. \u042f\u043a\u0449\u043e \u0432\u0430\u043c \u043f\u043e\u0442\u0440\u0456\u0431\u043d\u043e \u0434\u043e\u0441\u043b\u0456\u0434\u0436\u0443\u0432\u0430\u0442\u0438 \u0439\u043e\u0433\u043e \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0447\u043d\u043e, \u0442\u043e Ajax Spider \u0446\u0456\u043b\u043a\u043e\u043c \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0435\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u0456\u0448\u0438\u043c, \u043d\u0456\u0436 \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u0438\u0439. pscanrules.modernapp.name = Modern Web Application 
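Review bot: the removed `-pscanrules.mixedcontent.soln` value had a stray space after the second `\n` (`HTTP.\n \u0426\u0435...`) that the English replacement removes, which is the right fix, but the Ukrainian sentences themselves were complete and only that whitespace differed. When this key is retranslated, keep the three-sentence `\n`-separated structure and drop the leading space so the formatting fix is not lost again.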
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = \u041f\u043e\u0441\u0442\u0430\u0447\u0430\u043b\u pscanrules.pii.name = \u0420\u043e\u0437\u0433\u043e\u043b\u043e\u0448\u0435\u043d\u043d\u044f \u043f\u0435\u0440\u0441\u043e\u043d\u0430\u043b\u044c\u043d\u043e\u0457 \u0456\u0434\u0435\u043d\u0442\u0438\u0444\u0456\u043a\u0430\u0446\u0456\u0439\u043d\u043e\u0457 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 pscanrules.pii.soln = \u041f\u0435\u0440\u0435\u0432\u0456\u0440\u0442\u0435 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u043d\u0430 \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0443 \u043d\u0430\u044f\u0432\u043d\u0456\u0441\u0442\u044c \u043e\u0441\u043e\u0431\u0438\u0441\u0442\u043e\u0457 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 (PII), \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u0430 \u043d\u0435 \u0440\u043e\u0437\u043f\u043e\u0432\u0441\u044e\u0434\u0436\u0443\u0454 \u043d\u0456\u0447\u043e\u0433\u043e \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u043e\u0433\u043e.\n -pscanrules.retrievedfromcache.desc = \u0412\u043c\u0456\u0441\u0442 \u0431\u0443\u043b\u043e \u043e\u0442\u0440\u0438\u043c\u0430\u043d\u043e \u0437\u0456 \u0441\u043f\u0456\u043b\u044c\u043d\u043e\u0433\u043e \u043a\u0435\u0448\u0443. 
\u042f\u043a\u0449\u043e \u0434\u0430\u043d\u0456 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0456, \u043e\u0441\u043e\u0431\u0438\u0441\u0442\u0456 \u0430\u0431\u043e \u0441\u043f\u0435\u0446\u0438\u0444\u0456\u0447\u043d\u0456 \u0434\u043b\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430, \u0446\u0435 \u043c\u043e\u0436\u0435 \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u0432\u0438\u0442\u043e\u043a\u0443 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u043e\u0457 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457. \u0423 \u0434\u0435\u044f\u043a\u0438\u0445 \u0432\u0438\u043f\u0430\u0434\u043a\u0430\u0445 \u0446\u0435 \u043c\u043e\u0436\u0435 \u043d\u0430\u0432\u0456\u0442\u044c \u043f\u0440\u0438\u0437\u0432\u0435\u0441\u0442\u0438 \u0434\u043e \u0442\u043e\u0433\u043e, \u0449\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447 \u043e\u0442\u0440\u0438\u043c\u0430\u0454 \u043f\u043e\u0432\u043d\u0438\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c \u043d\u0430\u0434 \u0441\u0435\u0430\u043d\u0441\u043e\u043c \u0456\u043d\u0448\u043e\u0433\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430, \u0437\u0430\u043b\u0435\u0436\u043d\u043e \u0432\u0456\u0434 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u0457 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0456\u0432 \u043a\u0435\u0448\u0443\u0432\u0430\u043d\u043d\u044f, \u044f\u043a\u0456 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0442\u044c\u0441\u044f \u0432 \u0439\u043e\u0433\u043e \u0441\u0435\u0440\u0435\u0434\u043e\u0432\u0438\u0449\u0456. 
\u0426\u0435 \u043d\u0430\u0441\u0430\u043c\u043f\u0435\u0440\u0435\u0434 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430, \u043a\u043e\u043b\u0438 \u043a\u0435\u0448-\u0441\u0435\u0440\u0432\u0435\u0440\u0438, \u0442\u0430\u043a\u0456 \u044f\u043a "\u043f\u0440\u043e\u043a\u0441\u0456-\u043a\u0435\u0448\u0456", \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0456 \u0432 \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u0456\u0439 \u043c\u0435\u0440\u0435\u0436\u0456. \u0422\u0430\u043a\u0430 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f \u0437\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u0437\u0443\u0441\u0442\u0440\u0456\u0447\u0430\u0454\u0442\u044c\u0441\u044f, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u0443 \u043a\u043e\u0440\u043f\u043e\u0440\u0430\u0442\u0438\u0432\u043d\u0438\u0445 \u0430\u0431\u043e \u043e\u0441\u0432\u0456\u0442\u043d\u0456\u0445 \u0441\u0435\u0440\u0435\u0434\u043e\u0432\u0438\u0449\u0430\u0445. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. 
+ +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = \u041e\u0442\u0440\u0438\u043c\u0430\u043d\u043e \u0437 \u043a\u0435\u0448\u0443 pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u043d\u0435 \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u043e\u0457, \u043e\u0441\u043e\u0431\u0438\u0441\u0442\u043e\u0457 \u0430\u0431\u043e \u0441\u043f\u0435\u0446\u0438\u0444\u0456\u0447\u043d\u043e\u0457 \u0434\u043b\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457. 
\u042f\u043a\u0449\u043e \u043c\u0456\u0441\u0442\u0438\u0442\u044c, \u0440\u043e\u0437\u0433\u043b\u044f\u043d\u044c\u0442\u0435 \u043c\u043e\u0436\u043b\u0438\u0432\u0456\u0441\u0442\u044c \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u043d\u0430\u0432\u0435\u0434\u0435\u043d\u0438\u0445 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0456\u0432 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 HTTP, \u0449\u043e\u0431 \u043e\u0431\u043c\u0435\u0436\u0438\u0442\u0438 \u0430\u0431\u043e \u0437\u0430\u043f\u043e\u0431\u0456\u0433\u0442\u0438 \u0437\u0431\u0435\u0440\u0456\u0433\u0430\u043d\u043d\u044e \u0442\u0430 \u043e\u0442\u0440\u0438\u043c\u0430\u043d\u043d\u044e \u0432\u043c\u0456\u0441\u0442\u0443 \u0437 \u043a\u0435\u0448\u0443 \u0456\u043d\u0448\u0438\u043c \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c\:\n\u041a\u0435\u0448-\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044c\: \u0431\u0435\u0437 \u043a\u0435\u0448\u0443, \u0431\u0435\u0437 \u0437\u0431\u0435\u0440\u0435\u0436\u0435\u043d\u043d\u044f, \u043e\u0431\u043e\u0432\u2019\u044f\u0437\u043a\u043e\u0432\u0430 \u043f\u043e\u0432\u0442\u043e\u0440\u043d\u0430 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430, \u043f\u0440\u0438\u0432\u0430\u0442\u043d\u0438\u0439\n\u041f\u0440\u0430\u0433\u043c\u0430\: \u0431\u0435\u0437 \u043a\u0435\u0448\u0443\n\u0422\u0435\u0440\u043c\u0456\u043d \u0434\u0456\u0457\: 0\n\u0426\u044f \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044f \u0432\u043a\u0430\u0437\u0443\u0454 \u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c \u043a\u0435\u0448\u0443\u0432\u0430\u043d\u043d\u044f, \u0441\u0443\u043c\u0456\u0441\u043d\u0438\u043c \u0456\u0437 HTTP 1.0 \u0456 HTTP 1.1, \u043d\u0435 \u0437\u0431\u0435\u0440\u0456\u0433\u0430\u0442\u0438 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u0456 \u043d\u0435 \u043e\u0442\u0440\u0438\u043c\u0443\u0432\u0430\u0442\u0438 
\u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c (\u0431\u0435\u0437 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0438) \u0437 \u043a\u0435\u0448\u0443 \u0443 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u044c \u043d\u0430 \u043f\u043e\u0434\u0456\u0431\u043d\u0438\u0439 \u0437\u0430\u043f\u0438\u0442. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 HTTP\n 
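Review bot: the removed Ukrainian `pscanrules.retrievedfromcache.soln` had translated the literal header names and directive values (it reads, decoded, "Кеш-контроль: без кешу, без збереження, обов’язкова повторна перевірка, приватний", "Прагма: без кешу", "Термін дії: 0"), so a Ukrainian user following it would have set headers that do not exist; the `+` line restores the exact `Cache-Control\: no-cache, no-store, must-revalidate, private`, `Pragma\: no-cache` and `Expires\: 0`. If this is a translation-sync reset rather than a deliberate fallback to English, re-supply the Ukrainian prose with the header names and values kept verbatim, since `retrievedfromcache.name` and `serverheader.rule.name` in the same hunk stay Ukrainian and the rule is now half-translated. Separately, the context line `pscanrules.serverheader.rule.name = ...HTTP\n` ends with an escaped newline inside a rule name, which will show up as a trailing line break in the UI; drop the `\n`.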
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = \u0421\u0435\u0440\u0432\u0435\u04 pscanrules.stricttransportsecurity.compliance.malformed.content.desc = \u0411\u0443\u043b\u043e \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP Strict Transport Security (HSTS), \u0430\u043b\u0435 \u0432\u0456\u043d \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u0434\u0435\u044f\u043a\u0438\u0439 \u043d\u0435\u043e\u0447\u0456\u043a\u0443\u0432\u0430\u043d\u0438\u0439 \u0432\u043c\u0456\u0441\u0442 (\u043c\u043e\u0436\u043b\u0438\u0432\u043e, \u0444\u0456\u0433\u0443\u0440\u043d\u0456 \u043b\u0430\u043f\u043a\u0438), \u043e\u0447\u0456\u043a\u0443\u0454\u0442\u044c\u0441\u044f, \u0449\u043e \u0432\u043c\u0456\u0441\u0442 \u0431\u0443\u0434\u0435 \u0434\u0440\u0443\u043a\u043e\u0432\u0430\u043d\u0438\u043c\u0438 \u0441\u0438\u043c\u0432\u043e\u043b\u0430\u043c\u0438 ASCII. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = \u041f\u0435\u0440\u0435\u0433\u043b\u044f\u043d\u044c\u0442\u0435 \u043a\u043e\u043d\u0444\u0456\u0433\u0443\u0440\u0430\u0446\u0456\u044e \u0446\u044c\u043e\u0433\u043e \u0435\u043b\u0435\u043c\u0435\u043d\u0442\u0430 \u043a\u0435\u0440\u0443\u0432\u0430\u043d\u043d\u044f. 
\u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0432\u0430\u0448 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u0434\u0430\u0442\u043a\u0456\u0432, \u0431\u0430\u043b\u0430\u043d\u0441\u0443\u0432\u0430\u043b\u044c\u043d\u0438\u043a \u043d\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0442\u043e\u0449\u043e \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u043e \u043d\u0430 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f Strict-Transport-Security \u0437 \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u043d\u0438\u043c \u0432\u043c\u0456\u0441\u0442\u043e\u043c. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = \u0411\u0443\u043b\u043e \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a HTTP Strict Transport Security (HSTS), \u0430\u043b\u0435 \u0432\u0456\u043d \u043c\u0456\u0441\u0442\u0438\u0442\u044c \u043b\u0430\u043f\u043a\u0438 \u043f\u0435\u0440\u0435\u0434 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u043e\u044e max-age (\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f max-age \u043c\u043e\u0436\u043d\u0430 \u0432\u0437\u044f\u0442\u0438 \u0432 \u043b\u0430\u043f\u043a\u0438, \u0430\u043b\u0435 \u0441\u0430\u043c\u0443 \u0434\u0438\u0440\u0435\u043a\u0442\u0438\u0432\u0443 - \u043d\u0456). 
\u0414\u043b\u044f \u043e\u0442\u0440\u0438\u043c\u0430\u043d\u043d\u044f \u0434\u043e\u0434\u0430\u0442\u043a\u043e\u0432\u0438\u0445 \u0432\u0456\u0434\u043e\u043c\u043e\u0441\u0442\u0435\u0439 \u043f\u0435\u0440\u0435\u0433\u043b\u044f\u043d\u044c\u0442\u0435 RFC 6797.\nHTTP Strict Transport Security (HSTS) \u2014 \u0446\u0435 \u043c\u0435\u0445\u0430\u043d\u0456\u0437\u043c \u043f\u043e\u043b\u0456\u0442\u0438\u043a\u0438 \u0432\u0435\u0431\u0431\u0435\u0437\u043f\u0435\u043a\u0438, \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e \u044f\u043a\u043e\u0433\u043e \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440 \u043e\u0433\u043e\u043b\u043e\u0448\u0443\u0454, \u0449\u043e \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u043d\u0456 \u0430\u0433\u0435\u043d\u0442\u0438 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 (\u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u0432\u0435\u0431\u0431\u0440\u0430\u0443\u0437\u0435\u0440) \u043f\u043e\u0432\u0438\u043d\u043d\u0456 \u0432\u0437\u0430\u0454\u043c\u043e\u0434\u0456\u044f\u0442\u0438 \u0437 \u043d\u0438\u043c, \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u044e\u0447\u0438 \u043b\u0438\u0448\u0435 \u0431\u0435\u0437\u043f\u0435\u0447\u043d\u0456 \u0437\u2019\u0454\u0434\u043d\u0430\u043d\u043d\u044f HTTPS (\u0442\u043e\u0431\u0442\u043e HTTP \u043d\u0430 \u0440\u0456\u0432\u043d\u0456 TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
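Review bot: the `-` line for `pscanrules.stricttransportsecurity.compliance.malformed.content.soln` was a complete and accurate Ukrainian rendering of the English `+` line that replaces it ("Перегляньте конфігурацію цього елемента керування. Переконайтеся, що ваш вебсервер, сервер додатків, балансувальник навантаження тощо налаштовано на встановлення Strict-Transport-Security з відповідним вмістом."), so this hunk loses a translation without changing meaning; the neighbouring `...malformed.content.desc` and `...max.age.malformed.desc` remain Ukrainian. Unless the source string was reset upstream, keep the `-` line rather than reverting to English.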
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = \u0417\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a Strict-Transport-Security pscanrules.stricttransportsecurity.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0432\u0430\u0448 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u0434\u0430\u0442\u043a\u0456\u0432, \u0431\u0430\u043b\u0430\u043d\u0441\u0443\u0432\u0430\u043b\u044c\u043d\u0438\u043a \u043d\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0442\u043e\u0449\u043e \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u043e \u043d\u0430 \u0437\u0430\u0441\u0442\u043e\u0441\u0443\u0432\u0430\u043d\u043d\u044f Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = \u041f\u043e\u0437\u043d\u0430\u0447\u043a\u0443 \u0447\u0430\u0441\u0443 \u0431\u0443\u043b\u043e \u0432\u0456\u0434\u043a\u0440\u0438\u0442\u043e \u0434\u043e\u0434\u0430\u0442\u043a\u043e\u043c/\u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440\u043e\u043c -pscanrules.timestampdisclosure.extrainfo = {0}, \u0449\u043e \u043c\u0430\u0454 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. 
pscanrules.timestampdisclosure.name = \u0420\u043e\u0437\u043a\u0440\u0438\u0442\u0442\u044f \u043f\u043e\u0437\u043d\u0430\u0447\u043a\u0438 \u0447\u0430\u0441\u0443 pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = \u041f\u0456\u0434\u0442\u0432\u0435\u0440\u0434\u044c\u0442\u0435 \u0432\u0440\u0443\u0447\u043d\u0443, \u0449\u043e \u0434\u0430\u043d\u0456 \u043f\u0440\u043e \u043f\u043e\u0437\u043d\u0430\u0447\u043a\u0443 \u0447\u0430\u0441\u0443 \u043d\u0435 \u0454 \u043a\u043e\u043d\u0444\u0456\u0434\u0435\u043d\u0446\u0456\u0439\u043d\u0438\u043c\u0438 \u0442\u0430 \u0449\u043e \u0434\u0430\u043d\u0456 \u043d\u0435 \u043c\u043e\u0436\u043d\u0430 \u043e\u0431'\u0454\u0434\u043d\u0443\u0432\u0430\u0442\u0438 \u0434\u043b\u044f \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043d\u044f \u0448\u0430\u0431\u043b\u043e\u043d\u0456\u0432, \u044f\u043a\u0456 \u043c\u043e\u0436\u043d\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438. 
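Review bot: the only substantive difference between the removed Ukrainian `timestampdisclosure.desc` / `timestampdisclosure.extrainfo` and the English `+` lines is the trailing full stop added to each sentence (`...web server.` and `{1}.`); if the sync was triggered by that punctuation change, the Ukrainian strings could simply gain the same period instead of being reverted, since `timestampdisclosure.name` and `timestampdisclosure.soln` in this hunk stay translated.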
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = \u041f\u0456\u0434\u0442\u0432\u0435\u0440 pscanrules.usercontrolledcharset.desc = \u0426\u044f \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430 \u0440\u043e\u0437\u0433\u043b\u044f\u0434\u0430\u0454 \u0432\u0432\u0435\u0434\u0435\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 \u0440\u044f\u0434\u043a\u0430 \u0437\u0430\u043f\u0438\u0442\u0443 \u0442\u0430 \u0434\u0430\u043d\u0456 POST, \u0449\u043e\u0431 \u0432\u0438\u0437\u043d\u0430\u0447\u0438\u0442\u0438, \u0434\u0435 \u043e\u0433\u043e\u043b\u043e\u0448\u0435\u043d\u043d\u044f \u043d\u0430\u0431\u043e\u0440\u0443 \u0441\u0438\u043c\u0432\u043e\u043b\u0456\u0432 Content-Type \u0430\u0431\u043e \u043c\u0435\u0442\u0430\u0442\u0435\u0433\u0456\u0432 \u043c\u043e\u0436\u0443\u0442\u044c \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438\u0441\u044c \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c. \u0422\u0430\u043a\u0456 \u043e\u0433\u043e\u043b\u043e\u0448\u0435\u043d\u043d\u044f \u043d\u0430\u0431\u043e\u0440\u0443 \u0441\u0438\u043c\u0432\u043e\u043b\u0456\u0432 \u0437\u0430\u0432\u0436\u0434\u0438 \u043f\u043e\u0432\u0438\u043d\u043d\u0456 \u043e\u0433\u043e\u043b\u043e\u0448\u0443\u0432\u0430\u0442\u0438\u0441\u044f \u0434\u043e\u0434\u0430\u0442\u043a\u043e\u043c. \u042f\u043a\u0449\u043e \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043c\u043e\u0436\u0435 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438 \u043a\u043e\u0434\u0443\u0432\u0430\u043d\u043d\u044f \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456, \u0432\u0456\u043d \u043c\u043e\u0436\u0435 \u043a\u0435\u0440\u0443\u0432\u0430\u0442\u0438 HTML \u0434\u043b\u044f \u0432\u0438\u043a\u043e\u043d\u0430\u043d\u043d\u044f XSS \u0430\u0431\u043e \u0456\u043d\u0448\u0438\u0445 \u0430\u0442\u0430\u043a. 
\u041d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a, \u044f\u043a\u0438\u0439 \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0454 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443\u0432\u0430\u043d\u043d\u044f \u0435\u043b\u0435\u043c\u0435\u043d\u0442\u0430 , \u043c\u043e\u0436\u0435 \u043e\u0433\u043e\u043b\u043e\u0441\u0438\u0442\u0438 UTF-7, \u0430 \u0442\u0430\u043a\u043e\u0436 \u043c\u043e\u0436\u0435 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0438 \u0434\u043e\u0441\u0442\u0430\u0442\u043d\u044c\u043e \u043a\u043e\u0440\u0438\u0441\u043d\u043e\u0433\u043e \u043d\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f, \u043a\u0435\u0440\u043e\u0432\u0430\u043d\u043e\u0433\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c, \u043d\u0430 \u043f\u043e\u0447\u0430\u0442\u043a\u0443 HTML-\u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0430, \u0449\u043e\u0431 \u0432\u0456\u043d \u0456\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0443\u0432\u0430\u0432\u0441\u044f \u044f\u043a UTF-7. \u041a\u043e\u0434\u0443\u044e\u0447\u0438 \u0441\u0432\u043e\u0454 \u043a\u043e\u0440\u0438\u0441\u043d\u0435 \u043d\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0437\u0430 \u0434\u043e\u043f\u043e\u043c\u043e\u0433\u043e\u044e UTF-7, \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043c\u043e\u0436\u0435 \u043e\u0431\u0456\u0439\u0442\u0438 \u0431\u0443\u0434\u044c-\u044f\u043a\u0438\u0439 \u0437\u0430\u0445\u0438\u0441\u0442 XSS \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0456 \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u0442\u0430 \u0432\u0431\u0443\u0434\u0443\u0432\u0430\u0442\u0438 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0439 \u043d\u0430 \u0441\u0442\u043e\u0440\u0456\u043d\u043a\u0443. 
pscanrules.usercontrolledcharset.extrainfo = \u0410\u0442\u0440\u0438\u0431\u0443\u0442 [{0}] \u0442\u0435\u0433\u0443 [{1}]\n\n\u0417\u043d\u0430\u0439\u0434\u0435\u043d\u0438\u0439 \u0432\u0445\u0456\u0434 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430\:\n{2}\={3}\n\n\u0417\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443\u0432\u0430\u043d\u043d\u044f, \u044f\u043a\u0438\u043c \u0432\u0456\u043d \u043a\u0435\u0440\u0443\u0432\u0430\u0432, \u0431\u0443\u043b\u043e\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = \u041f\u0440\u0438\u043c\u0443\u0441\u043e\u0432\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438 UTF-8 \u0443 \u0432\u0441\u0456\u0445 \u043e\u0433\u043e\u043b\u043e\u0448\u0435\u043d\u043d\u044f\u0445 \u043a\u043e\u0434\u0443\u0432\u0430\u043d\u043d\u044f. \u042f\u043a\u0449\u043e \u0434\u043b\u044f \u0432\u0438\u0440\u0456\u0448\u0435\u043d\u043d\u044f \u043e\u0433\u043e\u043b\u043e\u0448\u0435\u043d\u043d\u044f \u043a\u043e\u0434\u0443\u0432\u0430\u043d\u043d\u044f \u043f\u043e\u0442\u0440\u0456\u0431\u0435\u043d \u0432\u0445\u0456\u0434 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430, \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0454\u0442\u044c\u0441\u044f \u043b\u0438\u0448\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u0435\u043d\u0438\u0439 \u0441\u043f\u0438\u0441\u043e\u043a.\n pscanrules.usercontrolledcookie.desc = \u0426\u044f \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430 \u0440\u043e\u0437\u0433\u043b\u044f\u0434\u0430\u0454 \u0432\u0432\u0435\u0434\u0435\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 
\u0440\u044f\u0434\u043a\u0430 \u0437\u0430\u043f\u0438\u0442\u0443 \u0442\u0430 \u0434\u0430\u043d\u0456 POST, \u0449\u043e\u0431 \u0432\u0438\u0437\u043d\u0430\u0447\u0438\u0442\u0438, \u0434\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 \u0444\u0430\u0439\u043b\u0456\u0432 cookie \u043c\u043e\u0436\u0443\u0442\u044c \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438\u0441\u044f. \u0426\u0435 \u043d\u0430\u0437\u0438\u0432\u0430\u0454\u0442\u044c\u0441\u044f cookie poisoning attack, \u0456 \u0457\u0457 \u043c\u043e\u0436\u043d\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438, \u043a\u043e\u043b\u0438 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043c\u043e\u0436\u0435 \u043a\u0435\u0440\u0443\u0432\u0430\u0442\u0438 \u0444\u0430\u0439\u043b\u0430\u043c\u0438 cookie \u0440\u0456\u0437\u043d\u0438\u043c\u0438 \u0441\u043f\u043e\u0441\u043e\u0431\u0430\u043c\u0438. \u0423 \u0434\u0435\u044f\u043a\u0438\u0445 \u0432\u0438\u043f\u0430\u0434\u043a\u0430\u0445 \u0446\u0435 \u043d\u0435 \u043c\u043e\u0436\u043d\u0430 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0432\u0430\u0442\u0438, \u043e\u0434\u043d\u0430\u043a \u0434\u043e\u0437\u0432\u0456\u043b \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430\u043c URL-\u0430\u0434\u0440\u0435\u0441\u0438 \u0434\u043b\u044f \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f \u0437\u043d\u0430\u0447\u0435\u043d\u044c \u0444\u0430\u0439\u043b\u0456\u0432 cookie \u0437\u0430\u0437\u0432\u0438\u0447\u0430\u0439 \u0432\u0432\u0430\u0436\u0430\u0454\u0442\u044c\u0441\u044f \u043f\u043e\u043c\u0438\u043b\u043a\u043e\u044e. 
pscanrules.usercontrolledcookie.extrainfo = {\u0426\u0435 \u0431\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e \u0432..\:\n\n{1}\n\n\u0412\u0445\u0456\u0434\u043d\u0456 \u0434\u0430\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0431\u0443\u043b\u043e \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u0432 \u043d\u0430\u0441\u0442\u0443\u043f\u043d\u043e\u043c\u0443 \u0444\u0430\u0439\u043b\u0456 cookie\:\n{2}\n\n\u0412\u0445\u0456\u0434\u043d\u0456 \u0434\u0430\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0431\u0443\u043b\u0438\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = \u0417\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043c\u043e\u0436\u0435 \u0431\u0443\u0442\u0438 \u0432 \u0437\u043c\u043e\u0437\u0456 \u0437\u043c\u0456\u043d\u0438\u0442\u0438 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0444\u0430\u0439\u043b\u0456\u0432 cookie \u0447\u0435\u0440\u0435\u0437 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 URL-\u0430\u0434\u0440\u0435\u0441\u0438. \u0412\u0432\u0435\u0434\u0456\u0442\u044c \u043a\u0440\u0430\u043f\u043a\u0443 \u0437 \u043a\u043e\u043c\u043e\u044e, \u0449\u043e\u0431 \u043f\u043e\u0431\u0430\u0447\u0438\u0442\u0438, \u0447\u0438 \u043c\u043e\u0436\u043d\u0430 \u0434\u043e\u0434\u0430\u0442\u0438 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f cookie (\u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, name\=controlledValue;name\=anotherValue;). -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. 
Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = \u041d\u0435 \u0434\u043e\u0437\u0432\u043e\u043b\u044f\u0439\u0442\u0435 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430\u043c \u043a\u0435\u0440\u0443\u0432\u0430\u0442\u0438 \u0456\u043c\u0435\u043d\u0430\u043c\u0438 \u0442\u0430 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u043c\u0438 \u0444\u0430\u0439\u043b\u0456\u0432 cookie. \u042f\u043a\u0449\u043e \u0434\u0435\u044f\u043a\u0456 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 \u0440\u044f\u0434\u043a\u0430 \u0437\u0430\u043f\u0438\u0442\u0443 \u043f\u043e\u0442\u0440\u0456\u0431\u043d\u043e \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u0438 \u0432 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u0445 \u0444\u0430\u0439\u043b\u0456\u0432 cookie, \u0432\u0456\u0434\u0444\u0456\u043b\u044c\u0442\u0440\u0443\u0439\u0442\u0435 \u043a\u0440\u0430\u043f\u043a\u0438 \u0437 \u043a\u043e\u043c\u043e\u044e, \u044f\u043a\u0456 \u043c\u043e\u0436\u0443\u0442\u044c \u0441\u043b\u0443\u0436\u0438\u0442\u0438 \u0440\u043e\u0437\u0434\u0456\u043b\u044c\u043d\u0438\u043a\u0430\u043c\u0438 \u043f\u0430\u0440 \u0456\u043c\u2019\u044f/\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f. 
pscanrules.usercontrolledhtmlattributes.desc = \u0426\u044f \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430 \u0440\u043e\u0437\u0433\u043b\u044f\u0434\u0430\u0454 \u0432\u0432\u0435\u0434\u0435\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 \u0440\u044f\u0434\u043a\u0430 \u0437\u0430\u043f\u0438\u0442\u0443 \u0442\u0430 \u0434\u0430\u043d\u0456 POST, \u0449\u043e\u0431 \u0432\u0438\u0437\u043d\u0430\u0447\u0438\u0442\u0438, \u0434\u0435 \u043f\u0435\u0432\u043d\u0456 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0456\u0432 HTML \u043c\u043e\u0436\u0443\u0442\u044c \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438\u0441\u044f. \u0426\u0435 \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0443\u0454 \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043d\u044f \u0431\u0435\u0437\u043f\u0440\u043e\u0432\u0456\u0434\u043d\u0438\u0445 \u0442\u043e\u0447\u043e\u043a \u0434\u043e\u0441\u0442\u0443\u043f\u0443 \u0434\u043b\u044f XSS (\u043c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0438\u0445 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0457\u0432), \u044f\u043a\u0456 \u0432\u0438\u043c\u0430\u0433\u0430\u044e\u0442\u044c \u043f\u043e\u0434\u0430\u043b\u044c\u0448\u043e\u0457 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0438 \u0430\u043d\u0430\u043b\u0456\u0442\u0438\u043a\u043e\u043c \u0431\u0435\u0437\u043f\u0435\u043a\u0438 \u0434\u043b\u044f \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043c\u043e\u0436\u043b\u0438\u0432\u043e\u0441\u0442\u0456 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f. 
-pscanrules.usercontrolledhtmlattributes.extrainfo = \u0417\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0456\u0432 HTML, \u043a\u0435\u0440\u043e\u0432\u0430\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c. \u0421\u043f\u0440\u043e\u0431\u0443\u0439\u0442\u0435 \u0432\u0441\u0442\u0430\u0432\u0438\u0442\u0438 \u0441\u043f\u0435\u0446\u0456\u0430\u043b\u044c\u043d\u0456 \u0441\u0438\u043c\u0432\u043e\u043b\u0438, \u0449\u043e\u0431 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u0438\u0442\u0438, \u0447\u0438 \u043c\u043e\u0436\u043b\u0438\u0432\u0438\u0439 XSS. \u0421\u0442\u043e\u0440\u0456\u043d\u043a\u0430 \u0437\u0430 \u0442\u0430\u043a\u043e\u044e URL-\u0430\u0434\u0440\u0435\u0441\u043e\u044e\:\n\n{0}\n\n\u0437\u0434\u0430\u0454\u0442\u044c\u0441\u044f, \u0432\u043a\u043b\u044e\u0447\u0430\u0454 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044f \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0432\:\n\na(n) \u0430\u0442\u0440\u0438\u0431\u0443\u0442 \u0442\u0435\u0433\u0443 [{1}] [{2}].\n\n\u0417\u043d\u0430\u0439\u0434\u0435\u043d\u0438\u0439 \u0432\u0445\u0456\u0434 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430\:\n{3}\={4}\n\n\u041a\u043e\u043d\u0442\u0440\u043e\u043b\u044c\u043e\u0432\u0430\u043d\u0435 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0431\u0443\u043b\u043e\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. 
The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = \u041a\u0435\u0440\u043e\u0432\u0430\u043d\u0438\u0439 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c \u0430\u0442\u0440\u0438\u0431\u0443\u0442 HTML-\u0435\u043b\u0435\u043c\u0435\u043d\u0442\u0430 (\u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u0438\u0439 XSS)\n pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = \u041f\u0435\u0440\u0435\u0432\u0456\u0440\u0442\u0435 \u0432\u0441\u0456 \u0432\u0432\u0435\u0434\u0435\u043d\u0456 \u0434\u0430\u043d\u0456 \u0442\u0430 \u043e\u0447\u0438\u0441\u0442\u044c\u0442\u0435 \u0432\u0438\u0445\u0456\u0434\u043d\u0456 \u0434\u0430\u043d\u0456 \u043f\u0435\u0440\u0435\u0434 \u0437\u0430\u043f\u0438\u0441\u043e\u043c \u0434\u043e \u0431\u0443\u0434\u044c-\u044f\u043a\u0438\u0445 \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0456\u0432 HTML. pscanrules.usercontrolledjavascriptevent.desc = \u0426\u044f \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0430 \u0440\u043e\u0437\u0433\u043b\u044f\u0434\u0430\u0454 \u0432\u0432\u0435\u0434\u0435\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0438 \u0440\u044f\u0434\u043a\u0430 \u0437\u0430\u043f\u0438\u0442\u0443 \u0442\u0430 \u0434\u0430\u043d\u0456 POST, \u0449\u043e\u0431 \u0432\u0438\u0437\u043d\u0430\u0447\u0438\u0442\u0438, \u0434\u0435 \u043f\u0435\u0432\u043d\u0456 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0430\u0442\u0440\u0438\u0431\u0443\u0442\u0456\u0432 HTML \u043c\u043e\u0436\u0443\u0442\u044c \u043a\u043e\u043d\u0442\u0440\u043e\u043b\u044e\u0432\u0430\u0442\u0438\u0441\u044f. 
\u0426\u0435 \u0437\u0430\u0431\u0435\u0437\u043f\u0435\u0447\u0443\u0454 \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043d\u044f \u0431\u0435\u0437\u043f\u0440\u043e\u0432\u0456\u0434\u043d\u0438\u0445 \u0442\u043e\u0447\u043e\u043a \u0434\u043e\u0441\u0442\u0443\u043f\u0443 \u0434\u043b\u044f XSS (\u043c\u0456\u0436\u0441\u0430\u0439\u0442\u043e\u0432\u0438\u0445 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0457\u0432), \u044f\u043a\u0456 \u0432\u0438\u043c\u0430\u0433\u0430\u044e\u0442\u044c \u043f\u043e\u0434\u0430\u043b\u044c\u0448\u043e\u0457 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u0438 \u0430\u043d\u0430\u043b\u0456\u0442\u0438\u043a\u043e\u043c \u0431\u0435\u0437\u043f\u0435\u043a\u0438 \u0434\u043b\u044f \u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043c\u043e\u0436\u043b\u0438\u0432\u043e\u0441\u0442\u0456 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = \u041a\u0435\u0440\u043e\u0432\u0430\u043d\u0430 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0435\u043c \u043f\u043e\u0434\u0456\u044f JavaScript (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = \u041f\u0435\u0440\u0435\u0432\u0456\u0440\u0442\u0435 \u0432\u0441\u0456 \u0432\u0432\u0435\u0434\u0435\u043d\u0456 \u0434\u0430\u043d\u0456 \u0442\u0430 \u043e\u0447\u0438\u0441\u0442\u044c\u0442\u0435 \u0432\u0438\u0445\u0456\u0434\u043d\u0456 \u0434\u0430\u043d\u0456 \u043f\u0435\u0440\u0435\u0434 \u0437\u0430\u043f\u0438\u0441\u043e\u043c \u0434\u043e \u0431\u0443\u0434\u044c-\u044f\u043a\u0438\u0445 \u043f\u043e\u0434\u0456\u0439 Javascript on*. 
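Review bot: the unchanged `pscanrules.usercontrolledcookie.extrainfo` line in this hunk begins with a stray `{` (`{Це було виявлено в..:\n\n{1}...`) with no closing brace or argument index, so `java.text.MessageFormat` will throw an IllegalArgumentException the first time the Cookie Poisoning rule formats this alert in the uk_UA locale; the pattern also uses `{1}`..`{4}` with no `{0}`, which suggests the leading `{0}` placeholder was mangled into that brace. Since this hunk already rewrites the adjacent `extrainfo.get` and `extrainfo.post` keys, fix it here: restore a valid placeholder in place of the bare `{` and check the indices against the English source pattern. Two smaller points: `extrainfo.post` is removed and re-added byte-identical (pure diff noise from the `.get` line wrapping), and the context line `pscanrules.usercontrolledhtmlattributes.name = ...(потенційний XSS)\n` carries a trailing `\n` inside an alert name, as does `pscanrules.usercontrolledcharset.soln`.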
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = \u0429\u043e\u0431 \u0443\u043d\u04 pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = \u0413\u0435\u0448 \u0431\u0443\u0432 {0} \u0437\u0456 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u043c\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = \u0412\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u043e\u0432\u0443\u0439\u0442\u0435 \u043d\u0435\u043f\u0440\u044f\u043c\u0456 \u043f\u043e\u0441\u0438\u043b\u0430\u043d\u043d\u044f \u043d\u0430 \u043e\u0431'\u0454\u043a\u0442\u0438 \u0434\u043b\u044f \u043a\u043e\u0436\u043d\u043e\u0433\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447\u0430 \u0430\u0431\u043e \u0441\u0435\u0430\u043d\u0441\u0443 (\u0441\u0442\u0432\u043e\u0440\u044e\u0439\u0442\u0435 \u0442\u0438\u043c\u0447\u0430\u0441\u043e\u0432\u0435 \u0432\u0456\u0434\u043e\u0431\u0440\u0430\u0436\u0435\u043d\u043d\u044f \u043d\u0430 \u0447\u0430\u0441 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f). 
\u0410\u0431\u043e \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u043a\u043e\u0436\u043d\u0435 \u0432\u0438\u043a\u043e\u0440\u0438\u0441\u0442\u0430\u043d\u043d\u044f \u043f\u0440\u044f\u043c\u043e\u0433\u043e \u043f\u043e\u0441\u0438\u043b\u0430\u043d\u043d\u044f \u043d\u0430 \u043e\u0431'\u0454\u043a\u0442 \u043f\u043e\u0432'\u044f\u0437\u0430\u043d\u0435 \u0437 \u043f\u0435\u0440\u0435\u0432\u0456\u0440\u043a\u043e\u044e \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0456\u0457, \u0449\u043e\u0431 \u043f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0442\u0438\u0441\u044f, \u0449\u043e \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0447 \u043c\u0430\u0454 \u043f\u0440\u0430\u0432\u043e \u0434\u043e\u0441\u0442\u0443\u043f\u0443 \u0434\u043e \u0437\u0430\u043f\u0438\u0442\u0443\u0432\u0430\u043d\u043e\u0433\u043e \u043e\u0431'\u0454\u043a\u0442\u0430. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = \u0411\u0443\u043b\u043e \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043e, \u0449\u043e \u0442\u0430\u043a\u0456 \u0435\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u0456 \u043b\u0438\u0441\u0442\u0438 \u0441\u0435\u0440\u0456\u0430\u043b\u0456\u0437\u0443\u044e\u0442\u044c\u0441\u044f \u0432 \u043f\u043e\u043b\u0456 viewstate\: pscanrules.viewstate.content.email.name = \u0415\u043b\u0435\u043a\u0442\u0440\u043e\u043d\u043d\u0456 \u043b\u0438\u0441\u0442\u0438 \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u043e \u0443 Viewstate 
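Review bot: the removed Ukrainian `pscanrules.usernameidor.soln` is a faithful translation of the English `+` line (per-user/session indirect references, or an authorization check on each direct reference), so reverting it drops working localization; with `usernameidor.desc` and `usernameidor.name` already English in the context lines, the whole Username Hash Found rule is untranslated after this hunk. Keep the `-` line unless the source string changed. Also, the `+` `usernameidor.otherinfo = The hash was an {0}, with value\: {1}` hard-codes the article before the placeholder; that is the source string's problem, not the translation's, but it is worth raising against the base file.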
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = \u041d\u0430\u043b\u0430\u0448\u0442\u0443\u0439\u0442\u0435 \u0441\u0435\u0440\u0432\u0435\u0440 \u0442\u0430\u043a, \u0449\u043e\u0431 \u0432\u0456\u043d \u043d\u0435 \u043f\u043e\u0432\u0435\u0440\u0442\u0430\u0432 \u0446\u0456 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438. pscanrules.xbackendserver.desc = \u0421\u0435\u0440\u0432\u0435\u0440 \u0432\u0438\u0442\u0456\u043a\u0430\u0454 \u0437 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457, \u0449\u043e \u0441\u0442\u043e\u0441\u0443\u0454\u0442\u044c\u0441\u044f \u0441\u0435\u0440\u0432\u0435\u0440\u043d\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c (\u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u0456\u043c\u0435\u043d\u0430 \u0445\u043e\u0441\u0442\u0456\u0432 \u0430\u0431\u043e IP-\u0430\u0434\u0440\u0435\u0441\u0438). \u041e\u0437\u0431\u0440\u043e\u0457\u0432\u0448\u0438\u0441\u044c \u0446\u0456\u0454\u044e \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0454\u044e, \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a \u043c\u043e\u0436\u0435 \u0430\u0442\u0430\u043a\u0443\u0432\u0430\u0442\u0438 \u0456\u043d\u0448\u0456 \u0441\u0438\u0441\u0442\u0435\u043c\u0438 \u0430\u0431\u043e \u0431\u0456\u043b\u044c\u0448 \u043f\u0440\u044f\u043c\u043e/\u0435\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u043e \u0430\u0442\u0430\u043a\u0443\u0432\u0430\u0442\u0438 \u0446\u0456 \u0441\u0438\u0441\u0442\u0435\u043c\u0438. 
-pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = \u0412\u0438\u0442\u0456\u043a \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0443 X-Backend-Server -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u0437\u0430\u0441\u0442\u043e\u0441\u0443\u043d\u043a\u0456\u0432, \u0441\u0442\u0430\u0431\u0456\u043b\u0456\u0437\u0430\u0442\u043e\u0440 \u043d\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0442\u043e\u0449\u043e \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u0456 \u043d\u0430 \u043f\u0440\u0438\u0434\u0443\u0448\u0435\u043d\u043d\u044f \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0456\u0432 X-Backend-Server. pscanrules.xchromeloggerdata.desc = \u0421\u0435\u0440\u0432\u0435\u0440 \u0432\u0438\u0442\u0456\u043a\u0430\u0454 \u0447\u0435\u0440\u0435\u0437 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043e\u043a \u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0456 X-ChromeLogger-Data (\u0430\u0431\u043e X-ChromePhp-Data). \u0420\u043e\u0437\u0440\u043e\u0431\u043d\u0438\u043a \u043c\u043e\u0436\u0435 \u043d\u0430\u043b\u0430\u0448\u0442\u0443\u0432\u0430\u0442\u0438 \u0432\u043c\u0456\u0441\u0442 \u0442\u0430\u043a\u0438\u0445 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0456\u0432, \u043e\u0434\u043d\u0430\u043a \u043d\u0435\u0440\u0456\u0434\u043a\u043e \u043c\u043e\u0436\u043d\u0430 \u0437\u043d\u0430\u0439\u0442\u0438\: \u0440\u043e\u0437\u0442\u0430\u0448\u0443\u0432\u0430\u043d\u043d\u044f \u0444\u0430\u0439\u043b\u043e\u0432\u043e\u0457 \u0441\u0438\u0441\u0442\u0435\u043c\u0438 \u0441\u0435\u0440\u0432\u0435\u0440\u0430, \u043e\u0433\u043e\u043b\u043e\u0448\u0435\u043d\u043d\u044f vhost \u0442\u043e\u0449\u043e. 
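Review bot: the removed `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` lines carried empty values, and dropping them changes behaviour rather than only tidying the file: a key that is absent from a locale bundle falls through to the parent bundle in Java's `ResourceBundle` lookup, so the alert's reference and extra-info fields for this rule will now show whatever the base `Messages.properties` defines for those keys, or, if they are absent there as well, the lookup raises `MissingResourceException` unless the caller handles it. Please confirm the base bundle was changed the same way, or that the rule no longer reads these keys.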
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = \u0412\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440/\u0441\u0435\u0440\u0432\u0435\u0440 \u0434\u043e\u0434\u0430\u0442\u043a\u0456\u0432 \u043f\u0440\u043e\u043f\u0443\u0441\u043a\u0430\u0454 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u044e \u0447\u0435\u0440\u0435\u0437 \u043e\u0434\u0438\u043d \u0430\u0431\u043e \u043a\u0456\u043b\u044c\u043a\u0430 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0456\u0432 HTTP-\u0432\u0456\u0434\u043f\u043e\u0432\u0456\u0434\u0435\u0439 "X-\u041d\u0430-\u043e\u0441\u043d\u043e\u0432\u0456". \u0414\u043e\u0441\u0442\u0443\u043f \u0434\u043e \u0442\u0430\u043a\u043e\u0457 \u0456\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0456\u0457 \u043c\u043e\u0436\u0435 \u043f\u043e\u043b\u0435\u0433\u0448\u0438\u0442\u0438 \u0437\u043b\u043e\u0432\u043c\u0438\u0441\u043d\u0438\u043a\u0430\u043c \u0432\u0438\u044f\u0432\u043b\u0435\u043d\u043d\u044f \u0456\u043d\u0448\u0438\u0445 \u0444\u0440\u0435\u0439\u043c\u0432\u043e\u0440\u043a\u0456\u0432/\u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0456\u0432, \u043d\u0430 \u044f\u043a\u0456 \u043f\u043e\u043a\u043b\u0430\u0434\u0430\u0454\u0442\u044c\u0441\u044f \u0432\u0430\u0448 \u0432\u0435\u0431-\u0434\u043e\u0434\u0430\u0442\u043e\u043a, \u0442\u0430 \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u043e\u0441\u0442\u0435\u0439, \u0434\u043e \u044f\u043a\u0438\u0445 \u043c\u043e\u0436\u0443\u0442\u044c \u0431\u0443\u0442\u0438 \u0441\u0445\u0438\u043b\u044c\u043d\u0456 \u0442\u0430\u043a\u0456 \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0438. 
-pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = \u0422\u0430\u043a\u043e\u0436 \u0431\u0443\u043b\u0438 \u0437\u043d\u0430\u0439\u0434\u0435\u043d\u0456 \u0442\u0430\u043a\u0456 \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0438 X-Powered-By\: pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ur_PK.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ur_PK.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ur_PK.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_ur_PK.properties 
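Review bot: in the unchanged `pscanrules.xpoweredbyheaderinfoleak.desc` context line of the Ukrainian hunk above, the header name itself has been translated ("X-На-основі", a word-by-word rendering of "X-Powered-By"). Header names are protocol identifiers and should stay as `X-Powered-By`, as `pscanrules.xpoweredbyheaderinfoleak.name` and `pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg` in the same hunk already do; otherwise the reader cannot match the reported header against their own response. The fix belongs in the Crowdin source translation rather than a hand edit to this export, but it is worth raising in the same pass. The removed empty `pscanrules.xpoweredbyheaderinfoleak.extrainfo=` line is fine provided the base bundle's value for that key is the text you want shown, since the locale lookup now falls through to it.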
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
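Review bot: `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` are removed here with empty values; because a missing key in this locale bundle falls through to the base bundle, the reference field for these two rules will now display the base `Messages.properties` text instead of nothing. That is the right outcome only if the base bundle either omits these keys as well or defines real references for them; check which before merging. The `.soln` and `.extrainfo` edits in this hunk add trailing periods only.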
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
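Review bot: the new `pscanrules.polyfillcdnscript.desc2` value has a number-agreement slip, "one or more script which appear", which should read "one or more scripts which appear", and `pscanrules.polyfillcdnscript.refs` cites an `x.com` status URL, which is not a durable reference for an alert because posts can be deleted. Suggest keeping the sansec.io write-up and replacing the status link with an archived copy or another primary source. Since this is the ur_PK bundle and the strings here are the untranslated English values, both fixes need to land in the base `Messages.properties` so the next Crowdin export does not reintroduce them. The `pscanrules.retrievedfromcache.desc` and `.soln` changes in this hunk are whitespace only.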
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
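Review bot: dropping the empty `pscanrules.usercontrolledcharset.refs=` entry from a locale bundle only preserves behaviour if the key is resolved elsewhere: `ResourceBundle.getString` falls back to the parent (base) bundle for a missing key and throws `MissingResourceException` if no bundle in the chain defines it, unless the caller guards for that. Confirm the base `Messages.properties` still defines this key (or that the lookup code tolerates its absence); the same check applies to the other empty entries this patch removes (`xbackendserver.extrainfo`/`.refs`, `xpoweredbyheaderinfoleak.extrainfo`, `insecureformload.refs`, `insecureformpost.refs`). Two smaller points in this hunk: the `-`/`+` pairs for `usercontrolledcookie.extrainfo.get` and `.post` are textually identical, so the change is presumably trailing whitespace after the closing `\n\n`, which is a correct strip since that space would otherwise be part of the message; and the unchanged soln lines for `usercontrolledhtmlattributes` and `usercontrolledjavascriptevent` read "sanitize output it before writing", which should be "sanitize it before writing" or "sanitize output before writing".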
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
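Review bot: `pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1}` hard-codes the article before the algorithm-name placeholder, so whether "an" reads correctly depends entirely on the value substituted for `{0}`; since the line is being rewritten anyway, rephrase so no article precedes the placeholder, e.g. `The hash algorithm was {0}, with value\: {1}`. Note also that the `-`/`+` pairs for both otherinfo and soln are textually identical in the diff, so this hunk is presumably whitespace-only and the PR description should say so.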
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_vi_VN.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_vi_VN.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_vi_VN.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_vi_VN.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
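Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` has an unclosed parenthesis: the outer "(if you expect the page to be framed only by pages on your server" is never closed (only the inner "(e.g. it's part of a FRAMESET)" is). Both the `-` and `+` lines carry it, and a line that is being rewritten anyway is the natural place to fix it, e.g. "... you should use DENY). Alternatively consider ..." or simply drop the outer parenthesis. The unchanged `compliance.meta.desc` context line is also a comma splice ("... META tag was found, defining XFO via a META tag is explicitly not supported ..."); a semicolon or full stop after "found" would fix it.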
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
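Review bot: the `-`/`+` lines for `authenticationcredentialscaptured.desc` and `.soln` are textually identical in the diff, so the change is invisible to a reader (presumably trailing whitespace); say so in the PR description, otherwise this hunk looks like a no-op in later blame. While the soln line is being touched, "un-encrypted" is better written "unencrypted".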
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
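Review bot: the `cookielooselyscoped.desc` context line directly above the changed extrainfo is missing a space after a sentence ("This check is only concerned with domain scope.The domain scope applied ..."); since this locale file is already being edited for whitespace, fix it in the same pass. The extrainfo change itself (removing the space before `\n`) is fine.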
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
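Review bot: the `infoprivateaddressdisclosure.desc` context line lists "172.x.x.x" as a private range, but RFC 1918 (the reference this rule links) reserves only 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x; the wording overstates what the rule is about and is worth tightening while the adjacent soln line is being rewritten. As in the other identical `-`/`+` hunks in this patch, the soln change itself appears to be whitespace only.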
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
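Review bot: `insecurejsfviewstate.soln` spells the subject "VIEWSTATE" while desc, extrainfo and name in the same block use "ViewState"; since the line is being edited to add a period, normalise the spelling at the same time. The removed empty `insecureformload.refs=` and `insecureformpost.refs=` entries rely on the base bundle supplying those keys (or the lookup code tolerating their absence); confirm that before merging.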
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
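Review bot: the new `pscanrules.polyfillcdnscript.desc2` has a number-agreement error: "one or more script which appear" should be "one or more scripts which appear" (desc1 already gets this right with "script files"). Two further points on the added keys: the refs value cites an x.com status URL, which is a fragile reference for an alert users may look up long after the fact; prefer the sansec.io write-up alone or a durable advisory link. And these keys land in a vi_VN locale bundle as untranslated English, duplicating the base bundle; if that is just the translation workflow's placeholder it is fine, but otherwise they will shadow future wording changes in the base file. The `retrievedfromcache.desc` and `.soln` `-`/`+` pairs are textually identical, so those lines are whitespace-only changes.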
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
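Review bot: deleting `pscanrules.usercontrolledcharset.refs=` outright, rather than leaving it empty, changes what this locale returns for the reference string. Under the standard ResourceBundle parent chain a key that is absent from a locale bundle falls through to the default bundle, whereas an empty value is returned as an empty string, so the two are only equivalent if the default Messages.properties also has no `refs` entry for this rule (or whatever reads the rule's reference tolerates the fallback). Worth confirming before the same removal is applied across every locale. Two unchanged context lines in this hunk also carry wording that should be fixed at the source bundle: `filter out semicolon's` in `pscanrules.usercontrolledcookie.soln` should be `semicolons`, and `sanitize output it before writing` in both `usercontrolledhtmlattributes.soln` and `usercontrolledjavascriptevent.soln` has a stray `it`.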
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
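Review bot: this hunk removes both `pscanrules.xbackendserver.extrainfo=` and `pscanrules.xbackendserver.refs=` while `.desc`, `.name` and `.soln` remain, so the rule has no reference or extra-info entry in this locale at all and any lookup now depends on the parent bundle having them; that is fine only if the default bundle was changed the same way, otherwise the locale silently diverges. Separately, the unchanged `.desc` sentence `attack other systems or more directly/efficiently attack those systems` is hard to parse; something like `attack the backend systems directly, or attack other systems more efficiently` would read better, but that edit belongs in the default bundle rather than here.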
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_yo_NG.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_yo_NG.properties index e21081833db..be014b0b58a 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_yo_NG.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_yo_NG.properties 
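Review bot: the unchanged `pscanrules.xpoweredbyheaderinfoleak.refs` line cites the Troy Hunt post as `https://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html`, while the hunk header of the preceding hunk shows `pscanrules.xaspnetversion.refs` using the `https://www.troyhunt.com/shhh-dont-let-your-re...` form (truncated by git) of what appears to be the same article; pick one canonical URL for both rules. The removal of `pscanrules.xpoweredbyheaderinfoleak.extrainfo=` is the same empty-key cleanup as in the earlier hunks; `.otherinfo.msg` is still present, so the alert text listing additional X-Powered-By headers is unaffected.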
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
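Review bot: the rewritten `pscanrules.anticlickjacking.compliance.malformed.setting.soln` line still has an unbalanced parenthesis: the outer `(if you expect the page to be framed only by pages on your server` is never closed, so the sentence ends `... you should use DENY. Alternatively ...` one `)` short. Since only trailing whitespace changed and the line is being touched anyway, close it, e.g. `... otherwise, if you never expect the page to be framed, you should use DENY). Alternatively consider implementing ...`. The same text presumably exists in the default bundle and the other locales, so the fix should land there as well.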
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = Cross-Domain Misconfiguration pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
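Review bot: the unchanged `pscanrules.infoprivateaddressdisclosure.desc` context line lists the private ranges as `10.x.x.x, 172.x.x.x, 192.168.x.x`; `172.x.x.x` overstates the private block, which is 172.16.0.0/12 (172.16.x.x through 172.31.x.x) per the RFC 1918 link in the rule's own `.refs` entry. Not introduced by this hunk, but worth correcting in the default bundle (e.g. `172.16.x.x-172.31.x.x`) so the alert text matches the reference it cites.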
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
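Review bot: `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` are deleted outright here, the same empty-key cleanup as in the earlier hunks. Both rules keep their desc, extrainfo, name and soln entries, so the only behavioural change is that a reference lookup in this locale now falls through to the parent bundle instead of returning an empty string; acceptable if the default bundle was changed identically. Minor: `pscanrules.insecurejsfviewstate.soln` gains a period but still says `VIEWSTATE`, while the rule's `.desc` and `.extrainfo` say `ViewState`; align the spelling while touching the line.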
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
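Review bot: `pscanrules.polyfillcdnscript.desc2` has a number-agreement slip in the new text: "one or more script which appear to include a reference" should read "one or more scripts which appear ..." (compare `desc1`, which correctly says "one or more script files"). Two smaller points in the same hunk: the `refs` line cites an x.com post, an ephemeral source for a security finding; if the sansec.io write-up covers the point, consider dropping the social-media link. And the five new `polyfillcdnscript` keys are being added to a localized bundle as English source text; if this bundle is regenerated from the translation source, confirm the same keys exist in the default bundle so the localized copy does not drift from it.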
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
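Review bot: dropping the empty `pscanrules.usercontrolledcharset.refs=` line is only safe if the rule no longer looks that key up, or the default bundle still defines it; otherwise the lookup fails where it previously returned an empty string. The same check applies to the other empty keys removed later in this patch (`pscanrules.xbackendserver.extrainfo=`, `pscanrules.xbackendserver.refs=`, `pscanrules.xpoweredbyheaderinfoleak.extrainfo=`, `pscanrules.insecureformload.refs=`, `pscanrules.insecureformpost.refs=`). While touching this block, three wording defects in the surrounding strings are worth fixing: `pscanrules.usercontrolledcookie.soln` says "filter out semicolon's" (should be "semicolons"); `pscanrules.usercontrolledhtmlattributes.soln` and `pscanrules.usercontrolledjavascriptevent.soln` both say "sanitize output it before writing" (drop the stray "it"); and the rewritten `pscanrules.usercontrolledjavascriptevent.extrainfo` still opens "User-controlled javascript event(s) was found" (should be "were found").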
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
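Review bot: `pscanrules.usernameidor.otherinfo` hard-codes the article in "The hash was an {0}", which reads wrongly for hash names that take "a" (e.g. "an SHA-256"). Since this hunk only trims trailing whitespace on that line, consider rewording it to "The hash algorithm was {0}, with value\: {1}" so the string is correct for every substituted name.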
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_zh_CN.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_zh_CN.properties index e2bdaf06268..c211c1f6b46 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_zh_CN.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_zh_CN.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
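Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` has an unbalanced parenthesis: the "(" before "if you expect the page to be framed" is never closed, so the sentence runs straight into "you should use DENY. Alternatively ...". Suggest closing it after DENY: "... if you never expect the page to be framed, you should use DENY). Alternatively consider implementing Content Security Policy's "frame-ancestors" directive." This hunk already rewrites that line (trailing whitespace), so it is the natural place to fix it.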
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = \u6355\u83b7\u8eab\u4efd\u9a8c\u8bc1\u51ed\u636e pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
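Review bot: the context line `pscanrules.cookielooselyscoped.desc` is missing a space in "domain scope.The domain scope applied to a cookie"; since this hunk already touches the adjacent `extrainfo` string, fixing that typo in the same change would be cheap.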
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = \u8de8\u57df\u914d\u7f6e\u9519\u8bef pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src \u4e0d\u5b89\u5168-\u5185\u8054 pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = \u66f4\u65b0\u5230 OpenSSL 1.0.1g \u6216\u66f4\u9ad pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = \u4fe1\u606f\u6cc4\u9732-\u8c03\u8bd5\u9519\u8bef\u6d88\u606f 
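Review bot: `pscanrules.infoprivateaddressdisclosure.desc` lists "172.x.x.x" as a private range, but RFC 1918 (the rule's own `refs` entry) reserves only 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x; an address such as 172.32.0.1 is public. Suggest "(such as 10.x.x.x, 172.16.x.x to 172.31.x.x, 192.168.x.x)" so the description does not overstate what the rule reports. The hunk itself only trims trailing whitespace on the `soln` line, so this would be a one-line follow-up in the same place.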
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = \u8be5\u7f51\u5740\u4f3c\u4e4e\u5305\u542b\u4fe1\u7528\u5361\u4fe1\u606f\u3002 pscanrules.informationdisclosureinurl.otherinfo.email = \u8be5\u7f51\u5740\u5305\u542b\u7535\u5b50\u90ae\u4ef6\u5730\u5740\u3002 pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = \u8be5\u7f51\u5740\u4f3c\u4e4e\u5305\u542b\u7f8e\u56fd\u793e\u4f1a\u5b89\u5168\u53f7\u7801 +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = \u4e0d\u8981\u5728URIs\u4e2d\u4f20\u9012\u654f\u611f\u4fe1\u606f\u3002 pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
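Review bot: this hunk replaces an existing zh_CN translation of `pscanrules.informationdisclosureinurl.otherinfo.ssn` with the English source string "The URL appears to contain US Social Security Number(s).", while the sibling `.otherinfo.cc` and `.otherinfo.email` keys keep their Chinese text. If the source string changed (the "(s)" plural suffix) and the old translation was invalidated, that is expected; otherwise this is a lost translation and the removed line should be kept until a new translation lands.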
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
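Review bot: deleting `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` changes those keys from "present but empty" to "absent" in this bundle, so a lookup no longer yields an empty string but whatever the missing-key path does (fallback to the default bundle, or an error/raw key in the alert's references field). Please confirm that the default `Messages.properties` still defines these keys, or that the rule code tolerates their absence, before merging; the same check applies to the later hunks in this file that drop `pscanrules.xbackendserver.extrainfo=`, `pscanrules.xbackendserver.refs=` and `pscanrules.xpoweredbyheaderinfoleak.extrainfo=`. The trailing-period additions on `insecureauthentication.soln`, `insecurejsfviewstate.extrainfo` and `insecurejsfviewstate.soln` look fine.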
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = \u73b0\u4ee3 Web \u5e94\u7528\u7a0b\u5e8f 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = \u53d1\u884c\u4eba\uff1a pscanrules.pii.name = PII \u6cc4\u6f0f pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
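Review bot: `pscanrules.polyfillcdnscript.desc2` carries a grammar slip in the added text, `one or more script which appear` should read `one or more scripts which appear`; because this file mirrors the default bundle, that fix belongs in the English `Messages.properties` so every locale inherits it rather than being patched here. Two smaller points in the same hunk: the new `pscanrules.polyfillcdnscript.*` keys land untranslated in a translated bundle, which is normal for a sync but worth flagging to the translators, and the `-`/`+` pairs for `pscanrules.retrievedfromcache.desc` and `pscanrules.retrievedfromcache.soln` are textually identical, so that part of the change is whitespace-only; say so in the PR description (or check with `git diff -w`) so reviewers do not hunt for a wording change that is not there.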
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = \u65f6\u95f4\u6233\u6cc4\u6f0f pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
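Review bot: the new `pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}.` glues a period onto the formatted placeholder `{1}`, so the alert text ends with the evaluated timestamp immediately followed by `.`, which reads as part of the value and invites copy-paste errors when the value is taken from the alert. Other templated strings in this patch leave a trailing placeholder unterminated (for example `pscanrules.usercontrolledcharset.extrainfo` ends with `{4}`); consider keeping that convention here, or rephrasing so the period does not follow the placeholder. The period added to `pscanrules.timestampdisclosure.desc` is fine.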
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
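Review bot: the `-`/`+` pairs for `pscanrules.usercontrolledcookie.extrainfo.get` and `pscanrules.usercontrolledcookie.extrainfo.post` read identically, so whatever changed there is invisible whitespace (trailing spaces or line endings); please state that in the PR description or split such pairs out, because an invisible change sitting next to real ones is easy to misread. Of the real changes, note that `pscanrules.usercontrolledhtmlattributes.extrainfo` not only drops the stray spaces but also reduces `\: \n\n` to `\:\n` before `a(n) [{1}] tag`, collapsing a blank line in the rendered alert while the other blank lines in the same string keep `\n\n`; confirm that layout change is intended. Dropping the empty `pscanrules.usercontrolledcharset.refs=` and joining `pscanrules.usercontrolledjavascriptevent.extrainfo` onto one line with `\: \n\n` tidied to `\:\n\n` look correct. One item in the unchanged context for a follow-up in the default bundle: `pscanrules.usercontrolledcookie.soln` says `semicolon's` where `semicolons` is meant.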
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
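Review bot: `pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1}` hardcodes the article `an` in front of a placeholder, so whether the sentence is grammatical depends on the hash name substituted for `{0}`; a placeholder-neutral phrasing such as `The hash type was {0}, with value\: {1}` avoids that, and the fix belongs in the default bundle since this line is simply mirrored here. Both `-`/`+` pairs in this hunk are otherwise textually identical, so the hunk is whitespace-only; please say so in the PR description.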
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_zh_TW.properties b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_zh_TW.properties index 0e75f1e66e1..8a9a1fe3ec4 100644 --- a/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_zh_TW.properties +++ b/addOns/pscanrules/src/main/resources/org/zaproxy/zap/extension/pscanrules/resources/Messages_zh_TW.properties 
@@ -1,12 +1,12 @@ pscanrules.anticlickjacking.compliance.malformed.setting.desc = An X-Frame-Options header was present in the response but the value was not correctly set. pscanrules.anticlickjacking.compliance.malformed.setting.name = X-Frame-Options Setting Malformed pscanrules.anticlickjacking.compliance.malformed.setting.refs = https\://tools.ietf.org/html/rfc7034\#section-2.1 -pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.compliance.malformed.setting.soln = Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. pscanrules.anticlickjacking.compliance.meta.desc = An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034). pscanrules.anticlickjacking.compliance.meta.name = X-Frame-Options Defined via META (Non-compliant with Spec) pscanrules.anticlickjacking.compliance.meta.refs = https\://tools.ietf.org/html/rfc7034\#section-4 -pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. 
-pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. +pscanrules.anticlickjacking.compliance.meta.soln = Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive. +pscanrules.anticlickjacking.incInCsp = The Content-Security-Policy does include a 'frame-ancestors' element which takes precedence over the X-Frame-Options header, which is why this has been raised with a LOW risk. pscanrules.anticlickjacking.missing.desc = The response does not include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options to protect against 'ClickJacking' attacks. pscanrules.anticlickjacking.missing.name = Missing Anti-clickjacking Header pscanrules.anticlickjacking.missing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 
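Review bot: `pscanrules.anticlickjacking.compliance.malformed.setting.soln` still has an unbalanced parenthesis in the `+` line: the group opened by `(if you expect the page to be framed only by pages on your server` is never closed before `you should use DENY.`, while the inner `(e.g. it's part of a FRAMESET)` is. Close it after `DENY` or restructure the sentence, and do it in the default `Messages.properties` so the locales inherit the fix. Also, every `-`/`+` pair in this hunk (`compliance.malformed.setting.soln`, `compliance.meta.soln`, `incInCsp`) is textually identical, so the entire hunk is invisible whitespace; please note that in the PR description.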
@@ -23,10 +23,10 @@ pscanrules.applicationerrors.soln = Review the source code of this page. Impleme pscanrules.authenticationcredentialscaptured.alert.basicauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and password [{4}]. pscanrules.authenticationcredentialscaptured.alert.digestauth.extrainfo = [{0}] [{1}] uses insecure authentication mechanism [{2}], revealing username [{3}] and additional information [{4}]. -pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. +pscanrules.authenticationcredentialscaptured.desc = An insecure authentication mechanism is in use. This allows an attacker on the network access to the userid and password of the authenticated user. For Basic Authentication, the attacker must merely monitor the network traffic until a Basic Authentication request is received, and then base64 decode the username and password. For Digest Authentication, the attacker has access to the username, and possibly also the password, if the hash (including a nonce) can be successfully cracked, or if a Man-In-The-Middle attack is mounted.\nThe attacker eavesdrops on the network until an authentication has completed. 
pscanrules.authenticationcredentialscaptured.name = Authentication Credentials Captured pscanrules.authenticationcredentialscaptured.refs = https\://owasp.org/www-community/attacks/Brute_force_attack\nhttps\://en.wikipedia.org/wiki/Digest_access_authentication -pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. +pscanrules.authenticationcredentialscaptured.soln = Use HTTPS, and use a secure authentication mechanism that does not transmit the userid or password in an un-encrypted fashion. In particular, avoid use of the Basic Authentication mechanism, since this trivial obfuscation mechanism is easily broken. pscanrules.bigredirects.desc = The server has responded with a redirect that seems to provide a large response. This may indicate that although the server sent a redirect it also responded with body content (which may include sensitive details, PII, etc.). pscanrules.bigredirects.extrainfo = Location header URI length\: {0} [{1}].\nPredicted response size\: {2}.\nResponse Body Length\: {3}. 
@@ -77,7 +77,7 @@ pscanrules.cookiehttponly.refs = https\://owasp.org/www-community/HttpOnly pscanrules.cookiehttponly.soln = Ensure that the HttpOnly flag is set for all cookies. pscanrules.cookielooselyscoped.desc = Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent. -pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\: \n{0}\n{1} +pscanrules.cookielooselyscoped.extrainfo = The origin domain used for comparison was\:\n{0}\n{1} pscanrules.cookielooselyscoped.extrainfo.cookie = {0}\n pscanrules.cookielooselyscoped.name = Loosely Scoped Cookie pscanrules.cookielooselyscoped.refs = https\://tools.ietf.org/html/rfc6265\#section-4.1\nhttps\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html\nhttps\://code.google.com/p/browsersec/wiki/Part2\#Same-origin_policy_for_cookies 
@@ -97,7 +97,7 @@ pscanrules.cookiesecureflag.name = Cookie Without Secure Flag pscanrules.cookiesecureflag.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html pscanrules.cookiesecureflag.soln = Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information. -pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server +pscanrules.crossdomain.desc = Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server. pscanrules.crossdomain.extrainfo = The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing. pscanrules.crossdomain.name = \u8de8\u7db2\u57df\u8a2d\u5b9a\u932f\u8aa4 pscanrules.crossdomain.refs = https\://vulncat.fortify.com/en/detail?id\=desc.config.dotnet.html5_overly_permissive_cors_policy 
@@ -135,13 +135,13 @@ pscanrules.csp.stylesrc.unsafe.hashes.refs = https\://www.w3.org/TR/CSP3/\#unsaf pscanrules.csp.stylesrc.unsafe.name = style-src unsafe-inline pscanrules.csp.stylesrc.unsafe.otherinfo = style-src includes unsafe-inline. pscanrules.csp.wildcard.name = Wildcard Directive -pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\: \n{0} +pscanrules.csp.wildcard.otherinfo = The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined\:\n{0} pscanrules.csp.xcsp.name = X-Content-Security-Policy pscanrules.csp.xcsp.otherinfo = The header X-Content-Security-Policy was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. pscanrules.csp.xwkcsp.name = X-WebKit-CSP pscanrules.csp.xwkcsp.otherinfo = The header X-WebKit-CSP was found on this response. While it is a good sign that CSP is implemented to some degree the policy specified in this header has not been analyzed by ZAP. To ensure full support by modern browsers ensure that the Content-Security-Policy header is defined and attached to responses. -pscanrules.desc = Release status passive scan rules +pscanrules.desc = Release status passive scan rules. pscanrules.directorybrowsing.desc = It is possible to view a listing of the directory contents. Directory listings may reveal hidden scripts, include files, backup source files, etc., which can be accessed to reveal sensitive information. pscanrules.directorybrowsing.extrainfo = Web server identified\: {0} 
@@ -152,9 +152,9 @@ pscanrules.directorybrowsing.soln = Configure the web server to disable director pscanrules.hashdisclosure.desc = A hash was disclosed by the web server. pscanrules.hashdisclosure.name = Hash Disclosure pscanrules.hashdisclosure.refs = https\://openwall.info/wiki/john/sample-hashes -pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. +pscanrules.hashdisclosure.soln = Ensure that hashes that are used to protect credentials or other resources are not leaked by the web server or database. There is typically no requirement for password hashes to be accessible to the web browser. -pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information.\t +pscanrules.heartbleed.desc = The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, potentially disclosing sensitive information. pscanrules.heartbleed.extrainfo = {0} is in use. Note however that the reported version could contain back-ported security fixes, and so the issue could be a false positive. This is common on Red Hat, for instance. pscanrules.heartbleed.name = Heartbleed OpenSSL Vulnerability (Indicative) pscanrules.heartbleed.refs = https\://nvd.nist.gov/vuln/detail/CVE-2014-0160 
@@ -163,7 +163,7 @@ pscanrules.heartbleed.soln = Update to OpenSSL 1.0.1g or later. Re-issue HTTPS c pscanrules.infoprivateaddressdisclosure.desc = A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems. pscanrules.infoprivateaddressdisclosure.name = Private IP Disclosure pscanrules.infoprivateaddressdisclosure.refs = https\://tools.ietf.org/html/rfc1918 -pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. +pscanrules.infoprivateaddressdisclosure.soln = Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers. pscanrules.informationdisclosuredebugerrors.desc = The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages. pscanrules.informationdisclosuredebugerrors.name = Information Disclosure - Debug Error Messages 
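Review bot: the `pscanrules.infoprivateaddressdisclosure.soln` pair is another whitespace-only change (identical as rendered). While in this block, the unchanged desc line above it lists `172.x.x.x` as private, which overstates RFC 1918, the reference this rule cites: only 172.16.0.0/12, i.e. 172.16.x.x through 172.31.x.x, is private. That wording lives in the English source bundle, so fix it there and let the locale sync carry it into this file rather than editing Messages_ar_SA.properties by hand.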
@@ -174,7 +174,7 @@ pscanrules.informationdisclosureinurl.name = Information Disclosure - Sensitive pscanrules.informationdisclosureinurl.otherinfo.cc = The URL appears to contain credit card information. pscanrules.informationdisclosureinurl.otherinfo.email = The URL contains email address(es). pscanrules.informationdisclosureinurl.otherinfo.sensitiveinfo = The URL contains potentially sensitive information. The following string was found via the pattern\: {0}\n{1} -pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s) +pscanrules.informationdisclosureinurl.otherinfo.ssn = The URL appears to contain US Social Security Number(s). pscanrules.informationdisclosureinurl.soln = Do not pass sensitive information in URIs. pscanrules.informationdisclosurereferrer.bin.field = Bank Identification Number\: 
@@ -206,25 +206,23 @@ pscanrules.infosessionidurl.soln = For secure content, put session ID in a cooki pscanrules.insecureauthentication.desc = HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network. pscanrules.insecureauthentication.name = Weak Authentication Method pscanrules.insecureauthentication.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html -pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism +pscanrules.insecureauthentication.soln = Protect the connection using HTTPS or use a stronger authentication mechanism. pscanrules.insecureformload.desc = This check looks for insecure HTTP pages that host HTTPS forms. The issue is that an insecure HTTP page can easily be hijacked through MITM and the secure HTTPS form can be replaced or spoofed. pscanrules.insecureformload.extrainfo = The response to the following request over HTTP included an HTTPS form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformload.name = HTTP to HTTPS Insecure Transition in Form Post -pscanrules.insecureformload.refs= pscanrules.insecureformload.soln = Use HTTPS for landing pages that host secure forms. pscanrules.insecureformpost.desc = This check identifies secure HTTPS pages that host insecure HTTP forms. The issue is that a secure page is transitioning to an insecure page when data is uploaded through a form. The user may think they're submitting data to a secure page when in fact they are not. 
pscanrules.insecureformpost.extrainfo = The response to the following request over HTTPS included an HTTP form tag action attribute value\:\n\n{0}\nThe context was\:\n\n{1} pscanrules.insecureformpost.name = HTTPS to HTTP Insecure Transition in Form Post -pscanrules.insecureformpost.refs= pscanrules.insecureformpost.soln = Ensure sensitive data is only sent over secured HTTPS channels. pscanrules.insecurejsfviewstate.desc = The response at the following URL contains a ViewState value that has no cryptographic protections. -pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure +pscanrules.insecurejsfviewstate.extrainfo = JSF ViewState [{0}] is insecure. pscanrules.insecurejsfviewstate.name = Insecure JSF ViewState pscanrules.insecurejsfviewstate.refs = https\://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt -pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment +pscanrules.insecurejsfviewstate.soln = Secure VIEWSTATE with a MAC specific to your environment. pscanrules.linktarget.desc = At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the "noopener" and "noreferrer" keywords in the "rel" attribute, which allows the target page to take control of this page. pscanrules.linktarget.name = Reverse Tabnabbing 
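Review bot: dropping the empty `pscanrules.insecureformload.refs=` and `pscanrules.insecureformpost.refs=` keys changes lookup semantics, not just tidiness. With the key present, the ar_SA bundle returned an empty reference string; with it absent, Java ResourceBundle resolution falls through to the parent English Messages.properties. That is only equivalent if the English bundle dropped the same keys in the same change, so check that the source file in this PR carries matching removals; otherwise this locale starts showing whatever the base defines for those keys. The period additions on `insecureauthentication.soln` and the two `insecurejsfviewstate` strings are consistent with the neighbouring entries.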
@@ -235,7 +233,7 @@ pscanrules.mixedcontent.desc = The page includes mixed content, that is content pscanrules.mixedcontent.name = Secure Pages Include Mixed Content pscanrules.mixedcontent.name.inclscripts = Secure Pages Include Mixed Content (Including Scripts) pscanrules.mixedcontent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html -pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\n This includes content from third party sites. +pscanrules.mixedcontent.soln = A page that is available over SSL/TLS must be comprised completely of content which is transmitted over SSL/TLS.\nThe page must not contain any content that is transmitted over unencrypted HTTP.\nThis includes content from third party sites. pscanrules.modernapp.desc = The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one. pscanrules.modernapp.name = Modern Web Application 
@@ -264,11 +262,17 @@ pscanrules.pii.issuer.field = Issuer\: pscanrules.pii.name = PII Disclosure pscanrules.pii.soln = Check the response for the potential presence of personally identifiable information (PII), ensure nothing sensitive is leaked by the application. -pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. +pscanrules.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content. +pscanrules.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. +pscanrules.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) +pscanrules.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 +pscanrules.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. + +pscanrules.retrievedfromcache.desc = The content was retrieved from a shared cache. 
If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance. pscanrules.retrievedfromcache.extrainfo.http11ageheader = The presence of the 'Age' header indicates that a HTTP/1.1 compliant caching server is in use. pscanrules.retrievedfromcache.name = Retrieved from Cache pscanrules.retrievedfromcache.refs = https\://tools.ietf.org/html/rfc7234\nhttps\://tools.ietf.org/html/rfc7231\nhttps\://www.rfc-editor.org/rfc/rfc9110.html -pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. +pscanrules.retrievedfromcache.soln = Validate that the response does not contain sensitive, personal or user-specific information. 
If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user\:\nCache-Control\: no-cache, no-store, must-revalidate, private\nPragma\: no-cache\nExpires\: 0\nThis configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. pscanrules.serverheader.rule.name = HTTP Server Response Header 
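Review bot: the new `pscanrules.polyfillcdnscript.desc2` has a grammar slip, `one or more script which appear`, which should read `one or more scripts which appear` (desc1 gets it right with `script files`). Two further points on the added strings. Both descriptions quote the domain group as `'polyfill'` in single quotes; Java MessageFormat treats a single quote as the start of a quoted literal, so if the rule ever fetches these strings with MessageFormat arguments the quotes are silently consumed. None of the five new strings carries a `{n}` placeholder, so it is safe today, but `"polyfill"` or `''polyfill''` would be robust. The refs value pairs the sansec.io write-up with a link to an x.com post; social-media URLs are fragile references for an alert shipped to every user, so prefer an archived or primary source where one exists. As this is the ar_SA bundle, all of these fixes belong in the English Messages.properties and should reach this file through the translation sync. The `retrievedfromcache.desc` remove/re-add pair is just the insertion keeping keys in alphabetical order, and the `retrievedfromcache.soln` pair renders identically, so it is whitespace-only.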
@@ -283,7 +287,7 @@ pscanrules.serverheaderversioninfoleak.name = Server Leaks Version Information v pscanrules.stricttransportsecurity.compliance.malformed.content.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains some content that was not expected (perhaps curly quotes), the expectation is that the content be printable ASCII characters. pscanrules.stricttransportsecurity.compliance.malformed.content.name = Strict-Transport-Security Malformed Content (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.malformed.content.refs = https\://datatracker.ietf.org/doc/html/rfc6797 -pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. +pscanrules.stricttransportsecurity.compliance.malformed.content.soln = Review the configuration of this control. Ensure that your web server, application server, load balancer, etc. is configured to set Strict-Transport-Security with appropriate content. pscanrules.stricttransportsecurity.compliance.max.age.malformed.desc = A HTTP Strict Transport Security (HSTS) header was found, but it contains quotes preceding the max-age directive (the max-age value can be quoted, but the directive itself cannot be). See RFC 6797 for further details.\nHTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). pscanrules.stricttransportsecurity.compliance.max.age.malformed.name = Strict-Transport-Security Max-Age Malformed (Non-compliant with Spec) pscanrules.stricttransportsecurity.compliance.max.age.malformed.refs = https\://datatracker.ietf.org/doc/html/rfc6797\#section-6.1 
@@ -314,8 +318,8 @@ pscanrules.stricttransportsecurity.refs = https\://cheatsheetseries.owasp.org/ch pscanrules.stricttransportsecurity.rule.name = Strict-Transport-Security Header pscanrules.stricttransportsecurity.soln = Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security. -pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server -pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1} +pscanrules.timestampdisclosure.desc = A timestamp was disclosed by the application/web server. +pscanrules.timestampdisclosure.extrainfo = {0}, which evaluates to\: {1}. pscanrules.timestampdisclosure.name = Timestamp Disclosure pscanrules.timestampdisclosure.refs = https\://cwe.mitre.org/data/definitions/200.html pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. 
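Review bot: `pscanrules.timestampdisclosure.extrainfo` now ends with a period directly after the `{1}` placeholder, and `{1}` is the evaluated timestamp, so the rendered text becomes `..., which evaluates to: <date>.` and the period reads as part of the value when it is copied out of the alert. The `desc` fix is fine, but for strings that end in a substituted value the file's own convention is no trailing period, as in `pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1}` later in this same patch, so either leave `extrainfo` without the period or reword it so the placeholder is not the last token.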
@@ -323,25 +327,24 @@ pscanrules.timestampdisclosure.soln = Manually confirm that the timestamp data i pscanrules.usercontrolledcharset.desc = This check looks at user-supplied input in query string parameters and POST data to identify where Content-Type or meta tag charset declarations might be user-controlled. Such charset declarations should always be declared by the application. If an attacker can control the response charset, they could manipulate the HTML to perform XSS or other attacks. For example, an attacker controlling the element charset value is able to declare UTF-7 and is also able to include enough user-controlled payload early in the HTML document to have it interpreted as UTF-7. By encoding their payload with UTF-7 the attacker is able to bypass any server-side XSS protections and embed script in the page. pscanrules.usercontrolledcharset.extrainfo = A(n) [{0}] tag [{1}] attribute\n\nThe user input found was\:\n{2}\={3}\n\nThe charset value it controlled was\:\n{4} pscanrules.usercontrolledcharset.name = User Controllable Charset -pscanrules.usercontrolledcharset.refs= pscanrules.usercontrolledcharset.soln = Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used. pscanrules.usercontrolledcookie.desc = This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug. 
pscanrules.usercontrolledcookie.extrainfo = {0}This was identified at\:\n\n{1}\n\nUser-input was found in the following cookie\:\n{2}\n\nThe user input was\:\n{3}\={4} -pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n -pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n +pscanrules.usercontrolledcookie.extrainfo.get = An attacker may be able to poison cookie values through URL parameters. Try injecting a semicolon to see if you can add cookie values (e.g. name\=controlledValue;name\=anotherValue;).\n\n +pscanrules.usercontrolledcookie.extrainfo.post = An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example\: https\://nottrusted.com/page?value\=maliciousInput.\n\n pscanrules.usercontrolledcookie.name = Cookie Poisoning pscanrules.usercontrolledcookie.refs = https\://en.wikipedia.org/wiki/HTTP_cookie\nhttps\://cwe.mitre.org/data/definitions/565.html pscanrules.usercontrolledcookie.soln = Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters. pscanrules.usercontrolledhtmlattributes.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. 
This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\: \n\na(n) [{1}] tag [{2}] attribute \n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} +pscanrules.usercontrolledhtmlattributes.extrainfo = User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL\:\n\n{0}\n\nappears to include user input in\:\na(n) [{1}] tag [{2}] attribute\n\nThe user input found was\:\n{3}\={4}\n\nThe user-controlled value was\:\n{5} pscanrules.usercontrolledhtmlattributes.name = User Controllable HTML Element Attribute (Potential XSS) pscanrules.usercontrolledhtmlattributes.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledhtmlattributes.soln = Validate all input and sanitize output it before writing to any HTML attributes. pscanrules.usercontrolledjavascriptevent.desc = This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability. -pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. 
The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\: \n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} +pscanrules.usercontrolledjavascriptevent.extrainfo = User-controlled javascript event(s) was found. Exploitability will need to be manually determined. The page at the following URL\:\n\n{0}\n\nincludes the following Javascript event which may be attacker-controllable\:\n\nUser-input was found in the following data of an [{1}] event\:\n{2}\n\nThe user input was\:\n{3} pscanrules.usercontrolledjavascriptevent.name = User Controllable JavaScript Event (XSS) pscanrules.usercontrolledjavascriptevent.refs = https\://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html pscanrules.usercontrolledjavascriptevent.soln = Validate all input and sanitize output it before writing to any Javascript on* events. 
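Review bot: the rewritten `pscanrules.usercontrolledjavascriptevent.extrainfo` keeps `User-controlled javascript event(s) was found`, which should be `were found`, and it mixes `javascript`, `Javascript` and (in the rule name) `JavaScript` within one alert; since the + line is being touched anyway, normalise to `JavaScript`. In `usercontrolledhtmlattributes.extrainfo` the change collapses `in\: \n\na(n)` to `in\:\na(n)`, a single newline, while the following `attribute\n\n` keeps the double, so two parts of the same message are now spaced differently. Unchanged context in this hunk has `sanitize output it before writing` in both `soln` strings, which wants `sanitize it before writing` (or `sanitize output before writing`). Removing the empty `usercontrolledcharset.refs=` carries the usual caveat for a locale bundle: it is a no-op only if the English source dropped the key as well, since an absent key falls back to the parent bundle.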
@@ -356,9 +359,9 @@ pscanrules.usercontrolledopenredirect.soln = To avoid the open redirect vulnerab pscanrules.usernameidor.desc = A hash of a username ({0}) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused. pscanrules.usernameidor.name = Username Hash Found -pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} +pscanrules.usernameidor.otherinfo = The hash was an {0}, with value\: {1} pscanrules.usernameidor.refs = https\://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References.html -pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. +pscanrules.usernameidor.soln = Use per user or session indirect object references (create a temporary mapping at time of use). Or, ensure that each use of a direct object reference is tied to an authorization check to ensure the user is authorized for the requested object. pscanrules.viewstate.content.email.desc = The following emails were found being serialized in the viewstate field\: pscanrules.viewstate.content.email.name = Emails Found in the Viewstate 
@@ -390,9 +393,7 @@ pscanrules.xaspnetversion.refs = https\://www.troyhunt.com/shhh-dont-let-your-re pscanrules.xaspnetversion.soln = Configure the server so it will not return those headers. pscanrules.xbackendserver.desc = The server is leaking information pertaining to backend systems (such as hostnames or IP addresses). Armed with this information an attacker may be able to attack other systems or more directly/efficiently attack those systems. -pscanrules.xbackendserver.extrainfo= pscanrules.xbackendserver.name = X-Backend-Server Header Information Leak -pscanrules.xbackendserver.refs= pscanrules.xbackendserver.soln = Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers. pscanrules.xchromeloggerdata.desc = The server is leaking information through the X-ChromeLogger-Data (or X-ChromePhp-Data) response header. The content of such headers can be customized by the developer, however it is not uncommon to find\: server file system locations, vhost declarations, etc. 
@@ -415,7 +416,6 @@ pscanrules.xdebugtoken.refs = https\://symfony.com/doc/current/cookbook/profiler pscanrules.xdebugtoken.soln = Limit access to Symfony's Profiler, either via authentication/authorization or limiting inclusion of the header to specific clients (by IP, etc.). pscanrules.xpoweredbyheaderinfoleak.desc = The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to. -pscanrules.xpoweredbyheaderinfoleak.extrainfo= pscanrules.xpoweredbyheaderinfoleak.name = Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) pscanrules.xpoweredbyheaderinfoleak.otherinfo.msg = The following X-Powered-By headers were also found\:\n pscanrules.xpoweredbyheaderinfoleak.refs = https\://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Framework\nhttps\://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ar_SA/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ar_SA/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ar_SA/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ar_SA/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

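Review bot: this hunk deletes the whole `Script Served From Malicious Domain (polyfill)` entry (alert ID 10115, `PolyfillCdnScriptScanRule.java`, the nine listed domains and the High/Low confidence explanation) from the pscanrulesBeta help for this locale, while the Messages hunk earlier in the patch adds `pscanrules.polyfillcdnscript.*` strings to the release bundle, so the rule is moving from beta to release. Check that the release help page for the same locale gains an equivalent section in this change: within the visible diff the domain list and the confidence semantics (High when a script is loaded from one of the domains, Low when only a reference to one appears in script contents) are documented only in the text being removed, and without a counterpart the rule is undocumented in this locale after the move.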
                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_az_AZ/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_az_AZ/contents/pscanbeta.html index b45c59106df..059eb44c997 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_az_AZ/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_az_AZ/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_bs_BA/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_bs_BA/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_bs_BA/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_bs_BA/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_da_DK/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_da_DK/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_da_DK/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_da_DK/contents/pscanbeta.html @@ -72,28 +72,6 @@
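Review bot: the help_bs_BA hunk above deletes the whole "Script Served From Malicious Domain (polyfill)" section (the description, the nine-domain list, "Latest code: PolyfillCdnScriptScanRule.java" and "Alert ID: 10115.") from a file that is not a translation at all: help_bs_BA, help_da_DK, help_de_DE, help_el_GR and help_fa_IR all carry the same index line a7d08d68d26..6f2cc04dbbb, so they are byte-identical untranslated copies of the English help. Files under resources/help_*/ are normally regenerated from the source pscanbeta.html by the translation sync rather than edited by hand, so confirm that the source help contains the same removal (otherwise the next sync reintroduces the section in every locale) and, if the rule was moved rather than dropped, that its help page now exists in the add-on it moved to, since after this change alert 10115 is no longer documented here.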

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_de_DE/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_de_DE/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_de_DE/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_de_DE/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_el_GR/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_el_GR/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_el_GR/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_el_GR/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_es_ES/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_es_ES/contents/pscanbeta.html index 597ed3f4db0..7338abd94ec 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_es_ES/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_es_ES/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fa_IR/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fa_IR/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fa_IR/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fa_IR/contents/pscanbeta.html @@ -72,28 +72,6 @@
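Review bot: no translated text is lost in the help_es_ES hunk above: although its blob pair (597ed3f4db0..7338abd94ec) differs from the untranslated locales, every removed line, from "This checks for scripts being served from one of the 'polyfill' domains" through "Alert ID: 10115.", is still the English source text, so the polyfill section had never been localized in this file; the same is true of the help_fil_PH (485b9ecceca..b0c69d6bef1) and help_fr_FR (6347b85acb0..a587f27c6fd) hunks below. It would help to state in the commit message that the deleted section was untranslated in every locale, so that translators are not asked to re-translate text that no longer exists.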

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fil_PH/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fil_PH/contents/pscanbeta.html index 485b9ecceca..b0c69d6bef1 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fil_PH/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fil_PH/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fr_FR/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fr_FR/contents/pscanbeta.html index 6347b85acb0..a587f27c6fd 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fr_FR/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_fr_FR/contents/pscanbeta.html @@ -72,28 +72,6 @@
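Review bot: Deleting this section removes the only in-help mention of alert 10115 and of the compromised polyfill-related domains the rule checks, and the hunk leaves no pointer to where that rule or its domain list now lives; please confirm the English source help under `contents/pscanbeta.html` carries the same removal and that the add-on's CHANGELOG records why the Polyfill entry was dropped (rule removed, promoted out of beta, or moved), so that a reader of the localized help can still find the rule's documentation.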

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_hi_IN/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_hi_IN/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_hi_IN/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_hi_IN/contents/pscanbeta.html @@ -72,28 +72,6 @@
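Review bot: The block removed from help_fr_FR is untranslated English, word for word the same text as the other locale hunks, so this file is behaving as a copy of the English help rather than a French translation; if these locale files are produced by a translation import, please confirm the removal went in through the English source and the import rather than by hand editing, otherwise the next import could reintroduce the section. Independently of that, the remaining "Permissions Policy Header Not Set" and "Site Isolation Scan Rule" entries keep their `Latest code:` and `Alert ID:` lines, so the deletion boundary looks right.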

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_hu_HU/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_hu_HU/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_hu_HU/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_hu_HU/contents/pscanbeta.html @@ -72,28 +72,6 @@
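Review bot: The index line for help_hi_IN reads `a7d08d68d26..6f2cc04dbbb`, and the same blob pair appears on the help_hu_HU, help_it_IT, help_ms_MY and help_pl_PL headers below, so those five files are byte-identical untranslated copies before and after this change; a single shared fallback file would turn a rule removal like this one into a one-file edit and avoid the risk of the copies drifting apart. Not a blocker for this PR, but worth a follow-up issue.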

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_id_ID/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_id_ID/contents/pscanbeta.html index 3180018d563..68f79fc6d17 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_id_ID/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_id_ID/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_it_IT/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_it_IT/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_it_IT/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_it_IT/contents/pscanbeta.html @@ -72,28 +72,6 @@
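Review bot: help_id_ID has its own blob pair (`3180018d563..68f79fc6d17`) yet the hunk header is the same `@@ -72,28 +72,6 @@` and the removed lines are the same English text as in the other locales, so the file differs from them somewhere outside this hunk; please check that the difference is an actual translation elsewhere in the file and not a stale partial copy, since a partially translated file is the one most likely to be missed when a section is removed across locales.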

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ja_JP/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ja_JP/contents/pscanbeta.html index aa428d03be1..48ac40b3639 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ja_JP/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ja_JP/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ms_MY/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ms_MY/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ms_MY/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ms_MY/contents/pscanbeta.html @@ -72,28 +72,6 @@
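Review bot: Missing documentation: the removed text told users what the High and Low confidence levels of the polyfill alert meant, and nothing in this hunk replaces that guidance; if the rule still exists in another add-on or release channel, consider leaving a one-line entry in the `Site Isolation Scan Rule` neighbourhood (or in the add-on's top-level help) that names where alert 10115 is now documented, so users who have this alert in old scan reports are not left without an explanation.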

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_pl_PL/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_pl_PL/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_pl_PL/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_pl_PL/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_pt_BR/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_pt_BR/contents/pscanbeta.html index 31e5125f859..3ccacf6675b 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_pt_BR/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_pt_BR/contents/pscanbeta.html @@ -72,28 +72,6 @@
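Review bot: In the help_pl_PL hunk the whole "Script Served From Malicious Domain (polyfill)" entry is removed, including "Latest code: PolyfillCdnScriptScanRule.java" and "Alert ID: 10115.", but nothing in the visible part of this patch touches the rule class, its Messages entries or the English source pscanbeta.html, so please confirm in the PR description that the rule is being retired or promoted out of pscanrulesBeta in the same change and that the English help receives the identical deletion; otherwise the localized help will document a different rule set than the add-on ships. A CHANGELOG line naming the rule and alert ID 10115 would also help anyone who later searches for that alert in an old report.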

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ro_RO/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ro_RO/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ro_RO/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ro_RO/contents/pscanbeta.html @@ -72,28 +72,6 @@
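Review bot: The list removed in the help_pt_BR hunk (polyfill.io, bootcdn.net, bootcss.com, staticfile.net, staticfile.org, unionadjs.com, xhsbpza.com, union.macoms.la, newcrbpc.com) is the only human-readable statement in this patch of which hosts make the rule raise its High-confidence alert, so if the rule keeps existing elsewhere, the help page it moves to should carry the same nine entries and the same High/Low confidence explanation that is being deleted here. If that list is also hard-coded in the rule, consider generating the help list from the same source so the two cannot drift apart when a domain is added or dropped.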

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ru_RU/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ru_RU/contents/pscanbeta.html index 1610b6d793d..94c5d39f334 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ru_RU/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ru_RU/contents/pscanbeta.html @@ -72,28 +72,6 @@
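Review bot: Nothing blocking in the help_ro_RO hunk, but note that its index line (a7d08d68d26..6f2cc04dbbb) is identical to the ones for help_pl_PL, help_sr_CS, help_ur_PK and help_zh_CN, which means these five locale files are byte-for-byte copies of each other with untranslated English content; the deletion is consistent across all of them, which is what we want, and it is worth stating in the PR description that these files are placeholders rather than real translations so nobody expects localized text to have been lost.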

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_sr_CS/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_sr_CS/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_sr_CS/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_sr_CS/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_tr_TR/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_tr_TR/contents/pscanbeta.html index ee54c6a0b18..1c8c4abda73 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_tr_TR/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_tr_TR/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ur_PK/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ur_PK/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ur_PK/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_ur_PK/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_zh_CN/contents/pscanbeta.html b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_zh_CN/contents/pscanbeta.html index a7d08d68d26..6f2cc04dbbb 100644 --- a/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_zh_CN/contents/pscanbeta.html +++ b/addOns/pscanrulesBeta/src/main/javahelp/org/zaproxy/zap/extension/pscanrulesBeta/resources/help_zh_CN/contents/pscanbeta.html @@ -72,28 +72,6 @@

                                                                                                  Permissions Policy Header Not Set

                                                                                                  Latest code: PermissionsPolicyScanRule.java
                                                                                                  Alert ID: 10063 -

                                                                                                  Script Served From Malicious Domain (polyfill)

                                                                                                  -This checks for scripts being served from one of the 'polyfill' domains, which are known to have been compromised.
                                                                                                  -It will raise an alert with a High confidence if a script is loaded from one of the malicious domains, -and a Low confidence if it just finds an apparent reference to one of the malicious domains in the script contents. -

                                                                                                  -The known malicious 'polyfill' domains are: -

                                                                                                    -
                                                                                                  • polyfill.io
                                                                                                  • -
                                                                                                  • bootcdn.net
                                                                                                  • -
                                                                                                  • bootcss.com
                                                                                                  • -
                                                                                                  • staticfile.net
                                                                                                  • -
                                                                                                  • staticfile.org
                                                                                                  • -
                                                                                                  • unionadjs.com
                                                                                                  • -
                                                                                                  • xhsbpza.com
                                                                                                  • -
                                                                                                  • union.macoms.la
                                                                                                  • -
                                                                                                  • newcrbpc.com
                                                                                                  • -
                                                                                                  -

                                                                                                  -Latest code: PolyfillCdnScriptScanRule.java -
                                                                                                  -Alert ID: 10115. -

                                                                                                  Site Isolation Scan Rule

                                                                                                  Spectre is a side-channel attack allowing an attacker to read data from memory. One of the counter-measures is to prevent sensitive data diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ar_SA.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ar_SA.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ar_SA.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ar_SA.properties 
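Review bot: in the help_zh_CN hunk above (and the identical preceding help-page hunk), the removed block is the only place on this page that documents Alert ID 10115, the PolyfillCdnScriptScanRule.java source link and the list of flagged domains, and the hunk does not show where that text is going; the PR should carry a matching addition in the destination help page, and a pointer to it in the description would let reviewers confirm the domain list (polyfill.io through newcrbpc.com) survives intact. If the block is being relocated rather than dropped, also align its trailing punctuation with its siblings: the removed line reads "Alert ID: 10115." while the retained Permissions Policy section reads "Alert ID: 10063" with no period.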
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
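Review bot: the five pscanbeta.polyfillcdnscript.* keys dropped here (plus one blank line, matching the -35,12 +35,6 header) contain two grammar slips that should not travel with them if the strings are being re-homed: desc1 reads "These is not associated with the polyfill.js library" (should be "These are"), and desc2 reads "one or more script which appear" (should be "one or more scripts which appear"). The same hunk is repeated verbatim for every locale file that follows (az_AZ through fr_FR), and each shows untranslated English text for these keys, so the wording fix belongs wherever the canonical English source for the alert's name, desc and soln now lives rather than in these locale files. As with the help-page removals, confirm the corresponding additions are part of the same change so the rule does not lose its user-facing strings.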
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_az_AZ.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_az_AZ.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_az_AZ.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_az_AZ.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_bn_BD.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_bn_BD.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_bn_BD.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_bn_BD.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_bs_BA.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_bs_BA.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_bs_BA.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_bs_BA.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ceb_PH.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ceb_PH.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ceb_PH.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ceb_PH.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_da_DK.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_da_DK.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_da_DK.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_da_DK.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_de_DE.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_de_DE.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_de_DE.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_de_DE.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_el_GR.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_el_GR.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_el_GR.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_el_GR.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_es_ES.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_es_ES.properties index 5e8a2921b1b..992b42afaec 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_es_ES.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_es_ES.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fa_IR.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fa_IR.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fa_IR.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fa_IR.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fil_PH.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fil_PH.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fil_PH.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fil_PH.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fr_FR.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fr_FR.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fr_FR.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_fr_FR.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
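Review bot: The blob ids on this file (6267dd6407d..5059747682d) are the same as on the fil_PH file above, so this "French" locale file is a byte-for-byte copy of the English text and the hunk is the same six-line removal. That is fine for the deletion itself, but it shows these locale files are not hand-maintained; if they are regenerated from an external translation source, the removal of the `pscanbeta.polyfillcdnscript.*` keys must also be made at that source, otherwise the next sync will reintroduce them.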
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ha_HG.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ha_HG.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ha_HG.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ha_HG.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_he_IL.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_he_IL.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_he_IL.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_he_IL.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hi_IN.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hi_IN.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hi_IN.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hi_IN.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hr_HR.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hr_HR.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hr_HR.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hr_HR.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hu_HU.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hu_HU.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hu_HU.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_hu_HU.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_id_ID.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_id_ID.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_id_ID.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_id_ID.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_it_IT.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_it_IT.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_it_IT.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_it_IT.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ja_JP.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ja_JP.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ja_JP.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ja_JP.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ko_KR.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ko_KR.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ko_KR.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ko_KR.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_mk_MK.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_mk_MK.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_mk_MK.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_mk_MK.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ms_MY.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ms_MY.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ms_MY.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ms_MY.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_nb_NO.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_nb_NO.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_nb_NO.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_nb_NO.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_nl_NL.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_nl_NL.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_nl_NL.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_nl_NL.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pcm_NG.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pcm_NG.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pcm_NG.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pcm_NG.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pl_PL.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pl_PL.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pl_PL.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pl_PL.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pt_BR.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pt_BR.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pt_BR.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pt_BR.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pt_PT.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pt_PT.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pt_PT.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_pt_PT.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ro_RO.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ro_RO.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ro_RO.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ro_RO.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ru_RU.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ru_RU.properties index 106df5604c0..2483908f0de 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ru_RU.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ru_RU.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. 
- pscanbeta.servletparameterpollution.desc = \u041d\u0435\u0443\u043a\u0430\u0437\u0430\u043d\u043d\u043e\u0435 \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u0444\u043e\u0440\u043c\u044b\: \u0430\u0442\u0430\u043a\u0430 \u043f\u0435\u0440\u0435\u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 HTTP \u043f\u043e\u0442\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0432\u043e\u0437\u043c\u043e\u0436\u043d\u0430. \n\u042d\u0442\u043e \u0438\u0437\u0432\u0435\u0441\u0442\u043d\u0430\u044f \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0441 \u0441\u0435\u0440\u0432\u043b\u0435\u0442\u0430\u043c\u0438 Java, \u043d\u043e \u0434\u0440\u0443\u0433\u0438\u0435 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u044b. pscanbeta.servletparameterpollution.name = \u041f\u0435\u0440\u0435\u043e\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u043e\u0432 HTTP pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_si_LK.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_si_LK.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_si_LK.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_si_LK.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sk_SK.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sk_SK.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sk_SK.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sk_SK.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sl_SI.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sl_SI.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sl_SI.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sl_SI.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sq_AL.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sq_AL.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sq_AL.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sq_AL.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sr_CS.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sr_CS.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sr_CS.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sr_CS.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sr_SP.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sr_SP.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sr_SP.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_sr_SP.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_tr_TR.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_tr_TR.properties index 2c6955c54dd..e054ab19294 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_tr_TR.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_tr_TR.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_uk_UA.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_uk_UA.properties index b132a92ec9c..bbbda9df582 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_uk_UA.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_uk_UA.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = \u0417\u0430\u0433\u043e\u043b\u043e\u pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = \u041f\u0435\u0440\u0435\u043a\u043e\u043d\u0430\u0439\u0442\u0435\u0441\u044f, \u0449\u043e \u0432\u0430\u0448 \u0432\u0435\u0431\u0441\u0435\u0440\u0432\u0435\u0440, \u0441\u0435\u0440\u0432\u0435\u0440 \u043f\u0440\u043e\u0433\u0440\u0430\u043c, \u0431\u0430\u043b\u0430\u043d\u0441\u0443\u0432\u0430\u043b\u044c\u043d\u0438\u043a \u043d\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0435\u043d\u043d\u044f \u0442\u043e\u0449\u043e \u043d\u0430\u043b\u0430\u0448\u0442\u043e\u0432\u0430\u043d\u043e \u043d\u0430 \u0432\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u043d\u044f \u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u0430 \u00ab\u041f\u043e\u043b\u0456\u0442\u0438\u043a\u0430 \u0434\u043e\u0437\u0432\u043e\u043b\u0456\u0432\u00bb. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. 
-pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = \u041d\u0435\u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u0430 \u0434\u0456\u044f \u0444\u043e\u0440\u043c\u0438\: \u043f\u043e\u0442\u0435\u043d\u0446\u0456\u0439\u043d\u043e \u043c\u043e\u0436\u043b\u0438\u0432\u0430 \u0430\u0442\u0430\u043a\u0430 \u0456\u0437 \u043f\u0435\u0440\u0435\u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0456\u0432 HTTP. \u0426\u0435 \u0432\u0456\u0434\u043e\u043c\u0430 \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0437 Java Servlets, \u0430\u043b\u0435 \u0456\u043d\u0448\u0456 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0438 \u0442\u0430\u043a\u043e\u0436 \u043c\u043e\u0436\u0443\u0442\u044c \u0431\u0443\u0442\u0438 \u0432\u0440\u0430\u0437\u043b\u0438\u0432\u0438\u043c\u0438. pscanbeta.servletparameterpollution.name = \u041f\u0435\u0440\u0435\u0432\u0438\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0456\u0432 HTTP pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ur_PK.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ur_PK.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ur_PK.properties 
+++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_ur_PK.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_vi_VN.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_vi_VN.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_vi_VN.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_vi_VN.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_yo_NG.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_yo_NG.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_yo_NG.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_yo_NG.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_zh_CN.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_zh_CN.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_zh_CN.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_zh_CN.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_zh_TW.properties b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_zh_TW.properties index 6267dd6407d..5059747682d 100644 --- a/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_zh_TW.properties +++ b/addOns/pscanrulesBeta/src/main/resources/org/zaproxy/zap/extension/pscanrulesBeta/resources/Messages_zh_TW.properties 
@@ -35,12 +35,6 @@ pscanbeta.permissionspolicymissing.name = Permissions Policy Header Not Set pscanbeta.permissionspolicymissing.refs = https\://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy\nhttps\://developer.chrome.com/blog/feature-policy/\nhttps\://scotthelme.co.uk/a-new-security-header-feature-policy/\nhttps\://w3c.github.io/webappsec-feature-policy/\nhttps\://www.smashingmagazine.com/2018/12/feature-policy/ pscanbeta.permissionspolicymissing.soln = Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header. -pscanbeta.polyfillcdnscript.desc1 = The page includes one or more script files loaded from one of the 'polyfill' domains.\nThese is not associated with the polyfill.js library and are known to serve malicious content. -pscanbeta.polyfillcdnscript.desc2 = The page includes one or more script which appear to include a reference to one of the 'polyfill' domains.\nThese are not associated with the polyfill.js library and are known to serve malicious content.\nYou should check to see if it is a safe reference (for example in a comment) or whether the script is loading content from that domain. -pscanbeta.polyfillcdnscript.name = Script Served From Malicious Domain (polyfill) -pscanbeta.polyfillcdnscript.refs = https\://sansec.io/research/polyfill-supply-chain-attack\nhttps\://x.com/triblondon/status/1761852117579427975 -pscanbeta.polyfillcdnscript.soln = Change all scripts to use a known good source based on their documentation. - pscanbeta.servletparameterpollution.desc = Unspecified form action\: HTTP parameter override attack potentially possible. This is a known problem with Java Servlets but other platforms may also be vulnerable. pscanbeta.servletparameterpollution.name = HTTP Parameter Override pscanbeta.servletparameterpollution.refs = https\://download.oracle.com/javaee-archive/servlet-spec.java.net/jsr340-experts/att-0317/OnParameterPollutionAttacks.pdf 
diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ar_SA.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ar_SA.properties index d394947ae1f..c21128c5232 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ar_SA.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ar_SA.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey=[empty string] +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName=[empty string] +scripts.api.action.clearScriptVar.param.varKey=[empty string] +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName=[empty string] +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName=[empty string] +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName=[empty string] +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset=[empty string] +scripts.api.action.load.param.fileName=[empty string] +scripts.api.action.load.param.scriptDescription=[empty string] +scripts.api.action.load.param.scriptEngine=[empty string] +scripts.api.action.load.param.scriptName=[empty string] +scripts.api.action.load.param.scriptType=[empty string] +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName=[empty string] +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName=[empty string] +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey=[empty string] +scripts.api.action.setGlobalVar.param.varValue=[empty string] +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName=[empty string] +scripts.api.action.setScriptVar.param.varKey=[empty string] +scripts.api.action.setScriptVar.param.varValue=[empty string] +scripts.api.desc=[empty string] +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey=[empty string] +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). 
+scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. +scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName=[empty string] +scripts.api.view.scriptVar.param.varKey=[empty string] +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName=[empty string] + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_az_AZ.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_az_AZ.properties index 60dfd6704d6..0635bb28ee4 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_az_AZ.properties 
+++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_az_AZ.properties 
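Review bot: in the ar_SA scripts hunk above, every parameter description and `scripts.api.desc` carries the literal text `[empty string]` (for example `scripts.api.action.clearGlobalVar.param.varKey=[empty string]`), while the other locales in this patch leave the same keys blank; a Java Properties loader keeps that bracketed text as the value, so Arabic users would see "[empty string]" as the description of each API parameter. Replace these with empty values (or drop the keys) so the file matches the other locale bundles.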
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_bn_BD.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_bn_BD.properties index db6f9b4fde2..bed20dffa30 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_bn_BD.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_bn_BD.properties 
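Review bot: the blank keys in this az_AZ hunk (`scripts.api.action.clearGlobalVar.param.varKey=`, `scripts.api.desc=` and the other `.param.` entries) are present-but-empty, and a ResourceBundle parent chain only falls back to the default bundle when a key is absent, so these would resolve to "" rather than to the English description; either confirm that the translation export is expected to emit them this way and that the loader treats blank as missing, or omit untranslated keys from the locale file.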
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_bs_BA.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_bs_BA.properties index 9c3c33c3820..1626ce59f62 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_bs_BA.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_bs_BA.properties 
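Review bot: None of the 59 lines added to Messages_bn_BD.properties is Bengali; every value is the same English text that appears in the other locale files in this patch. A Java ResourceBundle already falls back to the base bundle for a key missing from a locale file, so these copies add nothing for bn_BD users and will go stale if the English source is later edited; the `Messages_bs_BA`, `Messages_da_DK` and `Messages_el_GR` hunks below have exactly the same content and the same issue. If the translation pipeline intentionally fills untranslated keys with the source text, say so in the PR description; otherwise drop the untranslated keys. Two style points in the English text itself, to fix at the source: `Disables the script with the given name`, `Enables the script with the given name`, `Removes the script with the given name`, `Runs the stand alone script with the given name` and `Lists the script engines available` lack the trailing period the neighbouring strings have, and `Lists the scripts available, with its engine, name, description, type and error state.` should read `their engine`.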
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ceb_PH.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ceb_PH.properties index 0eba9c753bf..205cb9a576b 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ceb_PH.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ceb_PH.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Dili pagpagana sa script na adunay gihatag na pangalan +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Nagpagana sa script uban sa gihatag na pangalan +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Nag-load sa script ngadto sa ZAP gikan sa gihatag na lokal file, uban sa gihatag na pangalan, tipo ug makita, opsyonal uban sa usa ka paghulagway, ug usa ka charset na pangalan para mobasa sa script (ang charset na pangalan kay nagkinahanglan kung ang script kay dili sa UTF-8, pananglitan, sa ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Nagtangtang sa script na adunay gihatag na pangalan +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Naglista sa script na mga makita na magamit +scripts.api.view.listScripts = Ilista ang mga script na magamit, uban niini ang makina, paghulagway, matang ug kasaypanan nga kahimtang. 
+scripts.api.view.listTypes = Lists the script types available. +scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_da_DK.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_da_DK.properties index 4a76999b385..920db0a7ac7 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_da_DK.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_da_DK.properties 
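Review bot: The Cebuano `scripts.api.view.listScripts` string drops a field: the English text lists `engine, name, description, type and error state`, but `uban niini ang makina, paghulagway, matang ug kasaypanan nga kahimtang` has no word for `name` (`pangalan`, which the same hunk uses in `disable`, `enable` and `remove`). Terminology also shifts within the hunk: `engine` is `makita` in `load` and `listEngines` but `makina` in `listScripts`, and `type` is `tipo` in `load` but `matang` in `listScripts`; pick one rendering of each so the generated API docs read consistently. The remaining keys (`clearGlobal*`, `clearScript*`, `runStandAloneScript`, `setGlobalVar`, `setScriptVar`, `globalCustomVar*`, `globalVar*`, `listTypes` and all `script*Var*` views) are still English, so this file is only partly translated and the untranslated copies shadow the base bundle's fallback for no gain.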
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_de_DE.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_de_DE.properties index d4f1d28232a..c90006b7f1e 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_de_DE.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_de_DE.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey=\ +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName=\ +scripts.api.action.clearScriptVar.param.varKey=\ +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName=\ +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName=\ +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName=\ +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset=\ +scripts.api.action.load.param.fileName=\ +scripts.api.action.load.param.scriptDescription=\ +scripts.api.action.load.param.scriptEngine=\ +scripts.api.action.load.param.scriptName=\ +scripts.api.action.load.param.scriptType=\ +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName=\ +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName=\ +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey=\ +scripts.api.action.setGlobalVar.param.varValue=\ +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName=\ +scripts.api.action.setScriptVar.param.varKey=\ +scripts.api.action.setScriptVar.param.varValue=\ +scripts.api.desc=\ +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey=\ +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName=\ +scripts.api.view.scriptVar.param.varKey=\ +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName=\ + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_el_GR.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_el_GR.properties index 14cf88702c7..9f0f9277cb9 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_el_GR.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_el_GR.properties 
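Review bot: The empty parameter values in Messages_de_DE.properties are written as `key=\` rather than the bare `key=` used by every other locale in this patch (for example `scripts.api.action.clearGlobalVar.param.varKey=\`, `scripts.api.desc=\`, `scripts.api.view.scriptVars.param.scriptName=\`). If that backslash is the last character on the line (trailing whitespace is not visible in the diff), java.util.Properties treats it as a line continuation and folds the next line into the value: `varKey` would load as `scripts.api.action.clearGlobalVars = Clears the global variables.` and the `clearGlobalVars` key would vanish from the bundle, and the same happens for every other `=\` entry and the key that follows it, including `scripts.api.desc=\` swallowing `scripts.api.view.globalCustomVar`. If it is instead `\ ` (an escaped space), the value loads as a single space rather than the empty string the other locales carry. Either way, replace each `=\` with a plain `=` before merging, and check that the Crowdin export is not producing this form for every locale with an empty translation.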
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_es_ES.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_es_ES.properties index 40598c78815..73635de667b 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_es_ES.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_es_ES.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Borra una variable personalizada global. +scripts.api.action.clearGlobalCustomVar.param.varKey = La clave de la variable. +scripts.api.action.clearGlobalVar = Borra la variable global con la clave dada. +scripts.api.action.clearGlobalVar.param.varKey=[cadena vac\u00eda] +scripts.api.action.clearGlobalVars = Borra las variables globales. +scripts.api.action.clearScriptCustomVar = Borra una variable personalizada del script. +scripts.api.action.clearScriptCustomVar.param.scriptName = El nombre del script. +scripts.api.action.clearScriptCustomVar.param.varKey = La clave de la variable. +scripts.api.action.clearScriptVar = Borra la variable con la clave dada del script dado. Devuelve un error de API (DOES_NOT_EXIST) si no existe ning\u00fan script con el nombre proporcionado. +scripts.api.action.clearScriptVar.param.scriptName=[cadena vac\u00eda] +scripts.api.action.clearScriptVar.param.varKey=[cadena vac\u00eda] +scripts.api.action.clearScriptVars = Borra las variables del script dado. Devuelve un error de API (DOES_NOT_EXIST) si no existe ning\u00fan script con el nombre proporcionado. +scripts.api.action.clearScriptVars.param.scriptName=[cadena vac\u00eda] +scripts.api.action.disable = Inhabilta la secuencia de comandos con el nombre de pila +scripts.api.action.disable.param.scriptName=[cadena vac\u00eda] +scripts.api.action.enable = Activa la secuencia de comandos con el nombre pila +scripts.api.action.enable.param.scriptName=[cadena vac\u00eda] +scripts.api.action.load = Carga un archivo de \u00f3rdenes en ZAP desde el archivo local que fue proporcionado, con el nombre, tipo y motor porporcionado, opcionalmente con una descripci\u00f3n, y un nombre de conjunto de caracteres para leer el archivo de \u00f3rdenes (el nombre del conjunto de caracteres es obligatorio si el archivo de \u00f3rden no se encuentra en UTF-8, por ejemplo, en ISO-8859-1). 
+scripts.api.action.load.param.charset=[cadena vac\u00eda] +scripts.api.action.load.param.fileName=[cadena vac\u00eda] +scripts.api.action.load.param.scriptDescription=[cadena vac\u00eda] +scripts.api.action.load.param.scriptEngine=[cadena vac\u00eda] +scripts.api.action.load.param.scriptName=[cadena vac\u00eda] +scripts.api.action.load.param.scriptType=[cadena vac\u00eda] +scripts.api.action.remove = Suprimir la secuencia de comandos con el nombre de pila +scripts.api.action.remove.param.scriptName=[cadena vac\u00eda] +scripts.api.action.runStandAloneScript = Ejecuta el script independiente con el nombre dado +scripts.api.action.runStandAloneScript.param.scriptName=[cadena vac\u00eda] +scripts.api.action.setGlobalVar = Establece el valor de la variable global con la clave dada. +scripts.api.action.setGlobalVar.param.varKey=[cadena vac\u00eda] +scripts.api.action.setGlobalVar.param.varValue=[cadena vac\u00eda] +scripts.api.action.setScriptVar = Establece el valor de la variable con la clave dada del script dado. Devuelve un error de API (DOES_NOT_EXIST) si no existe ning\u00fan script con el nombre proporcionado. +scripts.api.action.setScriptVar.param.scriptName=[cadena vac\u00eda] +scripts.api.action.setScriptVar.param.varKey=[cadena vac\u00eda] +scripts.api.action.setScriptVar.param.varValue=[cadena vac\u00eda] +scripts.api.desc=[cadena vac\u00eda] +scripts.api.view.globalCustomVar = Obtiene el valor (representaci\u00f3n de cadena) de una variable personalizada global. Devuelve un error de API (DOES_NOT_EXIST) si no se estableci\u00f3 ning\u00fan valor previamente. +scripts.api.view.globalCustomVar.param.varKey = La clave de la variable. +scripts.api.view.globalCustomVars = Obtiene todas las variables personalizadas globales (pares clave/valor, el valor es la representaci\u00f3n de un string). +scripts.api.view.globalVar = Obtiene el valor de la variable global con la clave dada. 
Devuelve un error de API (DOES_NOT_EXIST) si no se estableci\u00f3 ning\u00fan valor previamente. +scripts.api.view.globalVar.param.varKey=[cadena vac\u00eda] +scripts.api.view.globalVars = Obtiene todas las variables globales (pares clave/valor). +scripts.api.view.listEngines = Menciona todos los motores de archivos de \u00f3rdenes disponibles +scripts.api.view.listScripts = Lista los scripts disponibles, con su motor, nombre, descripci\u00f3n, tipo y estado de error. +scripts.api.view.listTypes = Enumera los tipos de script disponibles. +scripts.api.view.scriptCustomVar = Obtiene el valor (representado como un string) de una variable personalizada. Devuelve un error de API (DOES_NOT_EXIST) si no existe ning\u00fan script con el nombre dado o si no se estableci\u00f3 ning\u00fan valor previamente. +scripts.api.view.scriptCustomVar.param.scriptName = El nombre del script. +scripts.api.view.scriptCustomVar.param.varKey = La clave de la variable. +scripts.api.view.scriptCustomVars = Obtiene todas las variables personalizadas (pares clave/valor, el valor se representa como un string) de un script. Devuelve un error de API (DOES_NOT_EXIST) si no existe ning\u00fan script con el nombre dado. +scripts.api.view.scriptCustomVars.param.scriptName = El nombre del script. +scripts.api.view.scriptVar = Obtiene el valor de la variable con la clave dada para el script dado. Devuelve un error de API (DOES_NOT_EXIST) si no existe ning\u00fan script con el nombre dado o si no se estableci\u00f3 ning\u00fan valor previamente. +scripts.api.view.scriptVar.param.scriptName=[cadena vac\u00eda] +scripts.api.view.scriptVar.param.varKey=[cadena vac\u00eda] +scripts.api.view.scriptVars = Obtiene todas las variables (pares clave/valor) del script dado. Devuelve un error de API (DOES_NOT_EXIST) si no existe ning\u00fan script con el nombre dado. 
+scripts.api.view.scriptVars.param.scriptName=[cadena vac\u00eda] + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Acci\u00f3n\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fa_IR.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fa_IR.properties index ac12c7731fe..48d184a2294 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fa_IR.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fa_IR.properties 
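Review bot: in the es_ES hunk above, every parameter that is empty in the other locales carries the literal value `[cadena vac\u00eda]` ("[empty string]"), e.g. `scripts.api.action.clearGlobalVar.param.varKey=[cadena vac\u00eda]` and `scripts.api.desc=[cadena vac\u00eda]`; this looks like the translation tool's empty-string placeholder translated as if it were content, and it will be shown verbatim as the parameter description in the Spanish API UI. These should be plain empty values (`key=`) as in the other locales. Also, `scripts.api.action.disable = Inhabilta la secuencia de comandos con el nombre de pila` has a typo ("Inhabilta" for "Inhabilita") and "nombre de pila" means a person's first name rather than "the given name" (same in `enable` and `remove`), and `porporcionado` in `scripts.api.action.load` should be `proporcionado`.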
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fil_PH.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fil_PH.properties index edb91c1aa78..32be9809ca9 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fil_PH.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fil_PH.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Ang hindi pinagana na script sa ibinigay na pangalan +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Pinapagana ang script sa ibinigay na pangalan +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Nag lo\=load ng isang script tungo sa ZAP mula sa ibinigay na lokal na file, na may ibinigay na pangalan, uri at engine, opsyonal na may isang deskripsyon, at isang pangalan ng charset para basahin ang script (ang pangalan ng charset ay kailangan kung ang script ay hindi nasa UTF-8, para sa halimbawa, sa ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Tinatanggal ang script sa ibinigay na pangalan +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Inililista ang magagamit na mga script engine +scripts.api.view.listScripts = Inililista ang mga script na magagamit, kasama ang makina nito, deskripsyon, uri at estado ng kamalian. 
+scripts.api.view.listTypes = Lists the script types available. +scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fr_FR.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fr_FR.properties index 5e88799f7bf..3b169c7a343 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fr_FR.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_fr_FR.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey=\ +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName=\ +scripts.api.action.clearScriptVar.param.varKey=\ +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. 
+scripts.api.action.clearScriptVars.param.scriptName=\ +scripts.api.action.disable = D\u00e9sactive le script avec le nom donn\u00e9 +scripts.api.action.disable.param.scriptName=\ +scripts.api.action.enable = Active le script avec le nom donn\u00e9 +scripts.api.action.enable.param.scriptName=\ +scripts.api.action.load = Charge un script dans ZAP \u00e0 partir du fichier local donn\u00e9, avec le nom, le type et le moteur, en option avec une description +scripts.api.action.load.param.charset=\ +scripts.api.action.load.param.fileName=\ +scripts.api.action.load.param.scriptDescription=\ +scripts.api.action.load.param.scriptEngine=\ +scripts.api.action.load.param.scriptName=\ +scripts.api.action.load.param.scriptType=\ +scripts.api.action.remove = Supprime le script avec le nom donn\u00e9 +scripts.api.action.remove.param.scriptName=\ +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName=\ +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey=\ +scripts.api.action.setGlobalVar.param.varValue=\ +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName=\ +scripts.api.action.setScriptVar.param.varKey=\ +scripts.api.action.setScriptVar.param.varValue=\ +scripts.api.desc=\ +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). 
+scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey=\ +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = R\u00e9pertorie les moteurs de script disponibles +scripts.api.view.listScripts = R\u00e9pertorie les scripts disponibles, avec leur moteur, nom, description, type et statut d'erreur. +scripts.api.view.listTypes = Lists the script types available. +scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName=\ +scripts.api.view.scriptVar.param.varKey=\ +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName=\ + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: 
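Review bot: the fr_FR hunk ends each empty parameter value with a bare trailing backslash (`scripts.api.action.clearGlobalVar.param.varKey=\`, `scripts.api.desc=\`, and the other `.param.*` keys); in Java .properties a backslash at the end of a line is a line continuation, so unless an escaped trailing space follows it, each of these keys will absorb the following `scripts.api...` line as its value and that next key will be missing from the loaded bundle. Use plain empty values (`key=`) as the other locales in this patch do. Separately, `scripts.api.action.load = Charge un script dans ZAP \u00e0 partir du fichier local donn\u00e9, avec le nom, le type et le moteur, en option avec une description` drops the charset clause present in the English source (the charset name required when the script is not UTF-8), so the French description no longer documents the `charset` parameter.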
diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ha_HG.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ha_HG.properties index d2f3c6240a9..ed1b0b73c4c 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ha_HG.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ha_HG.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_he_IL.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_he_IL.properties index 04dd399db0e..d59a3ddbb84 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_he_IL.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_he_IL.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hi_IN.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hi_IN.properties index 1fd3f4639e2..f20e9e6859a 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hi_IN.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hi_IN.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hr_HR.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hr_HR.properties index 82d68ad92d9..b4d98004e0a 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hr_HR.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hr_HR.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hu_HU.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hu_HU.properties index f25042a7e5c..ba9472119ad 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hu_HU.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_hu_HU.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Adott nev\u0171 szkript tilt\u00e1sa +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_id_ID.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_id_ID.properties index c865f16aed6..6f33f76b648 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_id_ID.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_id_ID.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Nonaktifkan skrip dengan nama yang diberikan +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Mengaktifkan script dengan nama yang diberikan +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Muat skrip ke ZAP dari file lokal yang diberikan, dengan nama, jenis dan mesin yang diberikan, opsional dengan deskripsi, dan nama charset untuk membaca skrip (nama charset diperlukan jika skrip tidak ada dalam UTF-8, untuk Contohnya, dalam ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Menghapus script dengan nama yang diberikan +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Daftar mesin skrip yang tersedia +scripts.api.view.listScripts = Daftar skrip yang tersedia, dengan status mesin, nama, deskripsi, jenis dan kesalahannya. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_it_IT.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_it_IT.properties index 8c7a8b3e45d..8ea7c359a01 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_it_IT.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_it_IT.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. 
+scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disabilita lo script con il nome selezionato +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Abilita lo script con il nome selezionato +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Carica uno script in ZAP dal file locale fornito, con i dati (nome, tipo e motore) forniti, oltre ad una descrizione opzionale +scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Rimuove lo script con il nome fornito +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. 
Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Elenca i motori di scripting disponibili +scripts.api.view.listScripts = Elenca gli script disponibili, con il loro motore, nome, descrizione, tipo e stato di errore. +scripts.api.view.listTypes = Lists the script types available. +scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: 
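Review bot: The Italian `scripts.api.action.load` value in this hunk is behind the English source used in the neighbouring locales: it ends at `oltre ad una descrizione opzionale` and drops the whole charset clause (`and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1)`), so Italian API users are never told that `charset` must be given for non-UTF-8 files. Either extend the translation to cover the charset parameter or leave the key untranslated so the English text is shown. The six empty `scripts.api.action.load.param.*` keys right below it, and `scripts.api.desc=`, are present keys with empty values; unless the message loader treats an empty string as missing, they shadow the base-bundle descriptions rather than falling back to them, so the API UI would show blank parameter help for Italian.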
diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ja_JP.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ja_JP.properties index a3113c598a1..32003f35693 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ja_JP.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ja_JP.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ko_KR.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ko_KR.properties index ee11c90397e..589e6766d8c 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ko_KR.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ko_KR.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = \uc2a4\ud06c\ub9bd\ud2b8\uc758 \uc774\ub984. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = \uc2a4\ud06c\ub9bd\ud2b8\uc758 \uc774\ub984. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = \uc2a4\ud06c\ub9bd\ud2b8\uc758 \uc774\ub984. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_mk_MK.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_mk_MK.properties index d2f3c6240a9..ed1b0b73c4c 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_mk_MK.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_mk_MK.properties 
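Review bot: the ko_KR hunk above mixes three states for what is the same parameter: `clearScriptCustomVar.param.scriptName` and `scriptCustomVar.param.scriptName` are translated (`\uc2a4\ud06c\ub9bd\ud2b8\uc758 \uc774\ub984.`, i.e. "The name of the script."), `clearScriptVar.param.scriptName=` and `scriptVar.param.scriptName=` are empty, and the endpoint descriptions themselves are untranslated English. A user of the Korean UI will see Korean, blank and English text for adjacent API endpoints. Either keep the file aligned with the translation source (the translated value already exists for this key, so the empty ones can reuse it) or leave all untranslated keys out so the base bundle supplies English consistently. The pl_PL hunk further down shows the same split (`Nazwa skryptu.` next to empty `param.scriptName` keys).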
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ms_MY.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ms_MY.properties index af597ad6ecd..bc337ad7c3e 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ms_MY.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ms_MY.properties 
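Review bot: the English strings copied into the mk_MK hunk above carry wording defects that should be fixed once in the base Messages.properties and re-exported, not patched per locale: `listScripts` says `with its engine, name, description, type and error state` where the subject is plural (`their`); `runStandAloneScript` uses `stand alone` where `stand-alone` is the usual form; and `disable`, `enable`, `remove`, `runStandAloneScript` and `listEngines` lack the trailing period that every other description in the hunk has. Landing the same text in eight locale files before the source is corrected means eight more edits later.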
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_nb_NO.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_nb_NO.properties index 9f6a71d8ce8..a0a44e8cca0 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_nb_NO.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_nb_NO.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_nl_NL.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_nl_NL.properties index d185f14f6b7..81889dadddc 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_nl_NL.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_nl_NL.properties 
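Review bot: the nb_NO hunk above, like the others, adds English source text straight into a locale file. If these `Messages_*.properties` files are exported from a translation platform, hand-added lines will be overwritten on the next export and the empty `.param.*` values will come and go with whatever the platform holds. Confirm that this hunk came from the export pipeline rather than a manual copy of the base file; if it was manual, the change belongs in the base bundle only and the locale files should be left for the exporter.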
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. 
+scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Schakelt het script met de gegeven naam uit +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Schakelt het script met de gegeven naam in +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Laad een script in ZAP uit het gegeven lokale bestand, met de gegeven naam, type en engine, optioneel met een beschrijving +scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Verwijdert het script met de gegeven naam +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. 
Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Toont de beschikbare script engines +scripts.api.view.listScripts = Toont de beschikbare scripts, met hun engine, naam, beschrijving, type en fout status. +scripts.api.view.listTypes = Lists the script types available. +scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automatisering scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: 
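Review bot: the Dutch `scripts.api.action.load` string in the nl_NL hunk above is stale relative to the English source used in the other locale files: it ends at `optioneel met een beschrijving` and omits the charset clause (`and a charset name to read the script (the charset name is required if the script is not in UTF-8 ...)`), so Dutch users are not told about the `charset` parameter that `scripts.api.action.load.param.charset=` is being added for. Re-translate the full sentence, and while doing so change `Laad` to `Laadt` to match the third-person form the neighbouring strings use (`Schakelt`, `Verwijdert`, `Toont`).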
diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pcm_NG.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pcm_NG.properties index c2e3e72bc32..db413fc35c2 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pcm_NG.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pcm_NG.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pl_PL.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pl_PL.properties index 2684b0d94ed..19cdcd4d842 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pl_PL.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pl_PL.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = Nazwa skryptu. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = Nazwa skryptu. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = Nazwa skryptu. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pt_BR.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pt_BR.properties index 4d2135c3325..30ad57ba46e 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pt_BR.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pt_BR.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Limpa uma vari\u00e1vel personalizada global. +scripts.api.action.clearGlobalCustomVar.param.varKey = A chave da vari\u00e1vel. +scripts.api.action.clearGlobalVar = Limpa a vari\u00e1vel global com a chave fornecida. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Limpa as vari\u00e1veis globais. +scripts.api.action.clearScriptCustomVar = Limpa uma vari\u00e1vel personalizada de script. +scripts.api.action.clearScriptCustomVar.param.scriptName = O nome do script. +scripts.api.action.clearScriptCustomVar.param.varKey = A chave da vari\u00e1vel. +scripts.api.action.clearScriptVar = Limpa a vari\u00e1vel com a chave fornecida do script fornecido. Retorna um erro de API (DOES_NOT_EXIST) se nenhum script com o nome fornecido existir. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Limpa as vari\u00e1veis do script fornecido. Retorna um erro de API (DOES_NOT_EXIST) se nenhum script com o nome fornecido existir. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Desativa o script com o nome fornecido +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Ativa o script com o nome fornecido +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Carrega um script no ZAP a partir do arquivo local fornecido, com o nome, tipo e engine fornecidos, opcionalmente com uma descri\u00e7\u00e3o e um nome de conjunto de caracteres para ler o script (o nome do conjunto de caracteres \u00e9 necess\u00e1rio se o script n\u00e3o estiver em UTF-8, por exemplo, em ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Remove o script com o nome fornecido +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Executa o script aut\u00f4nomo com o nome fornecido +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Define o valor da vari\u00e1vel global com a chave fornecida. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Define o valor da vari\u00e1vel com a chave fornecida do script fornecido. Retorna um erro de API (DOES_NOT_EXIST) se nenhum script com o nome fornecido existir. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Obt\u00e9m o valor (representa\u00e7\u00e3o de string) de uma vari\u00e1vel personalizada global. Retorna um erro de API (DOES_NOT_EXIST) se nenhum valor foi definido anteriormente. +scripts.api.view.globalCustomVar.param.varKey = A chave da vari\u00e1vel. +scripts.api.view.globalCustomVars = Obt\u00e9m todas as vari\u00e1veis personalizadas globais (pares de chave / valor, o valor \u00e9 a representa\u00e7\u00e3o da string). +scripts.api.view.globalVar = Obt\u00e9m o valor da vari\u00e1vel global com a chave fornecida. Retorna um erro de API (DOES_NOT_EXIST) se nenhum valor foi definido anteriormente. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Obt\u00e9m todas as vari\u00e1veis globais (pares de chave / valor). 
+scripts.api.view.listEngines = Lista os script engines dispon\u00edveis +scripts.api.view.listScripts = Lista os scripts dispon\u00edveis, com seu engine, nome, descri\u00e7\u00e3o, tipo e estado de erro. +scripts.api.view.listTypes = Lista os tipos de script dispon\u00edveis. +scripts.api.view.scriptCustomVar = Obt\u00e9m o valor (representa\u00e7\u00e3o de string) de uma vari\u00e1vel personalizada. Retorna um erro de API (DOES_NOT_EXIST) se nenhum script com o nome fornecido existir ou se nenhum valor tiver sido definido anteriormente. +scripts.api.view.scriptCustomVar.param.scriptName = O nome do script. +scripts.api.view.scriptCustomVar.param.varKey = A chave da vari\u00e1vel. +scripts.api.view.scriptCustomVars = Obt\u00e9m todas as vari\u00e1veis personalizadas (pares chave / valor, o valor \u00e9 a representa\u00e7\u00e3o da string) de um script. Retorna um erro de API (DOES_NOT_EXIST) se nenhum script com o nome fornecido existir. +scripts.api.view.scriptCustomVars.param.scriptName = O nome do script. +scripts.api.view.scriptVar = Obt\u00e9m o valor da vari\u00e1vel com a chave fornecida para o script fornecido. Retorna um erro de API (DOES_NOT_EXIST) se nenhum script com o nome fornecido existir ou se nenhum valor tiver sido definido anteriormente. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Obt\u00e9m todas as vari\u00e1veis (pares de chave / valor) do script fornecido. Retorna um erro de API (DOES_NOT_EXIST) se nenhum script com o nome fornecido existir. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: 
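Review bot: `scripts.api.view.listEngines = Lista os script engines disponíveis` leaves "script engines" in English while the neighbouring entries translate the same concept (`listTypes` says "tipos de script", `listScripts` says "seu engine", `scripts.api.action.load` says "engine fornecidos"); settle on one rendering of "engine" and use it in all four keys. The translation also carries over the source's mixed punctuation: `Desativa o script com o nome fornecido`, `Ativa o script com o nome fornecido`, `Remove o script com o nome fornecido`, `Executa o script autônomo com o nome fornecido` and `Lista os script engines disponíveis` have no terminal period while every other description in the hunk ends with one. These descriptions are shown to API users, so ending all of them the same way would read more consistently; the same inconsistency exists in the English source, so the fix belongs there first and the translations can follow.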
diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pt_PT.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pt_PT.properties index 6264fb7685d..6af3b45ddc2 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pt_PT.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_pt_PT.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ro_RO.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ro_RO.properties index 9cc7e22acdf..fb883049cb4 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ro_RO.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ro_RO.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ru_RU.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ru_RU.properties index 81536116b10..e731dc02e96 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ru_RU.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ru_RU.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = \u041e\u0447\u0438\u0449\u0430\u0435\u0442 \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u0443\u044e \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0443\u044e \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0443\u044e. +scripts.api.action.clearGlobalCustomVar.param.varKey = \u041a\u043b\u044e\u0447 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439. +scripts.api.action.clearGlobalVar = \u041e\u0447\u0438\u0449\u0430\u0435\u0442 \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u0443\u044e \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0443\u044e \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u043a\u043b\u044e\u0447\u043e\u043c. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = \u041e\u0447\u0438\u0449\u0430\u0435\u0442 \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u044b\u0435 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435. +scripts.api.action.clearScriptCustomVar = \u041e\u0447\u0438\u0449\u0430\u0435\u0442 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0443\u044e \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0443\u044e \u0441\u043a\u0440\u0438\u043f\u0442\u0430. +scripts.api.action.clearScriptCustomVar.param.scriptName = \u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f. +scripts.api.action.clearScriptCustomVar.param.varKey = \u041a\u043b\u044e\u0447 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439. +scripts.api.action.clearScriptVar = \u041e\u0447\u0438\u0449\u0430\u0435\u0442 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0443\u044e \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u043a\u043b\u044e\u0447\u043e\u043c \u0434\u0430\u043d\u043d\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0430. 
\u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = \u041e\u0447\u0438\u0449\u0430\u0435\u0442 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435 \u0434\u0430\u043d\u043d\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0430. \u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442. 
+scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = \u041e\u0442\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = \u0412\u043a\u043b\u044e\u0447\u0430\u0435\u0442 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = \u0417\u0430\u0433\u0440\u0443\u0436\u0430\u0435\u0442 \u0441\u043a\u0440\u0438\u043f\u0442 \u0432 ZAP \u0438\u0437 \u0434\u0430\u043d\u043d\u043e\u0433\u043e \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0430 \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c, \u0442\u0438\u043f\u043e\u043c \u0438 \u0434\u0432\u0438\u0436\u043a\u043e\u043c, \u043d\u0435\u043e\u0431\u044f\u0437\u0430\u0442\u0435\u043b\u044c\u043d\u043e \u0441 \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0435\u043c \u0438 \u0438\u043c\u0435\u043d\u0435\u043c \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438 \u0434\u043b\u044f \u0447\u0442\u0435\u043d\u0438\u044f \u0441\u043a\u0440\u0438\u043f\u0442\u0430 (\u0438\u043c\u044f \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u043a\u0438 \u0442\u0440\u0435\u0431\u0443\u0435\u0442\u0441\u044f, \u0435\u0441\u043b\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u043d\u0435 \u0432 UTF-8, \u0434\u043b\u044f \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440, \u0432 ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = \u0423\u0434\u0430\u043b\u044f\u0435\u0442 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = \u0417\u0430\u043f\u0443\u0441\u043a\u0430\u0435\u0442 \u0430\u0432\u0442\u043e\u043d\u043e\u043c\u043d\u044b\u0439 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = \u0423\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u043e\u0439 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439 \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u043a\u043b\u044e\u0447\u043e\u043c. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = \u0423\u0441\u0442\u0430\u043d\u0430\u0432\u043b\u0438\u0432\u0430\u0435\u0442 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u043a\u043b\u044e\u0447\u043e\u043c \u0434\u0430\u043d\u043d\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0430. 
\u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = \u041f\u043e\u043b\u0443\u0447\u0430\u0435\u0442 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 (\u0441\u0442\u0440\u043e\u043a\u043e\u0432\u043e\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u0435) \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u043e\u0439 \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0435\u043c\u043e\u0439 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439. \u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0440\u0430\u043d\u0435\u0435 \u043d\u0435 \u0431\u044b\u043b\u043e \u0437\u0430\u0434\u0430\u043d\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435. +scripts.api.view.globalCustomVar.param.varKey = \u041a\u043b\u044e\u0447 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439. 
+scripts.api.view.globalCustomVars = \u041f\u043e\u043b\u0443\u0447\u0430\u0435\u0442 \u0432\u0441\u0435 \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044c\u0441\u043a\u0438\u0435 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435 (\u043f\u0430\u0440\u044b \u043a\u043b\u044e\u0447 / \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435, \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u044f\u0432\u043b\u044f\u0435\u0442\u0441\u044f \u0441\u0442\u0440\u043e\u043a\u043e\u0432\u044b\u043c \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c). +scripts.api.view.globalVar = \u041f\u043e\u043b\u0443\u0447\u0430\u0435\u0442 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u043e\u0439 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439 \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u043a\u043b\u044e\u0447\u043e\u043c. \u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0440\u0430\u043d\u0435\u0435 \u043d\u0435 \u0431\u044b\u043b\u043e \u0437\u0430\u0434\u0430\u043d\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = \u041f\u043e\u043b\u0443\u0447\u0430\u0435\u0442 \u0432\u0441\u0435 \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u044b\u0435 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435 (\u043f\u0430\u0440\u044b \u043a\u043b\u044e\u0447 / \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435). 
+scripts.api.view.listEngines = \u041f\u0435\u0440\u0435\u0447\u0438\u0441\u043b\u044f\u0435\u0442 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0435 \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432\u044b\u0435 \u0434\u0432\u0438\u0436\u043a\u0438 +scripts.api.view.listScripts = \u0421\u043f\u0438\u0441\u043e\u043a \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0445 \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432 \u0441 \u0443\u043a\u0430\u0437\u0430\u043d\u0438\u0435\u043c \u0434\u0432\u0438\u0436\u043a\u0430, \u0438\u043c\u0435\u043d\u0438, \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u044f, \u0442\u0438\u043f\u0430 \u0438 \u0441\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u044f \u043e\u0448\u0438\u0431\u043a\u0438. +scripts.api.view.listTypes = \u041f\u0435\u0440\u0435\u0447\u0438\u0441\u043b\u044f\u0435\u0442 \u0434\u043e\u0441\u0442\u0443\u043f\u043d\u044b\u0435 \u0442\u0438\u043f\u044b \u0441\u043a\u0440\u0438\u043f\u0442\u043e\u0432. +scripts.api.view.scriptCustomVar = \u041f\u043e\u043b\u0443\u0447\u0430\u0435\u0442 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 (\u0441\u0442\u0440\u043e\u043a\u043e\u0432\u043e\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u0435) \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0435\u043c\u043e\u0439 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439. \u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0438\u043b\u0438 \u0435\u0441\u043b\u0438 \u0440\u0430\u043d\u0435\u0435 \u043d\u0435 \u0431\u044b\u043b\u043e \u0437\u0430\u0434\u0430\u043d\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435. 
+scripts.api.view.scriptCustomVar.param.scriptName = \u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f. +scripts.api.view.scriptCustomVar.param.varKey = \u041a\u043b\u044e\u0447 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439. +scripts.api.view.scriptCustomVars = \u041f\u043e\u043b\u0443\u0447\u0430\u0435\u0442 \u0432\u0441\u0435 \u043d\u0430\u0441\u0442\u0440\u0430\u0438\u0432\u0430\u0435\u043c\u044b\u0435 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435 (\u043f\u0430\u0440\u044b \u043a\u043b\u044e\u0447 / \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435, \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 - \u0441\u0442\u0440\u043e\u043a\u043e\u0432\u043e\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u0438\u0435) \u0441\u043a\u0440\u0438\u043f\u0442\u0430. \u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442. +scripts.api.view.scriptCustomVars.param.scriptName = \u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u0441\u0446\u0435\u043d\u0430\u0440\u0438\u044f. +scripts.api.view.scriptVar = \u041f\u043e\u043b\u0443\u0447\u0430\u0435\u0442 \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u043e\u0439 \u0441 \u0437\u0430\u0434\u0430\u043d\u043d\u044b\u043c \u043a\u043b\u044e\u0447\u043e\u043c \u0434\u043b\u044f \u0437\u0430\u0434\u0430\u043d\u043d\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0430. 
\u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0438\u043b\u0438 \u0435\u0441\u043b\u0438 \u0440\u0430\u043d\u0435\u0435 \u043d\u0435 \u0431\u044b\u043b\u043e \u0437\u0430\u0434\u0430\u043d\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = \u041f\u043e\u043b\u0443\u0447\u0430\u0435\u0442 \u0432\u0441\u0435 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0435 (\u043f\u0430\u0440\u044b \u043a\u043b\u044e\u0447 / \u0437\u043d\u0430\u0447\u0435\u043d\u0438\u0435) \u0434\u0430\u043d\u043d\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0430. \u0412\u043e\u0437\u0432\u0440\u0430\u0449\u0430\u0435\u0442 \u043e\u0448\u0438\u0431\u043a\u0443 API (DOES_NOT_EXIST), \u0435\u0441\u043b\u0438 \u0441\u043a\u0440\u0438\u043f\u0442 \u0441 \u0434\u0430\u043d\u043d\u044b\u043c \u0438\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0441\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = \u0421\u043a\u0440\u0438\u043f\u0442\u044b \u0410\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u044f scripts.automation.dialog.action = \u0414\u0435\u0439\u0441\u0442\u0432\u0438\u0435\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_si_LK.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_si_LK.properties index 868b58d00e6..ff6b2aff707 100644 
--- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_si_LK.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_si_LK.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sk_SK.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sk_SK.properties index 0ee5463de66..cfeb86ae9b1 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sk_SK.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sk_SK.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sl_SI.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sl_SI.properties index 2b3ea077b3f..32a1fe00d41 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sl_SI.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sl_SI.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sq_AL.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sq_AL.properties index e69ee15d370..d35ac5e1632 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sq_AL.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sq_AL.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sr_CS.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sr_CS.properties index 77f48d528b7..3679eb12e7f 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sr_CS.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sr_CS.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sr_SP.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sr_SP.properties index 0bc1fc387a1..a66fccf7d84 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sr_SP.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_sr_SP.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_tr_TR.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_tr_TR.properties index 673a0554bf4..2d43411be82 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_tr_TR.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_tr_TR.properties 
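Review bot: the parameter descriptions in this hunk are inconsistent, and the empty ones will not fall back to the base bundle. `scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable.` and `scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script.` are documented, while `scripts.api.action.clearGlobalVar.param.varKey=`, `scripts.api.action.setGlobalVar.param.varKey=`, every `scripts.api.action.load.param.*` key and `scripts.api.desc=` are committed with a bare `=`. A key that is present with an empty value is returned by a Java ResourceBundle as the empty string rather than being looked up in the parent bundle, so API clients get blank descriptions for those parameters. Either give them the same wording as the documented siblings or omit the empty keys. Smaller style points in the same hunk: some descriptions end with a full stop (`Clears the global variable with the given key.`) and others do not (`Disables the script with the given name`, `Lists the script engines available`), and `Lists the scripts available, with its engine, name, description, type and error state.` should read `their engine`.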
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Belirtilen isimdeki komut dosyas\u0131n\u0131 devre d\u0131\u015f\u0131 b\u0131rak\u0131r +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Belirtilen isimdeki komut dosyas\u0131n\u0131 etkinle\u015ftirir +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Verilen ad, t\u00fcr ve motor, iste\u011fe ba\u011fl\u0131 olarak bir a\u00e7\u0131klama ve komut dosyas\u0131n\u0131 okumak i\u00e7in bir karakter seti ad\u0131 ile, verilen yerel dosyadan ZAP'e bir komut dosyas\u0131 y\u00fckler. (E\u011fer komut dosyas\u0131 UTF-8 de\u011filse, karakter k\u00fcmesi ad\u0131 gereklidir, \u00d6rnek, ISO-8859-1'de). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Belirtilen isimdeki komut dosyas\u0131n\u0131 kald\u0131r\u0131r +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). 
+scripts.api.view.listEngines = Kullan\u0131labilir komut motorlar\u0131n\u0131n listesi +scripts.api.view.listScripts = Mevcut komut dosyalar\u0131n\u0131, motorlar\u0131, adlar\u0131, a\u00e7\u0131klamalar\u0131, t\u00fcrleri ve hata durumlar\u0131yla listeler. +scripts.api.view.listTypes = Lists the script types available. +scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_uk_UA.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_uk_UA.properties index b848d11f708..f663da6cf5f 100644 
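Review bot: the tr_TR hunk above is only partially translated and is internally inconsistent in the strings that are. `scripts.api.action.load` names the charset as `karakter seti ad\u0131` and, later in the same sentence, as `karakter k\u00fcmesi ad\u0131`; pick one. The parenthetical in that string opens with a capitalised `\u00d6rnek,` ("Example,") mid-sentence where the source reads "for example"; `\u00f6rne\u011fin` fits the sentence. `scripts.api.view.listEngines = Kullan\u0131labilir komut motorlar\u0131n\u0131n listesi` is a noun phrase ("list of available script engines") while its siblings, such as `scripts.api.view.listScripts`, are verb phrases ending in `listeler`. The remaining keys in the hunk (`clearGlobalCustomVar` through `setScriptVar`, and most `scripts.api.view.*` entries) are untranslated English source text.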
--- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_uk_UA.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_uk_UA.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = \u041d\u0430\u0437\u0432\u0430 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = \u041e\u0447\u0438\u0449\u0430\u0454 \u0437\u043c\u0456\u043d\u043d\u0443 \u0437 \u0437\u0430\u0434\u0430\u043d\u0438\u043c \u043a\u043b\u044e\u0447\u0435\u043c \u0437\u0430\u0434\u0430\u043d\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0443. \u041f\u043e\u0432\u0435\u0440\u0442\u0430\u0454 \u043f\u043e\u043c\u0438\u043b\u043a\u0443 API (DOES_NOT_EXIST), \u044f\u043a\u0449\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0443 \u0437 \u0442\u0430\u043a\u0438\u043c \u0456\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0456\u0441\u043d\u0443\u0454. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = \u041e\u0447\u0438\u0449\u0430\u0454 \u0437\u043c\u0456\u043d\u043d\u0456 \u0437\u0430\u0434\u0430\u043d\u043e\u0433\u043e \u0441\u043a\u0440\u0438\u043f\u0442\u0443. \u041f\u043e\u0432\u0435\u0440\u0442\u0430\u0454 \u043f\u043e\u043c\u0438\u043b\u043a\u0443 API (DOES_NOT_EXIST), \u044f\u043a\u0449\u043e \u0441\u043a\u0440\u0438\u043f\u0442 \u0437 \u0442\u0430\u043a\u0438\u043c \u0456\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0456\u0441\u043d\u0443\u0454. 
+scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = \u0412\u0438\u043c\u0438\u043a\u0430\u0454 \u0441\u043a\u0440\u0438\u043f\u0442 \u0456\u0437 \u0437\u0430\u0434\u0430\u043d\u0438\u043c \u0456\u043c'\u044f\u043c +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = \u0412\u043c\u0438\u043a\u0430\u0454 \u0441\u043a\u0440\u0438\u043f\u0442 \u0456\u0437 \u0437\u0430\u0434\u0430\u043d\u0438\u043c \u0456\u043c'\u044f\u043c +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = \u0417\u0430\u0432\u0430\u043d\u0442\u0430\u0436\u0443\u0454 \u0441\u043a\u0440\u0438\u043f\u0442 \u0443 ZAP \u0456\u0437 \u0437\u0430\u0434\u0430\u043d\u043e\u0433\u043e \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u0444\u0430\u0439\u043b\u0443 \u0456\u0437 \u0437\u0430\u0434\u0430\u043d\u043e\u044e \u043d\u0430\u0437\u0432\u043e\u044e, \u0442\u0438\u043f\u043e\u043c \u0456 \u0440\u0443\u0448\u0456\u0454\u043c, \u043d\u0435\u043e\u0431\u043e\u0432'\u044f\u0437\u043a\u043e\u0432\u043e \u0437 \u043e\u043f\u0438\u0441\u043e\u043c \u0456 \u043d\u0430\u0437\u0432\u043e\u044e \u043a\u043e\u0434\u0443\u0432\u0430\u043d\u043d\u044f \u0434\u043b\u044f \u0447\u0438\u0442\u0430\u043d\u043d\u044f \u0441\u043a\u0440\u0438\u043f\u0442\u0443 (\u043d\u0430\u0437\u0432\u0430 \u043a\u043e\u0434\u0443\u0432\u0430\u043d\u043d\u044f \u043f\u043e\u0442\u0440\u0456\u0431\u043d\u0430, \u044f\u043a\u0449\u043e \u0441\u043a\u0440\u0438\u043f\u0442 \u043d\u0435 \u0432 UTF-8, \u043d\u0430\u043f\u0440\u0438\u043a\u043b\u0430\u0434, \u0432 ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = \u0417\u0430\u043f\u0443\u0441\u043a\u0430\u0454 \u043e\u043a\u0440\u0435\u043c\u0438\u0439 \u0441\u043a\u0440\u0438\u043f\u0442 \u0456\u0437 \u0437\u0430\u0434\u0430\u043d\u0438\u043c \u0456\u043c'\u044f\u043c +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = \u0412\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u044e\u0454 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u043e\u0457 \u0437\u043c\u0456\u043d\u043d\u043e\u0457 \u0437 \u0437\u0430\u0434\u0430\u043d\u0438\u043c \u043a\u043b\u044e\u0447\u0435\u043c. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = \u041e\u0442\u0440\u0438\u043c\u0443\u0454 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f (\u0440\u044f\u0434\u043a\u043e\u0432\u0435 \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u044f) \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u043e\u0457 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0446\u044c\u043a\u043e\u0457 \u0437\u043c\u0456\u043d\u043d\u043e\u0457. 
\u041f\u043e\u0432\u0435\u0440\u0442\u0430\u0454 \u043f\u043e\u043c\u0438\u043b\u043a\u0443 API (DOES_NOT_EXIST), \u044f\u043a\u0449\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u043d\u0435 \u0431\u0443\u043b\u043e \u0437\u0430\u0434\u0430\u043d\u043e \u0440\u0430\u043d\u0456\u0448\u0435. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = \u041e\u0442\u0440\u0438\u043c\u0443\u0454 \u0432\u0441\u0456 \u0433\u043b\u043e\u0431\u0430\u043b\u044c\u043d\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0446\u044c\u043a\u0456 \u0437\u043c\u0456\u043d\u043d\u0456 (\u043f\u0430\u0440\u0438 \u043a\u043b\u044e\u0447 \u0430\u0431\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f, \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0454 \u0440\u044f\u0434\u043a\u043e\u0432\u0438\u043c \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u044f\u043c). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. +scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = \u041d\u0430\u0437\u0432\u0430 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. 
+scripts.api.view.scriptCustomVars = \u041e\u0442\u0440\u0438\u043c\u0443\u0454 \u0432\u0441\u0456 \u043a\u043e\u0440\u0438\u0441\u0442\u0443\u0432\u0430\u0446\u044c\u043a\u0456 \u0437\u043c\u0456\u043d\u043d\u0456 (\u043f\u0430\u0440\u0438 \u043a\u043b\u044e\u0447/\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f, \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0454 \u0440\u044f\u0434\u043a\u043e\u0432\u0438\u043c \u043f\u0440\u0435\u0434\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u044f\u043c) \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e. \u041f\u043e\u0432\u0435\u0440\u0442\u0430\u0454 \u043f\u043e\u043c\u0438\u043b\u043a\u0443 API (DOES_NOT_EXIST), \u044f\u043a\u0449\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0439 \u0437 \u0442\u0430\u043a\u0438\u043c \u0456\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0456\u0441\u043d\u0443\u0454. +scripts.api.view.scriptCustomVars.param.scriptName = \u041d\u0430\u0437\u0432\u0430 \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e. +scripts.api.view.scriptVar = \u041e\u0442\u0440\u0438\u043c\u0443\u0454 \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f \u0437\u043c\u0456\u043d\u043d\u043e\u0457 \u0437 \u0437\u0430\u0434\u0430\u043d\u0438\u043c \u043a\u043b\u044e\u0447\u0435\u043c \u0434\u043b\u044f \u0434\u0430\u043d\u043e\u0433\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e. \u041f\u043e\u0432\u0435\u0440\u0442\u0430\u0454 \u043f\u043e\u043c\u0438\u043b\u043a\u0443 API (DOES_NOT_EXIST), \u044f\u043a\u0449\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0439 \u0437 \u0442\u0430\u043a\u0438\u043c \u0456\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0456\u0441\u043d\u0443\u0454 \u0430\u0431\u043e \u044f\u043a\u0449\u043e \u0440\u0430\u043d\u0456\u0448\u0435 \u043d\u0435 \u0431\u0443\u043b\u043e \u0437\u0430\u0434\u0430\u043d\u043e \u0436\u043e\u0434\u043d\u043e\u0433\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f. 
+scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = \u041e\u0442\u0440\u0438\u043c\u0443\u0454 \u0432\u0441\u0456 \u0437\u043c\u0456\u043d\u043d\u0456 (\u043f\u0430\u0440\u0438 \u043a\u043b\u044e\u0447/\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f) \u0437\u0430\u0434\u0430\u043d\u043e\u0433\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e. \u041f\u043e\u0432\u0435\u0440\u0442\u0430\u0454 \u043f\u043e\u043c\u0438\u043b\u043a\u0443 API (DOES_NOT_EXIST), \u044f\u043a\u0449\u043e \u0441\u0446\u0435\u043d\u0430\u0440\u0456\u044e \u0437 \u0442\u0430\u043a\u0438\u043c \u0456\u043c\u0435\u043d\u0435\u043c \u043d\u0435 \u0456\u0441\u043d\u0443\u0454. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = \u0410\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0456\u044f \u0441\u043a\u0440\u0438\u043f\u0442\u0456\u0432 scripts.automation.dialog.action = \u0414\u0456\u044f\: scripts.automation.dialog.inline = \u0423 \u0442\u0435\u043a\u0441\u0442\u0456\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ur_PK.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ur_PK.properties index e5977811f25..2ae0d4230fa 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ur_PK.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_ur_PK.properties 
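Review bot: in the uk_UA hunk, `scripts.api.view.globalCustomVars` renders "key/value pairs" as `\u043f\u0430\u0440\u0438 \u043a\u043b\u044e\u0447 \u0430\u0431\u043e \u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f` (пари ключ або значення, "key or value pairs"), which changes the meaning and contradicts the same phrase in `scripts.api.view.scriptCustomVars` and `scripts.api.view.scriptVars`, where it is `\u043f\u0430\u0440\u0438 \u043a\u043b\u044e\u0447/\u0437\u043d\u0430\u0447\u0435\u043d\u043d\u044f` (пари ключ/значення); the slash form should be used in all three. The hunk also alternates between two words for "script": `scripts.api.action.clearScriptVar` and `scripts.api.action.disable` use `\u0441\u043a\u0440\u0438\u043f\u0442` (скрипт), while `scripts.api.action.clearScriptCustomVar.param.scriptName` and the `scripts.api.view.script*` entries use `\u0441\u0446\u0435\u043d\u0430\u0440\u0456\u0439` (сценарій). Settle on one term across the file, and note that several keys here (`clearGlobalCustomVar`, `remove`, `setScriptVar`, `globalVar`, `listEngines`) are still the English source strings.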
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_vi_VN.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_vi_VN.properties index 5f3fb764abb..9b3f62f5127 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_vi_VN.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_vi_VN.properties 
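Review bot: every string added in this ur_PK hunk is the untranslated English source, for example `scripts.api.action.disable = Disables the script with the given name` and `scripts.api.action.load = Loads a script into ZAP from the given local file, ...`. Because a Java ResourceBundle only falls through to the parent bundle for keys that are absent, committing English copies into a locale file makes the locale look complete while removing the fallback path that would otherwise serve the base text; leaving the keys out until a translation exists gives the same user-visible result with less to maintain. The vi_VN and yo_NG hunks below have the identical issue, and the bare `=` entries (`scripts.api.desc=`, the `.param.*` keys) are empty in all of them.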
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_yo_NG.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_yo_NG.properties index dbc77f5eac5..6d7a25d85e7 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_yo_NG.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_yo_NG.properties 
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = Clears a global custom variable. +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = Clears the global variables. +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = The name of the script. +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = The name of the script. +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = The name of the script. +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_zh_CN.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_zh_CN.properties index 51281879014..94f1449572c 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_zh_CN.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_zh_CN.properties 
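Review bot: several of the new keys in this hunk are added with empty values, e.g. `scripts.api.action.clearGlobalVar.param.varKey=`, `scripts.api.action.load.param.charset=` and `scripts.api.desc=`, while sibling keys such as `scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable.` are filled in. A Java resource bundle treats an empty value as a defined key, so these entries will not fall back to the default bundle and the generated API documentation for this locale will show blank parameter descriptions; either supply the text or leave the empty keys out so the default text is used. Minor style point: `scripts.api.action.disable`, `enable`, `remove`, `runStandAloneScript` and `scripts.api.view.listEngines` lack the trailing period the other descriptions have, and `listScripts` should read "with their engine" rather than "with its engine".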
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = \u6e05\u9664\u5168\u5c40\u81ea\u5b9a\u4e49\u53d8\u91cf\u3002 +scripts.api.action.clearGlobalCustomVar.param.varKey = \u53d8\u91cf\u7684\u952e\u3002 +scripts.api.action.clearGlobalVar = \u6e05\u9664\u7ed9\u5b9a\u952e\u7684\u5168\u5c40\u53d8\u91cf\u3002 +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = \u6e05\u9664\u5168\u5c40\u53d8\u91cf\u3002 +scripts.api.action.clearScriptCustomVar = \u6e05\u9664\u811a\u672c\u81ea\u5b9a\u4e49\u53d8\u91cf\u3002 +scripts.api.action.clearScriptCustomVar.param.scriptName = \u811a\u672c\u540d\u79f0\u3002 +scripts.api.action.clearScriptCustomVar.param.varKey = \u53d8\u91cf\u7684\u952e\u3002 +scripts.api.action.clearScriptVar = \u4f7f\u7528\u7ed9\u5b9a\u811a\u672c\u7684\u7ed9\u5b9a\u952e\u6e05\u9664\u53d8\u91cf\u3002 \u5982\u679c\u4e0d\u5b58\u5728\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = \u6e05\u9664\u7ed9\u5b9a\u811a\u672c\u7684\u53d8\u91cf\u3002 \u5982\u679c\u4e0d\u5b58\u5728\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = \u7981\u7528\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = \u542f\u7528\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = \u4ece\u7ed9\u5b9a\u7684\u672c\u5730\u6587\u4ef6\u52a0\u8f7d\u811a\u672c\u5230 
ZAP\uff0c\u5177\u6709\u7ed9\u5b9a\u7684\u540d\u79f0\u3001\u7c7b\u578b\u548c\u5f15\u64ce\uff0c\u53ef\u9009\u7684\u63cf\u8ff0\uff0c\u4ee5\u53ca\u7528\u4e8e\u8bfb\u53d6\u811a\u672c\u7684\u5b57\u7b26\u96c6\u540d\u79f0\uff08\u5982\u679c\u811a\u672c\u4e0d\u662f UTF-8\uff0c\u5219\u9700\u8981\u5b57\u7b26\u96c6\u540d\u79f0\uff0c\u4f8b\u5982 ISO-8859-1 \u683c\u5f0f\uff09\u3002 +scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = \u79fb\u9664\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = \u8fd0\u884c\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u72ec\u7acb\u811a\u672c +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = \u4f7f\u7528\u7ed9\u5b9a\u952e\u8bbe\u7f6e\u5168\u5c40\u53d8\u91cf\u7684\u503c\u3002 +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = \u4f7f\u7528\u7ed9\u5b9a\u811a\u672c\u7684\u7ed9\u5b9a\u952e\u8bbe\u7f6e\u53d8\u91cf\u7684\u503c\u3002 \u5982\u679c\u4e0d\u5b58\u5728\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = \u83b7\u53d6\u5168\u5c40\u81ea\u5b9a\u4e49\u53d8\u91cf\u7684\u503c\uff08\u5b57\u7b26\u4e32\u8868\u793a\u5f62\u5f0f\uff09\u3002 \u5982\u679c\u4e4b\u524d\u672a\u8bbe\u7f6e\u4efb\u4f55\u503c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.view.globalCustomVar.param.varKey = \u53d8\u91cf\u7684\u952e\u3002 
+scripts.api.view.globalCustomVars = \u83b7\u53d6\u6240\u6709\u5168\u5c40\u81ea\u5b9a\u4e49\u53d8\u91cf\uff08\u952e/\u503c\u5bf9\uff0c\u503c\u4e3a\u5b57\u7b26\u4e32\u8868\u793a\uff09\u3002 +scripts.api.view.globalVar = \u83b7\u53d6\u5177\u6709\u7ed9\u5b9a\u952e\u7684\u5168\u5c40\u53d8\u91cf\u7684\u503c\u3002 \u5982\u679c\u4e4b\u524d\u672a\u8bbe\u7f6e\u4efb\u4f55\u503c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = \u83b7\u53d6\u6240\u6709\u5168\u5c40\u53d8\u91cf\uff08\u952e/\u503c\u5bf9\uff09\u3002 +scripts.api.view.listEngines = \u5217\u51fa\u53ef\u7528\u7684\u811a\u672c\u5f15\u64ce +scripts.api.view.listScripts = \u5217\u51fa\u53ef\u7528\u7684\u811a\u672c\uff0c\u53ca\u5176\u5f15\u64ce\u3001\u540d\u79f0\u3001\u63cf\u8ff0\u3001\u7c7b\u578b\u548c\u9519\u8bef\u72b6\u6001\u3002 +scripts.api.view.listTypes = \u5217\u51fa\u53ef\u7528\u7684\u811a\u672c\u7c7b\u578b\u3002 +scripts.api.view.scriptCustomVar = \u83b7\u53d6\u81ea\u5b9a\u4e49\u53d8\u91cf\u7684\u503c\uff08\u5b57\u7b26\u4e32\u8868\u793a\u5f62\u5f0f\uff09\u3002 \u5982\u679c\u4e0d\u5b58\u5728\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c\u6216\u4e4b\u524d\u672a\u8bbe\u7f6e\u4efb\u4f55\u503c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.view.scriptCustomVar.param.scriptName = \u811a\u672c\u540d\u79f0\u3002 +scripts.api.view.scriptCustomVar.param.varKey = \u53d8\u91cf\u7684\u952e\u3002 +scripts.api.view.scriptCustomVars = \u83b7\u53d6\u811a\u672c\u7684\u6240\u6709\u81ea\u5b9a\u4e49\u53d8\u91cf\uff08\u952e/\u503c\u5bf9\uff0c\u503c\u4e3a\u5b57\u7b26\u4e32\u8868\u793a\uff09\u3002 \u5982\u679c\u4e0d\u5b58\u5728\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.view.scriptCustomVars.param.scriptName = \u811a\u672c\u540d\u79f0\u3002 +scripts.api.view.scriptVar = 
\u83b7\u53d6\u5177\u6709\u7ed9\u5b9a\u811a\u672c\u7684\u7ed9\u5b9a\u952e\u7684\u53d8\u91cf\u503c\u3002 \u5982\u679c\u4e0d\u5b58\u5728\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c\u6216\u4e4b\u524d\u672a\u8bbe\u7f6e\u4efb\u4f55\u503c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = \u83b7\u53d6\u7ed9\u5b9a\u811a\u672c\u7684\u6240\u6709\u53d8\u91cf\uff08\u952e/\u503c\u5bf9\uff09\u3002 \u5982\u679c\u4e0d\u5b58\u5728\u5177\u6709\u7ed9\u5b9a\u540d\u79f0\u7684\u811a\u672c\uff0c\u5219\u8fd4\u56de API \u9519\u8bef (DOES_NOT_EXIST)\u3002 +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = \u811a\u672c\u81ea\u52a8\u5316 scripts.automation.dialog.action = \u64cd\u4f5c\uff1a scripts.automation.dialog.inline = \u5185\u8054\uff1a diff --git a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_zh_TW.properties b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_zh_TW.properties index cd7015bbc6d..b28307b4587 100644 --- a/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_zh_TW.properties +++ b/addOns/scripts/src/main/resources/org/zaproxy/zap/extension/scripts/resources/Messages_zh_TW.properties 
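Review bot: the zh_CN hunk carries the same empty `.param.*` entries and `scripts.api.desc=` as the other locale files (e.g. `scripts.api.action.setGlobalVar.param.varKey=`), so the parameter descriptions will render blank here as well instead of falling back to the default bundle. The translated sentences also keep an ASCII space after the full-width period (`\u3002 \u5982\u679c...`), a leftover of the English sentence spacing that is unusual in Chinese text and could be dropped.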
@@ -1,3 +1,59 @@ +scripts.api.action.clearGlobalCustomVar = \u6e05\u9664\u5168\u57df\u81ea\u8a02\u8b8a\u6578\u3002 +scripts.api.action.clearGlobalCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearGlobalVar = Clears the global variable with the given key. +scripts.api.action.clearGlobalVar.param.varKey= +scripts.api.action.clearGlobalVars = \u6e05\u9664\u5168\u57df\u8b8a\u6578\u3002 +scripts.api.action.clearScriptCustomVar = Clears a script custom variable. +scripts.api.action.clearScriptCustomVar.param.scriptName = \u6307\u4ee4\u78bc\u540d\u7a31\u3002 +scripts.api.action.clearScriptCustomVar.param.varKey = The key of the variable. +scripts.api.action.clearScriptVar = Clears the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVar.param.scriptName= +scripts.api.action.clearScriptVar.param.varKey= +scripts.api.action.clearScriptVars = Clears the variables of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.clearScriptVars.param.scriptName= +scripts.api.action.disable = Disables the script with the given name +scripts.api.action.disable.param.scriptName= +scripts.api.action.enable = Enables the script with the given name +scripts.api.action.enable.param.scriptName= +scripts.api.action.load = Loads a script into ZAP from the given local file, with the given name, type and engine, optionally with a description, and a charset name to read the script (the charset name is required if the script is not in UTF-8, for example, in ISO-8859-1). 
+scripts.api.action.load.param.charset= +scripts.api.action.load.param.fileName= +scripts.api.action.load.param.scriptDescription= +scripts.api.action.load.param.scriptEngine= +scripts.api.action.load.param.scriptName= +scripts.api.action.load.param.scriptType= +scripts.api.action.remove = Removes the script with the given name +scripts.api.action.remove.param.scriptName= +scripts.api.action.runStandAloneScript = Runs the stand alone script with the given name +scripts.api.action.runStandAloneScript.param.scriptName= +scripts.api.action.setGlobalVar = Sets the value of the global variable with the given key. +scripts.api.action.setGlobalVar.param.varKey= +scripts.api.action.setGlobalVar.param.varValue= +scripts.api.action.setScriptVar = Sets the value of the variable with the given key of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.action.setScriptVar.param.scriptName= +scripts.api.action.setScriptVar.param.varKey= +scripts.api.action.setScriptVar.param.varValue= +scripts.api.desc= +scripts.api.view.globalCustomVar = Gets the value (string representation) of a global custom variable. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalCustomVar.param.varKey = The key of the variable. +scripts.api.view.globalCustomVars = Gets all the global custom variables (key/value pairs, the value is the string representation). +scripts.api.view.globalVar = Gets the value of the global variable with the given key. Returns an API error (DOES_NOT_EXIST) if no value was previously set. +scripts.api.view.globalVar.param.varKey= +scripts.api.view.globalVars = Gets all the global variables (key/value pairs). +scripts.api.view.listEngines = Lists the script engines available +scripts.api.view.listScripts = Lists the scripts available, with its engine, name, description, type and error state. +scripts.api.view.listTypes = Lists the script types available. 
+scripts.api.view.scriptCustomVar = Gets the value (string representation) of a custom variable. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptCustomVar.param.scriptName = \u6307\u4ee4\u78bc\u540d\u7a31\u3002 +scripts.api.view.scriptCustomVar.param.varKey = The key of the variable. +scripts.api.view.scriptCustomVars = Gets all the custom variables (key/value pairs, the value is the string representation) of a script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptCustomVars.param.scriptName = \u6307\u4ee4\u78bc\u540d\u7a31\u3002 +scripts.api.view.scriptVar = Gets the value of the variable with the given key for the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists or if no value was previously set. +scripts.api.view.scriptVar.param.scriptName= +scripts.api.view.scriptVar.param.varKey= +scripts.api.view.scriptVars = Gets all the variables (key/value pairs) of the given script. Returns an API error (DOES_NOT_EXIST) if no script with the given name exists. +scripts.api.view.scriptVars.param.scriptName= + scripts.automation.desc = Scripts Automation scripts.automation.dialog.action = Action\: scripts.automation.dialog.inline = Inline\: diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ar_SA/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ar_SA/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ar_SA/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ar_SA/contents/webdriverlinux.html @@ -9,7 +9,7 @@
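Review bot: the zh_TW hunk is only partially translated: `scripts.api.action.clearGlobalCustomVar`, `clearGlobalVars` and the `scriptName` parameter descriptions carry Traditional Chinese text, while the neighbouring `scripts.api.action.clearGlobalVar = Clears the global variable with the given key.` and most other descriptions are still English, so the zh_TW API documentation will alternate between the two languages line by line. Prefer completing the translation or omitting the untranslated keys so they fall back to the default bundle; the empty `.param.*` values and `scripts.api.desc=` have the same fallback problem noted for the other locale files.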

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_az_AZ/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_az_AZ/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_az_AZ/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_az_AZ/contents/webdriverlinux.html @@ -9,7 +9,7 @@
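Review bot: the ChromeDriver version shown to users here (127.0.6533.72, with geckodriver left at 0.34.0) should be checked against the driver the add-on build actually downloads or bundles, since the help page is the only version indication a user sees and this hunk touches the help text alone. The identical hunk is repeated below for every locale copy of webdriverlinux.html (az_AZ, bs_BA, da_DK and so on), all of which still carry the English wording, so this number has to be kept in sync across a dozen files by hand; generating it from a single source would keep the copies from drifting.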

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_bs_BA/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_bs_BA/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_bs_BA/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_bs_BA/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_da_DK/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_da_DK/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_da_DK/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_da_DK/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_de_DE/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_de_DE/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_de_DE/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_de_DE/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_el_GR/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_el_GR/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_el_GR/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_el_GR/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_es_ES/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_es_ES/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_es_ES/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_es_ES/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fa_IR/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fa_IR/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fa_IR/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fa_IR/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fil_PH/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fil_PH/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fil_PH/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fil_PH/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fr_FR/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fr_FR/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fr_FR/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_fr_FR/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_hi_IN/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_hi_IN/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_hi_IN/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_hi_IN/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_hu_HU/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_hu_HU/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_hu_HU/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_hu_HU/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_id_ID/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_id_ID/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_id_ID/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_id_ID/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_it_IT/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_it_IT/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_it_IT/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_it_IT/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ja_JP/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ja_JP/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ja_JP/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ja_JP/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ms_MY/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ms_MY/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ms_MY/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ms_MY/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_pl_PL/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_pl_PL/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_pl_PL/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_pl_PL/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_pt_BR/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_pt_BR/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_pt_BR/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_pt_BR/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ro_RO/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ro_RO/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ro_RO/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ro_RO/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ru_RU/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ru_RU/contents/webdriverlinux.html index 06dbbcae726..4cd1ab4c74f 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ru_RU/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ru_RU/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Веб-драйверы Linux

                                                                                                  Надстройка Linux WebDrivers предоставляет веб-драйверы для следующих браузеров:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
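Review bot: the Russian page carries its own blob ids (06dbbcae726..4cd1ab4c74f) rather than the 85fb053dd27..9dd95bee8d7 shared by the other locales, so it is a genuinely translated file and the version bump had to be applied to it separately; the edited bullet still matches the other locales (ChromeDriver 127.0.6533.72, geckodriver 0.34.0 unchanged) and the browser and driver identifiers are correctly left untranslated, so no change requested, but this is the copy most likely to be missed on the next bump.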
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_sr_CS/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_sr_CS/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_sr_CS/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_sr_CS/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_tr_TR/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_tr_TR/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_tr_TR/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_tr_TR/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ur_PK/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ur_PK/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ur_PK/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_ur_PK/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_zh_CN/contents/webdriverlinux.html b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_zh_CN/contents/webdriverlinux.html index 85fb053dd27..9dd95bee8d7 100644 --- a/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_zh_CN/contents/webdriverlinux.html +++ b/addOns/webdrivers/webdriverlinux/src/main/javahelp/org/zaproxy/zap/extension/webdriverlinux/resources/help_zh_CN/contents/webdriverlinux.html @@ -9,7 +9,7 @@

                                                                                                  Linux WebDrivers

                                                                                                  The Linux WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ar_SA/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ar_SA/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ar_SA/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ar_SA/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
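Review bot: the MacOS WebDrivers page records the same ChromeDriver bump (126.0.6478.182 to 127.0.6533.72) with geckodriver 0.34.0 unchanged, exactly as the Linux page does; since each platform add-on ships its own driver build, confirm the macOS artifact was updated to the same version and not only the help text. As with the Linux locales, the identical blob ids 327357b3214..41502c879f1 across ar_SA, az_AZ, bs_BA and the following copies show untranslated duplicates that all receive the same edit.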
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_az_AZ/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_az_AZ/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_az_AZ/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_az_AZ/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_bs_BA/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_bs_BA/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_bs_BA/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_bs_BA/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_da_DK/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_da_DK/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_da_DK/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_da_DK/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_de_DE/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_de_DE/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_de_DE/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_de_DE/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_el_GR/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_el_GR/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_el_GR/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_el_GR/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_es_ES/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_es_ES/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_es_ES/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_es_ES/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
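Review bot: the ChromeDriver entry goes from 126.0.6478.182 to 127.0.6533.72 in a help page that is an unchanged copy of the English text, and the identical blob ids (327357b3214..41502c879f1) on every other macOS locale hunk in this patch show the same one-line edit was applied by hand to each copy; consider generating the untranslated locale pages from the English source so a driver bump is a single edit, and state on the line itself which Chrome major the driver targets (a 127.x ChromeDriver only drives Chrome 127), since a driver/browser major mismatch is the usual cause of a failed browser launch that users diagnose from this page.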
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fa_IR/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fa_IR/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fa_IR/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fa_IR/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fil_PH/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fil_PH/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fil_PH/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fil_PH/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fr_FR/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fr_FR/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fr_FR/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_fr_FR/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_hi_IN/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_hi_IN/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_hi_IN/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_hi_IN/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_hu_HU/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_hu_HU/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_hu_HU/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_hu_HU/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_id_ID/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_id_ID/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_id_ID/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_id_ID/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_it_IT/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_it_IT/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_it_IT/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_it_IT/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ja_JP/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ja_JP/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ja_JP/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ja_JP/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ms_MY/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ms_MY/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ms_MY/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ms_MY/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_pl_PL/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_pl_PL/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_pl_PL/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_pl_PL/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_pt_BR/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_pt_BR/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_pt_BR/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_pt_BR/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ro_RO/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ro_RO/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ro_RO/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ro_RO/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ru_RU/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ru_RU/contents/webdrivermacos.html index b564c75e36d..b95a89076a1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ru_RU/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ru_RU/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  Веб-драйверы MacOS

                                                                                                  Надстройка MacOS WebDrivers предоставляет веб-драйверы для следующих браузеров:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
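Review bot: this is the only macOS locale page with its own translated heading and intro, hence its own blob ids (b564c75e36d..b95a89076a1), so it cannot be refreshed by copying the English page and must be kept in sync by hand on every driver bump; leaving the list entries "Chrome - ChromeDriver 127.0.6533.72" and "Firefox - geckodriver 0.34.0" untranslated is correct, as they are product names and version strings users compare against the installed browser.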
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_sr_CS/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_sr_CS/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_sr_CS/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_sr_CS/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_tr_TR/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_tr_TR/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_tr_TR/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_tr_TR/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ur_PK/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ur_PK/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ur_PK/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_ur_PK/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_zh_CN/contents/webdrivermacos.html b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_zh_CN/contents/webdrivermacos.html index 327357b3214..41502c879f1 100644 --- a/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_zh_CN/contents/webdrivermacos.html +++ b/addOns/webdrivers/webdrivermacos/src/main/javahelp/org/zaproxy/zap/extension/webdrivermacos/resources/help_zh_CN/contents/webdrivermacos.html @@ -9,7 +9,7 @@

                                                                                                  MacOS WebDrivers

                                                                                                  The MacOS WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ar_SA/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ar_SA/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ar_SA/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ar_SA/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
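Review bot: the Windows add-on pages carry the same 126.0.6478.182 to 127.0.6533.72 bump and share one blob pair (71b59d426d0..dc168c9c337) across locales, so the macOS and Windows help now both advertise ChromeDriver 127.0.6533.72; the PR should confirm that the driver binaries shipped for both platforms are that exact build, because this help text is what a user checks against the installed Chrome when the browser fails to start, and the bump should appear in each add-on's changelog if it is not already updated elsewhere in this PR.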
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_az_AZ/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_az_AZ/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_az_AZ/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_az_AZ/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_bs_BA/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_bs_BA/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_bs_BA/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_bs_BA/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_da_DK/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_da_DK/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_da_DK/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_da_DK/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_de_DE/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_de_DE/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_de_DE/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_de_DE/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_el_GR/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_el_GR/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_el_GR/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_el_GR/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_es_ES/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_es_ES/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_es_ES/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_es_ES/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fa_IR/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fa_IR/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fa_IR/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fa_IR/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fil_PH/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fil_PH/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fil_PH/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fil_PH/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fr_FR/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fr_FR/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fr_FR/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_fr_FR/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_hi_IN/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_hi_IN/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_hi_IN/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_hi_IN/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_hu_HU/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_hu_HU/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_hu_HU/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_hu_HU/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_id_ID/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_id_ID/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_id_ID/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_id_ID/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_it_IT/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_it_IT/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_it_IT/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_it_IT/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ja_JP/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ja_JP/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ja_JP/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ja_JP/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ms_MY/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ms_MY/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ms_MY/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ms_MY/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_pl_PL/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_pl_PL/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_pl_PL/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_pl_PL/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_pt_BR/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_pt_BR/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_pt_BR/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_pt_BR/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ro_RO/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ro_RO/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ro_RO/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ro_RO/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ru_RU/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ru_RU/contents/webdriverwindows.html index f13d1e39fad..d9a86751975 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ru_RU/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ru_RU/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Веб-драйверы Windows

                                                                                                  Надстройка Windows WebDrivers предоставляет веб-драйверы для следующих браузеров:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
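Review bot: this Russian help page has its own blob index (f13d1e39fad..d9a86751975, unlike the 71b59d426d0..dc168c9c337 shared by the other locale files) because its heading and intro are translated, while the driver list items remain the English "Chrome - ChromeDriver 127.0.6533.72" and "Firefox - geckodriver 0.34.0" lines; make sure any script or template that propagates the version bump matches on the list items rather than on the whole file, so that translated pages like this one are not skipped when only the untranslated files are identical.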
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_sr_CS/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_sr_CS/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_sr_CS/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_sr_CS/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_tr_TR/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_tr_TR/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_tr_TR/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_tr_TR/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
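Review bot: this hunk is byte-identical to the sr_CS one (same blob ids 71b59d426d0..dc168c9c337) and the "localized" page is untranslated English, so every driver bump has to be repeated once per locale directory; consider generating these per-locale copies from the single English source at build time, or substituting the driver versions from one property, so a future bump cannot leave one locale stale.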
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ur_PK/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ur_PK/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ur_PK/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_ur_PK/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
                                                                                                  diff --git a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_zh_CN/contents/webdriverwindows.html b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_zh_CN/contents/webdriverwindows.html index 71b59d426d0..dc168c9c337 100644 --- a/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_zh_CN/contents/webdriverwindows.html +++ b/addOns/webdrivers/webdriverwindows/src/main/javahelp/org/zaproxy/zap/extension/webdriverwindows/resources/help_zh_CN/contents/webdriverwindows.html @@ -9,7 +9,7 @@

                                                                                                  Windows WebDrivers

                                                                                                  The Windows WebDrivers add-on provides WebDrivers for the following browsers:

                                                                                                    -
                                                                                                  • Chrome - ChromeDriver 126.0.6478.182
                                                                                                  • +
                                                                                                  • Chrome - ChromeDriver 127.0.6533.72
                                                                                                  • Firefox - geckodriver 0.34.0
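Review bot: the help text is the only place a user sees the driver version, but nothing in these hunks ties 127.0.6533.72 to the driver the add-on actually fetches or packages; please make sure the packaging or download definition for the Windows ChromeDriver was bumped to exactly 127.0.6533.72 in the same change, otherwise the documented version and the shipped binary drift apart and an incident involving a mismatched driver becomes hard to diagnose.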