ZAP Full Scan Report

Question

ZAP Full Scan Report

Closed this issue a year ago · 0 comments

danilapog commented a year ago

Site: https://10.1.234.1
New Alerts
- Source Code Disclosure - File Inclusion [43] total: 1:
  - https://10.1.234.1/example/wopi-new?fileExt=xlsx
- Bypassing 403 [40038] total: 34:
  - https://10.1.234.1/
  - https://10.1.234.1/
  - https://10.1.234.1/
  - https://10.1.234.1/
  - https://10.1.234.1/
  - ..
- CORS Misconfiguration [40040] total: 53:
  - https://10.1.234.1/example
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/?userid=uid-1&lang=da&directUrl=true
  - https://10.1.234.1/example/editor?fileExt=docx
  - https://10.1.234.1/example/editor?fileExt=docx&sample=true&userid=uid-1&lang=pt-PT&directUrl=false
  - ..
- CSP: Wildcard Directive [10055] total: 1:
  - https://10.1.234.1/sitemap.xml
- Content Security Policy (CSP) Header Not Set [10038] total: 11:
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/editor?fileName=new.docx
  - https://10.1.234.1/example/editor?fileName=new.docxf
  - https://10.1.234.1/example/editor?fileName=new.pptx
  - https://10.1.234.1/example/editor?fileName=new.xlsx
  - ..
- Cross-Domain Misconfiguration [10098] total: 12:
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/editor?fileExt=docx
  - https://10.1.234.1/example/editor?fileExt=docxf
  - https://10.1.234.1/example/editor?fileExt=pptx
  - https://10.1.234.1/example/editor?fileExt=xlsx
  - ..
- Integer Overflow Error [30003] total: 8:
  - https://10.1.234.1/example/editor?fileExt=docx
  - https://10.1.234.1/example/editor?fileExt=docx&sample=true&userid=uid-1&lang=pt-PT&directUrl=false
  - https://10.1.234.1/example/editor?fileExt=xlsx&userid=uid-1&lang=da&directUrl=true
  - https://10.1.234.1/example/editor?fileName=new.docxf
  - https://10.1.234.1/example/editor?fileName=sample%20(5).xlsx&userid=uid-1&lang=fi&directUrl=false
  - ..
- Missing Anti-clickjacking Header [10020] total: 7:
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/editor?fileName=new.docx
  - https://10.1.234.1/example/editor?fileName=new.docxf
  - https://10.1.234.1/example/editor?fileName=new.pptx
  - https://10.1.234.1/example/editor?fileName=new.xlsx
  - ..
- Proxy Disclosure [40025] total: 129:
  - https://10.1.234.1
  - https://10.1.234.1/
  - https://10.1.234.1/7.5.0-125/sdkjs
  - https://10.1.234.1/7.5.0-125/sdkjs/cell
  - https://10.1.234.1/7.5.0-125/sdkjs/cell/css
  - ..
- Source Code Disclosure - SQL [10099] total: 12:
  - https://10.1.234.1/example/editor?fileName=new%20(1).docx&userid=uid-1&lang=ja&directUrl=false
  - https://10.1.234.1/example/editor?fileName=new%20(1).xlsx&userid=uid-1&lang=da&directUrl=true
  - https://10.1.234.1/example/editor?fileName=new%20(2).docx&userid=uid-3&lang=id&directUrl=false
  - https://10.1.234.1/example/editor?fileName=new.docx
  - https://10.1.234.1/example/editor?fileName=new.docxf
  - ..
- Sub Resource Integrity Attribute Missing [90003] total: 4:
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/?userid=uid-1&lang=pt-PT&directUrl=false
  - https://10.1.234.1/example/wopi
  - https://10.1.234.1/welcome/
- Vulnerable JS Library [10003] total: 4:
  - https://10.1.234.1/7.5.0-125/web-apps/apps/documenteditor/main/app.js
  - https://10.1.234.1/7.5.0-125/web-apps/apps/presentationeditor/main/app.js
  - https://10.1.234.1/7.5.0-125/web-apps/apps/spreadsheeteditor/main/app.js
  - https://10.1.234.1/example/javascripts/jquery-ui.js
- XSLT Injection [90017] total: 11:
  - https://10.1.234.1/example/editor?fileExt=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E
  - https://10.1.234.1/example/editor?fileExt=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E&sample=true&userid=uid-1&lang=pt-PT&directUrl=false
  - https://10.1.234.1/example/editor?fileExt=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E&userid=uid-1&lang=da&directUrl=true
  - https://10.1.234.1/example/editor?fileExt=docx&sample=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E&userid=uid-1&lang=pt-PT&directUrl=false
  - https://10.1.234.1/example/editor?fileExt=docx&sample=true&userid=%3Cxsl%3Avalue-of+select%3D%22system-property%28%27xsl%3Avendor%27%29%22%2F%3E&lang=pt-PT&directUrl=false
  - ..
- Application Error Disclosure [90022] total: 4:
  - https://10.1.234.1/example/wopi-action/new%20(1).docx?action=editnew
  - https://10.1.234.1/example/wopi-action/new%20(1).docxf?action=editnew
  - https://10.1.234.1/example/wopi-action/new%20(1).pptx?action=editnew
