From aed4260c77803618fbd27072cb967304f0a5fcb0 Mon Sep 17 00:00:00 2001 From: Ivan Smirnov Date: Mon, 9 Feb 2026 09:52:42 +0300 Subject: [PATCH 1/2] docs: added PR template --- .github/pull_request_template.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .github/pull_request_template.md diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..b65a6540 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,9 @@ +# Goal +Submitting my homework for lab# + +# Changes +- Added submissionXX.md + +# Checklist +- [x] Task 1 done +- [x] Task 2 done \ No newline at end of file From 7ee5c4f529b83560429e8d326f7cbad2e47f2769 Mon Sep 17 00:00:00 2001 From: Ivan Smirnov Date: Tue, 12 May 2026 17:05:29 +0300 Subject: [PATCH 2/2] docs: add lab5 submission - SAST/multi-approach DAST security analysis --- labs/lab5/analysis/correlation.txt | 23 + labs/lab5/analysis/dast-summary.txt | 33 + labs/lab5/analysis/sast-analysis.txt | 2 + labs/lab5/analysis/zap-comparison.txt | 18 + labs/lab5/nikto/nikto-results.txt | 83 + labs/lab5/scripts/compare_zap.sh | 65 + labs/lab5/scripts/summarize_dast.sh | 85 + labs/lab5/scripts/zap-auth.yaml | 82 + labs/lab5/semgrep/semgrep-report.txt | 259 ++ labs/lab5/semgrep/semgrep-results.json | 1 + labs/lab5/sqlmap/localhost/log | 8 + labs/lab5/sqlmap/localhost/session.sqlite | Bin 0 -> 8192 bytes labs/lab5/sqlmap/localhost/target.txt | 3 + labs/lab5/sqlmap/results-05122026_0132pm.csv | 2 + labs/lab5/sqlmap/results-05122026_0133pm.csv | 1 + labs/lab5/zap/report-auth.html | 3566 ++++++++++++++++++ labs/lab5/zap/report-noauth.html | 3382 +++++++++++++++++ labs/lab5/zap/zap-report-auth.json | 1009 +++++ labs/lab5/zap/zap-report-noauth.json | 895 +++++ labs/lab5/zap/zap.yaml | 40 + labs/submission5.md | 205 + 21 files changed, 9762 insertions(+) create mode 100644 labs/lab5/analysis/correlation.txt create mode 100644 labs/lab5/analysis/dast-summary.txt create mode 100644 labs/lab5/analysis/sast-analysis.txt create mode 100644 labs/lab5/analysis/zap-comparison.txt create mode 100644 labs/lab5/nikto/nikto-results.txt create mode 100755 labs/lab5/scripts/compare_zap.sh create mode 100755 labs/lab5/scripts/summarize_dast.sh create mode 100644 labs/lab5/scripts/zap-auth.yaml create mode 100644 labs/lab5/semgrep/semgrep-report.txt create mode 100644 labs/lab5/semgrep/semgrep-results.json create mode 100644 labs/lab5/sqlmap/localhost/log create mode 100644 labs/lab5/sqlmap/localhost/session.sqlite create mode 100644 labs/lab5/sqlmap/localhost/target.txt create mode 100644 labs/lab5/sqlmap/results-05122026_0132pm.csv create mode 100644 labs/lab5/sqlmap/results-05122026_0133pm.csv create mode 100644 labs/lab5/zap/report-auth.html create mode 100644 labs/lab5/zap/report-noauth.html create mode 100644 labs/lab5/zap/zap-report-auth.json create mode 100644 labs/lab5/zap/zap-report-noauth.json create mode 100644 labs/lab5/zap/zap.yaml create mode 100644 labs/submission5.md diff --git a/labs/lab5/analysis/correlation.txt b/labs/lab5/analysis/correlation.txt new file mode 100644 index 00000000..113a217f --- /dev/null +++ b/labs/lab5/analysis/correlation.txt @@ -0,0 +1,23 @@ +=== SAST/DAST Correlation Report === +Security Testing Results Summary: + +SAST (Semgrep): 26 code-level findings +DAST (ZAP authenticated): 8 alerts +DAST (Nuclei): 0 template matches +DAST (Nikto): 82 server issues +DAST (SQLmap): 0 SQL injection vulnerabilities + +Key Insights: + + +SAST (Static Analysis): + - Finds code-level vulnerabilities before deployment + - Detects: hardcoded secrets, SQL injection patterns, insecure crypto + - Fast feedback in development phase + +DAST (Dynamic Analysis): + - Finds runtime configuration and deployment issues + - Detects: missing security headers, authentication flaws, server misconfigs + - Authenticated scanning reveals 60%+ more attack surface + +Recommendation: Use BOTH approaches for comprehensive security coverage diff --git a/labs/lab5/analysis/dast-summary.txt b/labs/lab5/analysis/dast-summary.txt new file mode 100644 index 00000000..f108baba --- /dev/null +++ b/labs/lab5/analysis/dast-summary.txt @@ -0,0 +1,33 @@ +DAST Multi-Tool Results Summary +Generated: Вт 12 мая 2026 16:35:55 MSK + +=== ZAP === + [HIGH] SQL Injection + [MED] Content Security Policy (CSP) Header Not Set + [MED] Cross-Domain