2023 03 14 ZAP Report

This ZAP scanning report summarizes the results of a passive scan of the site https://www.iit.org.pk, generated on 14 March 2023. It found a total of 12 alerts: no high-risk issues, 5 medium-risk issues, 4 low-risk issues, and 3 informational issues. The report gives a breakdown of alert counts by risk level and confidence, by site, and by alert type; it then lists each alert with its risk level, confidence, affected URL and alert type, and closes with an appendix describing each alert type (scanner source, CWE/WASC IDs, references).

Uploaded by Muhammad Khan

ZAP Scanning Report

Generated with ZAP on Tue 14 Mar 2023, at 20:45:10

Contents
1. About this report
   1. Report parameters
2. Summaries
   1. Alert counts by risk and confidence
   2. Alert counts by site and risk
   3. Alert counts by alert type
3. Alerts
   1. Risk=Medium, Confidence=High (1)
   2. Risk=Medium, Confidence=Medium (3)
   3. Risk=Medium, Confidence=Low (1)
   4. Risk=Low, Confidence=High (1)
   5. Risk=Low, Confidence=Medium (3)
   6. Risk=Informational, Confidence=Medium (1)
   7. Risk=Informational, Confidence=Low (2)
4. Appendix
   1. Alert types

About this report


Report parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

https://www.iit.org.pk

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: False Positive

Summaries
Alert counts by risk and confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

Risk            Confidence
                User Confirmed   High         Medium       Low          Total
High            0 (0.0%)         0 (0.0%)     0 (0.0%)     0 (0.0%)     0 (0.0%)
Medium          0 (0.0%)         1 (8.3%)     3 (25.0%)    1 (8.3%)     5 (41.7%)
Low             0 (0.0%)         1 (8.3%)     3 (25.0%)    0 (0.0%)     4 (33.3%)
Informational   0 (0.0%)         0 (0.0%)     1 (8.3%)     2 (16.7%)    3 (25.0%)
Total           0 (0.0%)         2 (16.7%)    7 (58.3%)    3 (25.0%)    12 (100%)

Alert counts by site and risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

Site                                            Risk
                                                High (= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
https://www.iit.org.pk   0 (0)           5 (5)                4 (9)          3 (12)

Alert counts by alert type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

Alert type                                        Risk            Count
Absence of Anti-CSRF Tokens                       Medium          5 (41.7%)
Content Security Policy (CSP) Header Not Set      Medium          8 (66.7%)
Cross-Domain Misconfiguration                     Medium          35 (291.7%)
Missing Anti-clickjacking Header                  Medium          5 (41.7%)
Vulnerable JS Library                             Medium          4 (33.3%)
Application Error Disclosure                      Low             3 (25.0%)
Cross-Domain JavaScript Source File Inclusion     Low             10 (83.3%)
Information Disclosure - Debug Error Messages     Low             3 (25.0%)
Strict-Transport-Security Header Not Set          Low             38 (316.7%)
Information Disclosure - Suspicious Comments      Informational   11 (91.7%)
Modern Web Application                            Informational   7 (58.3%)
Re-examine Cache-control Directives               Informational   5 (41.7%)
Total                                                             12

Note on reading this table: the per-type counts sum to 134 and several percentages exceed 100%, while the report total, the two tables above and the Alerts section below all agree on 12 alerts, one per alert type. Each percentage is the per-type count divided by 12, so the per-type figures are evidently not counts of those 12 alerts; the most plausible reading is that they count the request/response instances on which each alert type fired (an inference, since the report does not say so). When counting findings, rely on the Alerts section rather than on this column.

Alerts

1. Risk=Medium, Confidence=High (1)
   1. https://www.iit.org.pk (1)
      1. Content Security Policy (CSP) Header Not Set (1)
         1. GET https://www.iit.org.pk/

2. Risk=Medium, Confidence=Medium (3)
   1. https://www.iit.org.pk (3)
      1. Cross-Domain Misconfiguration (1)
         1. GET https://www.iit.org.pk/
      2. Missing Anti-clickjacking Header (1)
         1. GET https://www.iit.org.pk/
      3. Vulnerable JS Library (1)
         1. GET https://www.iit.org.pk/js/jquery-3.0.0.min.js

3. Risk=Medium, Confidence=Low (1)
   1. https://www.iit.org.pk (1)
      1. Absence of Anti-CSRF Tokens (1)
         1. GET https://www.iit.org.pk/

4. Risk=Low, Confidence=High (1)
   1. https://www.iit.org.pk (1)
      1. Strict-Transport-Security Header Not Set (1)
         1. GET https://www.iit.org.pk/

5. Risk=Low, Confidence=Medium (3)
   1. https://www.iit.org.pk (3)
      1. Application Error Disclosure (1)
         1. GET https://www.iit.org.pk/sitemap.xml
      2. Cross-Domain JavaScript Source File Inclusion (1)
         1. GET https://www.iit.org.pk/
      3. Information Disclosure - Debug Error Messages (1)
         1. GET https://www.iit.org.pk/sitemap.xml

6. Risk=Informational, Confidence=Medium (1)
   1. https://www.iit.org.pk (1)
      1. Modern Web Application (1)
         1. GET https://www.iit.org.pk/

7. Risk=Informational, Confidence=Low (2)
   1. https://www.iit.org.pk (2)
      1. Information Disclosure - Suspicious Comments (1)
         1. GET https://www.iit.org.pk/js/jquery-3.0.0.min.js
      2. Re-examine Cache-control Directives (1)
         1. GET https://www.iit.org.pk/
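Most of the alerts above are decided from the response headers and markup alone, so they can be re-checked offline after a fix without re-running the scanner. The script below is an added example, not part of this ZAP report and not ZAP's own code: it parses a raw HTTP response and returns the alert names, spelled as the report spells them, that the response would trigger for the CSP, anti-clickjacking, HSTS, cross-domain (CORS) misconfiguration, cache-control, cross-domain script inclusion and anti-CSRF-token checks. The checks approximate the corresponding ZAP passive-scan rules rather than reproducing them, the token-name list is a shortened stand-in for ZAP's configurable one, and both sample responses are constructed for illustration, not captured from www.iit.org.pk.

```python
# Added example: offline re-check of the header/markup alerts in this report.
# Not ZAP's code; the rules below approximate ZAP's passive scan rules.
import re
from urllib.parse import urlparse

# Hidden-input names commonly used for anti-CSRF tokens (a short stand-in for
# ZAP's configurable anti-CSRF token list).
CSRF_TOKEN_NAMES = {
    "anticsrf", "csrftoken", "__requestverificationtoken", "csrfmiddlewaretoken",
    "authenticity_token", "csrf_token", "_csrf", "_token", "_csrf_token",
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response (CRLF line endings) into (headers, body).

    Headers are keyed by lower-cased name; repeated headers keep every value.
    """
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def audit_response(raw, site_host, https=True):
    """Return the sorted list of report alert names this response would raise."""
    headers, body = parse_response(raw)
    alerts = set()

    csp = headers.get("content-security-policy", [])
    if not csp:
        alerts.add("Content Security Policy (CSP) Header Not Set")

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors
    # directive both count as protection.
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    frame_ancestors = any("frame-ancestors" in v.lower() for v in csp)
    if not frame_ancestors and xfo not in (["DENY"], ["SAMEORIGIN"]):
        alerts.add("Missing Anti-clickjacking Header")

    # HSTS is only meaningful on an HTTPS response.
    if https and not headers.get("strict-transport-security"):
        alerts.add("Strict-Transport-Security Header Not Set")

    # A wildcard CORS origin lets any web origin read the response body.
    if any(v == "*" for v in headers.get("access-control-allow-origin", [])):
        alerts.add("Cross-Domain Misconfiguration")

    # Cache-Control absent, or present without no-store.
    cache = " ".join(headers.get("cache-control", [])).lower()
    if "no-store" not in cache:
        alerts.add("Re-examine Cache-control Directives")

    # <script src> that resolves to a host other than the site's own.
    for src in re.findall(r'<script[^>]+src=["\']([^"\']+)', body, re.I):
        host = urlparse(src).netloc
        if host and host.lower() != site_host.lower():
            alerts.add("Cross-Domain JavaScript Source File Inclusion")
            break

    # Every <form> should carry an input whose name is a known token name.
    for form in re.findall(r"<form\b.*?</form>", body, re.I | re.S):
        names = {n.lower() for n in re.findall(r'name=["\']([^"\']+)', form, re.I)}
        if not names & CSRF_TOKEN_NAMES:
            alerts.add("Absence of Anti-CSRF Tokens")
            break

    return sorted(alerts)


# Constructed sample: an unhardened page response (not a capture of the site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
    "<html><body>\n"
    "<script src=\"https://cdn.example.net/lib.js\"></script>\n"
    "<form method=\"post\" action=\"/login\">\n"
    "<input name=\"user\"><input type=\"password\" name=\"pass\">\n"
    "</form></body></html>\n"
)

# The same page with the headers and markup that clear every check above.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "object-src 'none'; frame-ancestors 'none'; base-uri 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "<html><body>\n"
    "<script src=\"/js/app.js\"></script>\n"
    "<form method=\"post\" action=\"/login\">\n"
    "<input type=\"hidden\" name=\"csrf_token\" value=\"(per-session token)\">\n"
    "<input name=\"user\"><input type=\"password\" name=\"pass\">\n"
    "</form></body></html>\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw, "www.iit.org.pk"))
```

Two points the code makes that the alert list does not: a CSP with `frame-ancestors` clears the anti-clickjacking check on its own, so setting a proper CSP resolves two of the medium findings at once; and the CORS and cache-control checks are about header values, not just presence, so `Access-Control-Allow-Origin: *` on a page that returns user-specific content is the thing to remove, not the header name.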

Appendix
Alert types

This section contains additional information on the types of alerts in the report.

1. Absence of Anti-CSRF Tokens
   Source: raised by a passive scanner (Absence of Anti-CSRF Tokens)
   CWE ID: 352
   WASC ID: 9
   References:
   1. http://projects.webappsec.org/Cross-Site-Request-Forgery
   2. http://cwe.mitre.org/data/definitions/352.html

2. Content Security Policy (CSP) Header Not Set
   Source: raised by a passive scanner (Content Security Policy (CSP) Header Not Set)
   CWE ID: 693
   WASC ID: 15
   References:
   1. https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
   2. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
   3. http://www.w3.org/TR/CSP/
   4. http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
   5. http://www.html5rocks.com/en/tutorials/security/content-security-policy/
   6. http://caniuse.com/#feat=contentsecuritypolicy
   7. http://content-security-policy.com/

3. Cross-Domain Misconfiguration
   Source: raised by a passive scanner (Cross-Domain Misconfiguration)
   CWE ID: 264
   WASC ID: 14
   References:
   1. https://vulncat.fortify.com/en/detail?id=desc.config.dotnet.html5_overly_permissive_cors_policy

4. Missing Anti-clickjacking Header
   Source: raised by a passive scanner (Anti-clickjacking Header)
   CWE ID: 1021
   WASC ID: 15
   References:
   1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

5. Vulnerable JS Library
   Source: raised by a passive scanner (Vulnerable JS Library (Powered by Retire.js))
   CWE ID: 829
   References:
   1. https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
   2. https://nvd.nist.gov/vuln/detail/CVE-2019-11358
   3. https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
   4. https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

6. Application Error Disclosure
   Source: raised by a passive scanner (Application Error Disclosure)
   CWE ID: 200
   WASC ID: 13

7. Cross-Domain JavaScript Source File Inclusion
   Source: raised by a passive scanner (Cross-Domain JavaScript Source File Inclusion)
   CWE ID: 829
   WASC ID: 15

8. Information Disclosure - Debug Error Messages
   Source: raised by a passive scanner (Information Disclosure - Debug Error Messages)
   CWE ID: 200
   WASC ID: 13

9. Strict-Transport-Security Header Not Set
   Source: raised by a passive scanner (Strict-Transport-Security Header)
   CWE ID: 319
   WASC ID: 15
   References:
   1. https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
   2. https://owasp.org/www-community/Security_Headers
   3. http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
   4. http://caniuse.com/stricttransportsecurity
   5. http://tools.ietf.org/html/rfc6797

10. Information Disclosure - Suspicious Comments
   Source: raised by a passive scanner (Information Disclosure - Suspicious Comments)
   CWE ID: 200
   WASC ID: 13

11. Modern Web Application
   Source: raised by a passive scanner (Modern Web Application)

12. Re-examine Cache-control Directives
   Source: raised by a passive scanner (Re-examine Cache-control Directives)
   CWE ID: 525
   WASC ID: 13
   References:
   1. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
   2. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
   3. https://grayduck.mn/2021/09/13/cache-control-recommendations/
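The "Vulnerable JS Library" entry (appendix item 5) is the one finding whose remediation is a version bump rather than a header, and it is worth being able to re-check the served file without the scanner. The script below is an added example, not part of this report and not ZAP's or Retire.js's code: it reads the jQuery version from the file's banner comment (falling back to the filename) and compares it with the fixing releases the appendix references point at. jQuery 3.4.0 fixed CVE-2019-11358 (prototype pollution in jQuery.extend), and the appendix also cites the 3.5.0 release, so anything below 3.5.0 is treated as flagged. The URL is the one the report lists; the file body is a constructed stand-in, not the served file.

```python
# Added example: offline version check for the flagged jQuery file.
# Not ZAP's or Retire.js's code; thresholds come from the report's references.
import re

BANNER_RE = re.compile(r"jQuery\s+v?(\d+\.\d+\.\d+)")               # "/*! jQuery v3.0.0 | ..."
FILENAME_RE = re.compile(r"jquery-(\d+\.\d+\.\d+)(?:\.min)?\.js$")  # ".../jquery-3.0.0.min.js"

# (first fixed version, what the report's references associate with it)
JQUERY_ADVISORIES = [
    ("3.4.0", "CVE-2019-11358, prototype pollution in jQuery.extend (fixed in 3.4.0)"),
    ("3.5.0", "issues fixed in the jQuery 3.5.0 release cited by the report"),
]


def parse_version(text):
    """'3.10.0' -> (3, 10, 0). Tuples compare numerically; strings would not."""
    return tuple(int(part) for part in text.split("."))


def detect_jquery_version(url, content):
    """Version string from the banner comment, else from the filename, else None."""
    match = BANNER_RE.search(content[:300]) or FILENAME_RE.search(url)
    return match.group(1) if match else None


def check_jquery(url, content):
    """Return (detected version or None, advisories whose fix is newer than it)."""
    version = detect_jquery_version(url, content)
    if version is None:
        return None, []
    found = parse_version(version)
    hits = [note for fixed, note in JQUERY_ADVISORIES if found < parse_version(fixed)]
    return version, hits


# The URL the report lists, with a constructed stand-in for the file body.
SAMPLE_URL = "https://www.iit.org.pk/js/jquery-3.0.0.min.js"
SAMPLE_CONTENT = "/*! jQuery v3.0.0 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){}"

if __name__ == "__main__":
    version, hits = check_jquery(SAMPLE_URL, SAMPLE_CONTENT)
    print(version, hits)
```

The banner is read before the filename because a file renamed to hide its version, or a bundle that no longer carries the version in its name, still usually keeps the `/*! jQuery vX.Y.Z` banner; and versions are compared as integer tuples so that 3.10.0 is correctly treated as newer than 3.9.9, which a string comparison gets wrong.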