  - https://10.1.234.1/example/wopi-action/new%20(1).xlsx?action=editnew
- Dangerous JS Functions [10110] total: 5:
  - https://10.1.234.1/7.5.0-125/web-apps/apps/documenteditor/main/app.js
  - https://10.1.234.1/7.5.0-125/web-apps/apps/documenteditor/main/app.js
  - https://10.1.234.1/7.5.0-125/web-apps/vendor/requirejs/require.js
  - https://10.1.234.1/example/javascripts/jquery-3.6.4.min.js
  - https://10.1.234.1/example/javascripts/jquery-ui.js
- Insufficient Site Isolation Against Spectre Vulnerability [90004] total: 1:
  - https://10.1.234.1/7.5.0-125/web-apps/apps/documenteditor/main/app.js
- Permissions Policy Header Not Set [10063] total: 11:
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/editor?fileName=new.docx
  - https://10.1.234.1/example/editor?fileName=new.docxf
  - https://10.1.234.1/example/editor?fileName=new.pptx
  - https://10.1.234.1/example/editor?fileName=new.xlsx
  - ..
- Strict-Transport-Security Header Not Set [10035] total: 5:
  - https://10.1.234.1/example/wopi-action/new%20(1).docx?action=editnew
  - https://10.1.234.1/example/wopi-action/new%20(1).docxf?action=editnew
  - https://10.1.234.1/example/wopi-action/new%20(1).pptx?action=editnew
  - https://10.1.234.1/example/wopi-action/new%20(1).xlsx?action=editnew
  - https://10.1.234.1/sitemap.xml
- Information Disclosure - Sensitive Information in URL [10024] total: 12:
  - https://10.1.234.1/example/?userid=uid-1&lang=da&directUrl=true
  - https://10.1.234.1/example/?userid=uid-1&lang=ja&directUrl=false
  - https://10.1.234.1/example/?userid=uid-1&lang=pt-PT&directUrl=false
  - https://10.1.234.1/example/editor?fileExt=docx&sample=true&userid=uid-1&lang=pt-PT&directUrl=false
  - https://10.1.234.1/example/editor?fileExt=docx&userid=uid-1&lang=ja&directUrl=false
  - ..
- Information Disclosure - Suspicious Comments [10027] total: 14:
  - https://10.1.234.1/example/editor?fileName=new.docx
  - https://10.1.234.1/example/editor?fileName=new.docxf
  - https://10.1.234.1/example/editor?fileName=new.pptx
  - https://10.1.234.1/example/editor?fileName=new.xlsx
  - https://10.1.234.1/example/javascripts/jquery-3.6.4.min.js
  - ..
- Modern Web Application [10109] total: 10:
  - https://10.1.234.1/7.5.0-125/web-apps/apps/documenteditor/main/index.html?_dc=7.5.0-125&lang=pt-PT&customer=ONLYOFFICE&frameEditorId=iframeEditor&parentOrigin=https://10.1.234.1&fileType=docx
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/?userid=uid-1&lang=pt-PT&directUrl=false
  - https://10.1.234.1/example/editor?fileName=new.docx
  - https://10.1.234.1/example/editor?fileName=new.docxf
  - ..
- Non-Storable Content [10049] total: 10:
  - https://10.1.234.1/
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/editor?fileExt=docx
  - https://10.1.234.1/example/editor?fileExt=pptx
  - https://10.1.234.1/robots.txt
  - ..
- Re-examine Cache-control Directives [10015] total: 8:
  - https://10.1.234.1/example/
  - https://10.1.234.1/example/editor?fileName=new.docx
  - https://10.1.234.1/example/editor?fileName=new.docxf
  - https://10.1.234.1/example/editor?fileName=new.pptx
  - https://10.1.234.1/example/editor?fileName=new.xlsx
  - ..
- User Agent Fuzzer [10104] total: 744:
  - https://10.1.234.1
  - https://10.1.234.1
  - https://10.1.234.1
  - https://10.1.234.1
  - https://10.1.234.1
  - ..
- User Controllable HTML Element Attribute (Potential XSS) [10031] total: 13:
  - https://10.1.234.1/7.5.0-125/web-apps/apps/spreadsheeteditor/main/index.html?_dc=7.5.0-125&lang=da&customer=ONLYOFFICE&frameEditorId=iframeEditor&parentOrigin=https://10.1.234.1&fileType=xlsx
  - https://10.1.234.1/7.5.0-125/web-apps/apps/spreadsheeteditor/main/index.html?_dc=7.5.0-125&lang=da&customer=ONLYOFFICE&frameEditorId=iframeEditor&parentOrigin=https://10.1.234.1&fileType=xlsx
  - https://10.1.234.1/7.5.0-125/web-apps/apps/spreadsheeteditor/main/index.html?_dc=7.5.0-125&lang=da&customer=ONLYOFFICE&frameEditorId=iframeEditor&parentOrigin=https://10.1.234.1&fileType=xlsx
  - https://10.1.234.1/7.5.0-125/web-apps/apps/spreadsheeteditor/main/index.html?_dc=7.5.0-125&lang=da&customer=ONLYOFFICE&frameEditorId=iframeEditor&parentOrigin=https://10.1.234.1&fileType=xlsx
  - https://10.1.234.1/7.5.0-125/web-apps/apps/spreadsheeteditor/main/index.html?_dc=7.5.0-125&lang=da&customer=ONLYOFFICE&frameEditorId=iframeEditor&parentOrigin=https://10.1.234.1&fileType=xlsx
  - ..

View the following link to download the report.
RunnerID:6722529760