Unexpected results in generated Report
codewode opened this issue · 0 comments
codewode commented
I am running zap-cli quick-scan with alert-level high, which returns zero issues, but the generated report lists Medium and Low alerts. How can I prevent the generated report from including any medium or low alerts? Here is how I run my tests.
docker run -d -p 8090:8090 -i owasp/zap2docker-stable zap.sh -daemon -port 8090 -host 0.0.0.0 -config api.disablekey=true -config api.addrs.addr.name=".*" -config api.addrs.addr.regex=true
zap-cli policies set-strength -s "High"
zap-cli policies set-threshold -t "High"
zap-cli quick-scan -o '-config scanner.attackOnStart=true -config view.mode=attack -config connection.dnsTtlSuccessfulQueries=-1 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true' -s xss,sqli --spider --alert-level "High" --recursive https://MYURL
The docker logs look like:
97724 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | CrossSiteScriptingScanRule strength HIGH threshold HIGH
106519 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | CrossSiteScriptingScanRule in 8.797s with 0 message(s) sent and 0 alert(s) raised.
106519 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | PersistentXssPrimeScanRule strength HIGH threshold HIGH
114712 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | PersistentXssPrimeScanRule in 8.193s with 0 message(s) sent and 0 alert(s) raised.
114713 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | PersistentXssSpiderScanRule strength HIGH threshold HIGH
119656 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | PersistentXssSpiderScanRule in 4.943s with 81 message(s) sent and 0 alert(s) raised.
119657 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | PersistentXssScanRule strength HIGH threshold HIGH
129123 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | PersistentXssScanRule in 9.466s with 0 message(s) sent and 0 alert(s) raised.
129124 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - start host https://MYURL | SqlInjectionScanRule strength HIGH threshold HIGH
136959 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://MYURL | SqlInjectionScanRule in 7.836s with 0 message(s) sent and 0 alert(s) raised.
136959 [Thread-9] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host https://MYURL in 107.097s with 0 alert(s) raised.
136960 [Thread-8] INFO org.parosproxy.paros.core.scanner.Scanner - scanner completed in 107.127s
and the generated XML report is:
zap-cli report -o OWASP-ZAP-Report.xml -f xml
<?xml version="1.0"?>
<OWASPZAPReport version="2.11.1" generated="Thu, 3 Feb 2022 09:52:03">
<site name="https://MYURL" host="MYURL" port="443" ssl="true">
<alerts>
<alertitem>
<pluginid>10055</pluginid>
<alertRef>10055</alertRef>
<alert>CSP: Wildcard Directive</alert>
<name>CSP: Wildcard Directive</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: </p><p>connects-src, frame-ancestors, form-action</p><p></p><p>The directive(s): frame-ancestors, form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>default-src </evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p></solution>
<otherinfo></otherinfo>
<reference><p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p><p>https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources</p></reference>
<cweid>693</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10055</pluginid>
<alertRef>10055</alertRef>
<alert>CSP: script-src unsafe-inline</alert>
<name>CSP: script-src unsafe-inline</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>script-src includes unsafe-inline.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>default-src </evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p></solution>
<otherinfo></otherinfo>
<reference><p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p><p>https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources</p></reference>
<cweid>693</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10055</pluginid>
<alertRef>10055</alertRef>
<alert>CSP: style-src unsafe-inline</alert>
<name>CSP: style-src unsafe-inline</name>
<riskcode>2</riskcode>
<confidence>2</confidence>
<riskdesc>Medium (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>style-src includes unsafe-inline.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>default-src</evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p></solution>
<otherinfo></otherinfo>
<reference><p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p><p>https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources</p></reference>
<cweid>693</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10017</pluginid>
<alertRef>10017</alertRef>
<alert>Cross-Domain JavaScript Source File Inclusion</alert>
<name>Cross-Domain JavaScript Source File Inclusion</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>The page includes one or more script files from a third-party domain.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param>https://app.usercentrics.eu/latest/main.js</param>
<attack></attack>
<evidence><script type="application/javascript" src="https://app.usercentrics.eu/latest/main.js" id="u5MUYXh1"></script></evidence>
</instance>
</instances>
<count>1</count>
<solution><p>Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.</p></solution>
<otherinfo></otherinfo>
<reference></reference>
<cweid>829</cweid>
<wascid>15</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10015</pluginid>
<alertRef>10015</alertRef>
<alert>Incomplete or No Cache-control Header Set</alert>
<name>Incomplete or No Cache-control Header Set</name>
<riskcode>1</riskcode>
<confidence>2</confidence>
<riskdesc>Low (Medium)</riskdesc>
<confidencedesc>Medium</confidencedesc>
<desc><p>The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content.</p></desc>
<instances>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param>Cache-Control</param>
<attack></attack>
<evidence>max-age=600, must-revalidate</evidence>
</instance>
<instance>
<uri>https://MYURL/etc/designs/dm/favicon/manifest.json</uri>
<method>GET</method>
<param>Cache-Control</param>
<attack></attack>
<evidence>max-age=600</evidence>
</instance>
</instances>
<count>2</count>
<solution><p>Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate.</p></solution>
<otherinfo></otherinfo>
<reference><p>https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching</p><p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control</p></reference>
<cweid>525</cweid>
<wascid>13</wascid>
<sourceid>3</sourceid>
</alertitem>
<alertitem>
<pluginid>10096</pluginid>
<alertRef>10096</alertRef>
<alert>Timestamp Disclosure - Unix</alert>
<name>Timestamp Disclosure - Unix</name>
<riskcode>1</riskcode>
<confidence>1</confidence>
<riskdesc>Low (Low)</riskdesc>
<confidencedesc>Low</confidencedesc>
<desc><p>A timestamp was disclosed by the application/web server - Unix</p></desc>
<instances>
<instance>
<uri>https://MYURL/</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>20010904</evidence>
</instance>
<instance>
<uri>https://MYURL/</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>16777215</evidence>
</instance>
<instance>
<uri>https://MYURL</uri>
<method>GET</method>
<param></param>
<attack></attack>
<evidence>16777215</evidence>
</instance>
</instances>
<count>3</count>
<solution><p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</p></solution>
<otherinfo><p>20010904, which evaluates to: 1970-08-20 14:35:04</p></otherinfo>
<reference><p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage</p></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>76</sourceid>
</alertitem>
<alertitem>
<pluginid>10027</pluginid>
<alertRef>10027</alertRef>
<alert>Information Disclosure - Suspicious Comments</alert>
<name>Information Disclosure - Suspicious Comments</name>
<riskcode>0</riskcode>
<confidence>1</confidence>
<riskdesc>Informational (Low)</riskdesc>
<confidencedesc>Low</confidencedesc>
<desc><p>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.</p></desc>
<instances>
</instances>
<count>12</count>
<solution><p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.</p></solution>
<otherinfo><p>The following pattern was used: \bDB\b and was detected 8 times, the first in the element starting with: "var bL=function(c4){var dg,dh,dk,c3,da,db,df,dd,cU,cW,c7,du,dQ,dl,dN,cV,cY,di,cS,dw="sizzle"+1*new Date,c2=c4.document,c8=0,cZ=0", see evidence field for the suspicious comment/snippet.</p></otherinfo>
<reference></reference>
<cweid>200</cweid>
<wascid>13</wascid>
<sourceid>84</sourceid>
</alertitem>
</alerts>
</site>
</OWASPZAPReport>
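A note on what the report above shows, followed by an added example (my own code, not part of the issue, of zap-cli or of ZAP). Every alert in the report comes from a passive-scan rule (plugin IDs 10055, 10017, 10015, 10096 and 10027 are all in ZAP's passive-scan range), while `zap-cli policies set-strength` / `set-threshold` and the `-s xss,sqli` selection only govern the active scanner, and `--alert-level` only affects what `quick-scan` itself prints and exits on. `zap-cli report` then serialises everything ZAP has recorded, which is why the Medium and Low items appear even though the active scan raised nothing. One defender-side option is to post-filter the XML by `riskcode`. The script assumes the element layout seen in the report (`OWASPZAPReport/site/alerts/alertitem/riskcode`) and ZAP's risk-code convention of 0 Informational, 1 Low, 2 Medium, 3 High (the value 3 is not on the page; it is ZAP's documented mapping). The embedded sample report is constructed and abbreviated; its High entry is a placeholder, not a real finding.

```python
"""Keep only alertitems at or above a chosen risk level in a ZAP XML report.

Added example, not code from the issue, zap-cli or ZAP. Assumes the report
layout OWASPZAPReport/site/alerts/alertitem/riskcode and ZAP's risk codes
0 Informational, 1 Low, 2 Medium, 3 High.
"""
import sys
import xml.etree.ElementTree as ET

# ZAP's risk-code convention (assumption stated in the lead-in).
RISK_CODES = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Constructed, abbreviated report mirroring the structure of the one in the issue.
# The last alertitem is a placeholder High-risk entry so the filter has something to keep.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.11.1" generated="Thu, 3 Feb 2022 09:52:03">
<site name="https://example.test" host="example.test" port="443" ssl="true">
<alerts>
<alertitem><pluginid>10055</pluginid><alert>CSP: Wildcard Directive</alert><riskcode>2</riskcode><riskdesc>Medium (Medium)</riskdesc><count>1</count></alertitem>
<alertitem><pluginid>10015</pluginid><alert>Incomplete or No Cache-control Header Set</alert><riskcode>1</riskcode><riskdesc>Low (Medium)</riskdesc><count>2</count></alertitem>
<alertitem><pluginid>10027</pluginid><alert>Information Disclosure - Suspicious Comments</alert><riskcode>0</riskcode><riskdesc>Informational (Low)</riskdesc><count>12</count></alertitem>
<alertitem><pluginid>0</pluginid><alert>Example High alert (constructed)</alert><riskcode>3</riskcode><riskdesc>High (Medium)</riskdesc><count>1</count></alertitem>
</alerts>
</site>
</OWASPZAPReport>
"""


def risk_threshold(level):
    """Map a level name such as 'High' (case-insensitive) to ZAP's integer risk code."""
    try:
        return RISK_CODES[level.strip().lower()]
    except KeyError:
        raise ValueError(
            f"unknown risk level {level!r}; expected one of {sorted(RISK_CODES)}"
        ) from None


def filter_report(xml_text, min_level):
    """Return (filtered_xml, dropped_count), keeping alertitems with riskcode >= min_level.

    An alertitem whose riskcode is missing or unparseable is kept on purpose:
    a filter meant to hide noise must never silently hide a finding it cannot classify.
    """
    threshold = risk_threshold(min_level)
    root = ET.fromstring(xml_text)
    dropped = 0
    for alerts in root.iter("alerts"):
        for item in list(alerts.findall("alertitem")):
            try:
                code = int(item.findtext("riskcode"))
            except (TypeError, ValueError):
                continue  # unclassifiable: keep it
            if code < threshold:
                alerts.remove(item)
                dropped += 1
    return ET.tostring(root, encoding="unicode"), dropped


def alert_names(xml_text):
    """List the <alert> names in document order, handy for checking what survived."""
    root = ET.fromstring(xml_text)
    return [item.findtext("alert") for item in root.iter("alertitem")]


if __name__ == "__main__":
    # Usage: python filter_zap_report.py OWASP-ZAP-Report.xml filtered.xml High
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} <in-report.xml> <out-report.xml> <Informational|Low|Medium|High>")
    with open(sys.argv[1], encoding="utf-8") as fh:
        filtered, dropped = filter_report(fh.read(), sys.argv[3])
    with open(sys.argv[2], "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?>\n' + filtered + "\n")
    print(f"dropped {dropped} alert(s) below {sys.argv[3]}; kept: {alert_names(filtered)}")
```

Run it against the real report as `python filter_zap_report.py OWASP-ZAP-Report.xml filtered.xml High`. Because the filter runs after ZAP, the unfiltered report still exists for anyone who wants the Medium and Low findings later; the alternative of raising the passive-scan rule thresholds inside ZAP hides those findings at the source, so filtering the report is the more conservative choice when the goal is a gate on High alerts only.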