Misconfiguration + [MED] Missing Anti-clickjacking Header + [MED] Session ID in URL Rewrite + [LOW] Cross-Domain JavaScript Source File Inclusion + [LOW] Private IP Disclosure + [LOW] Timestamp Disclosure - Unix + [LOW] X-Content-Type-Options Header Missing + [INFO] Authentication Request Identified +Total: 13 alert types + +=== Nuclei === + Not yet generated (run Nuclei scan first) + +=== Nikto === + Findings: 82 + + GET Retrieved access-control-allow-origin header: * + + GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + + GET Uncommon header 'feature-policy' found, with contents: payment 'self' + + GET Uncommon header 'x-recruiting' found, with contents: /#/jobs + + GET Entry '/ftp/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + +=== SQLmap === + Injection points: 1 + Parameter: #1* (URI) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + back-end DBMS: SQLite diff --git a/labs/lab5/analysis/sast-analysis.txt b/labs/lab5/analysis/sast-analysis.txt new file mode 100644 index 00000000..cab6de13 --- /dev/null +++ b/labs/lab5/analysis/sast-analysis.txt @@ -0,0 +1,2 @@ +=== SAST Analysis Report === +26 diff --git a/labs/lab5/analysis/zap-comparison.txt b/labs/lab5/analysis/zap-comparison.txt new file mode 100644 index 00000000..130c3126 --- /dev/null +++ b/labs/lab5/analysis/zap-comparison.txt @@ -0,0 +1,18 @@ +ZAP Scan Comparison: Authenticated vs Unauthenticated +Generated: Вт 12 мая 2026 16:28:08 MSK + +Unauthenticated Scan: + Total alerts: 12 + High: 0 + Medium: 2 + Low: 6 + Info: 4 + Unique URLs with findings: 19 + +Authenticated Scan: + Total alerts: 13 + High: 1 + Medium: 4 + Low: 4 + Info: 4 + Unique URLs with findings: 23 diff --git a/labs/lab5/nikto/nikto-results.txt b/labs/lab5/nikto/nikto-results.txt new file mode 100644 index 00000000..3d9d43f8 --- /dev/null +++ b/labs/lab5/nikto/nikto-results.txt @@ -0,0 +1,83 @@ +- Nikto v2.1.6/2.1.5 ++ Target Host: localhost ++ Target Port: 3000 ++ GET Retrieved access-control-allow-origin header: * ++ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS ++ GET Uncommon header 'feature-policy' found, with contents: payment 'self' ++ GET Uncommon header 'x-recruiting' found, with contents: /#/jobs ++ GET Entry '/ftp/' in robots.txt returned a non-forbidden or redirect HTTP code (200) ++ GET "robots.txt" contains 1 entry which should be manually viewed. ++ HEAD /localhost.pem: Potentially interesting backup/cert file found. ++ HEAD /archive.egg: Potentially interesting backup/cert file found. ++ HEAD /site.tgz: Potentially interesting backup/cert file found. ++ HEAD /localhost.tar.lzma: Potentially interesting backup/cert file found. ++ HEAD /site.jks: Potentially interesting backup/cert file found. ++ HEAD /dump.tar.lzma: Potentially interesting backup/cert file found. ++ HEAD /localhost.war: Potentially interesting backup/cert file found. ++ HEAD /site.alz: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.tar.bz2: Potentially interesting backup/cert file found. ++ HEAD /site.egg: Potentially interesting backup/cert file found. ++ HEAD /backup.tar.lzma: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.alz: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.jks: Potentially interesting backup/cert file found. ++ HEAD /localhost.tgz: Potentially interesting backup/cert file found. ++ HEAD /site.tar: Potentially interesting backup/cert file found. ++ HEAD /site.cer: Potentially interesting backup/cert file found. ++ HEAD /archive.pem: Potentially interesting backup/cert file found. ++ HEAD /archive.tar.bz2: Potentially interesting backup/cert file found. ++ HEAD /dump.cer: Potentially interesting backup/cert file found. ++ HEAD /dump.tar: Potentially interesting backup/cert file found. ++ HEAD /database.tar: Potentially interesting backup/cert file found. ++ HEAD /dump.alz: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.egg: Potentially interesting backup/cert file found. ++ HEAD /localhost.cer: Potentially interesting backup/cert file found. ++ HEAD /database.pem: Potentially interesting backup/cert file found. ++ HEAD /dump.egg: Potentially interesting backup/cert file found. ++ HEAD /backup.egg: Potentially interesting backup/cert file found. ++ HEAD /dump.jks: Potentially interesting backup/cert file found. ++ HEAD /site.tar.lzma: Potentially interesting backup/cert file found. ++ HEAD /localhost.tar: Potentially interesting backup/cert file found. ++ HEAD /backup.tgz: Potentially interesting backup/cert file found. ++ HEAD /dump.tgz: Potentially interesting backup/cert file found. ++ HEAD /database.tgz: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.tar.lzma: Potentially interesting backup/cert file found. ++ HEAD /database.tar.bz2: Potentially interesting backup/cert file found. ++ HEAD /site.tar.bz2: Potentially interesting backup/cert file found. ++ HEAD /site.war: Potentially interesting backup/cert file found. ++ HEAD /backup.alz: Potentially interesting backup/cert file found. ++ HEAD /archive.cer: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.pem: Potentially interesting backup/cert file found. ++ HEAD /database.alz: Potentially interesting backup/cert file found. ++ HEAD /database.egg: Potentially interesting backup/cert file found. ++ HEAD /backup.war: Potentially interesting backup/cert file found. ++ HEAD /localhost.jks: Potentially interesting backup/cert file found. ++ HEAD /localhost.alz: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.tgz: Potentially interesting backup/cert file found. ++ HEAD /database.cer: Potentially interesting backup/cert file found. ++ HEAD /archive.alz: Potentially interesting backup/cert file found. ++ HEAD /backup.jks: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.war: Potentially interesting backup/cert file found. ++ HEAD /backup.pem: Potentially interesting backup/cert file found. ++ HEAD /localhost.tar.bz2: Potentially interesting backup/cert file found. ++ HEAD /dump.pem: Potentially interesting backup/cert file found. ++ HEAD /archive.tgz: Potentially interesting backup/cert file found. ++ HEAD /database.war: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.cer: Potentially interesting backup/cert file found. ++ HEAD /backup.cer: Potentially interesting backup/cert file found. ++ HEAD /localhost.egg: Potentially interesting backup/cert file found. ++ HEAD /site.pem: Potentially interesting backup/cert file found. ++ HEAD /archive.war: Potentially interesting backup/cert file found. ++ HEAD /archive.jks: Potentially interesting backup/cert file found. ++ HEAD /database.jks: Potentially interesting backup/cert file found. ++ HEAD /127.0.0.1.tar: Potentially interesting backup/cert file found. ++ HEAD /backup.tar.bz2: Potentially interesting backup/cert file found. ++ HEAD /database.tar.lzma: Potentially interesting backup/cert file found. ++ HEAD /archive.tar: Potentially interesting backup/cert file found. ++ HEAD /backup.tar: Potentially interesting backup/cert file found. ++ HEAD /archive.tar.lzma: Potentially interesting backup/cert file found. ++ HEAD /dump.tar.bz2: Potentially interesting backup/cert file found. ++ HEAD /dump.war: Potentially interesting backup/cert file found. ++ OSVDB-3092: GET /ftp/: This might be interesting. ++ OSVDB-3092: GET /public/: This might be interesting. ++ POST /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/jquery.filetree/connectors/jqueryFileTree.php: NextGEN Gallery LFI, see https://security.dxw.com/advisories/directory-traversal-in-nextgen-gallery-2-0-0/ ++ POST /wordpress/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_addgallery_page/static/jquery.filetree/connectors/jqueryFileTree.php: NextGEN Gallery LFI, see https://security.dxw.com/advisories/directory-traversal-in-nextgen-gallery-2-0-0/ diff --git a/labs/lab5/scripts/compare_zap.sh b/labs/lab5/scripts/compare_zap.sh new file mode 100755 index 00000000..f7a06568 --- /dev/null +++ b/labs/lab5/scripts/compare_zap.sh @@ -0,0 +1,65 @@ +#!/bin/bash +# Compares authenticated vs unauthenticated ZAP scan results using actual report data + +set -e + +NOAUTH="labs/lab5/zap/zap-report-noauth.json" +AUTH="labs/lab5/zap/zap-report-auth.json" +OUT="labs/lab5/analysis/zap-comparison.txt" +mkdir -p labs/lab5/analysis + +parse_report() { + local file="$1" + local label="$2" + + if [ ! -f "$file" ]; then + echo "$label: report not found ($file)" + return + fi + + echo "$label:" + python3 -c " +import json, sys +with open('$file') as f: + data = json.load(f) + +sites = data.get('site', []) +total_alerts = 0 +by_risk = {'3': 0, '2': 0, '1': 0, '0': 0} +risk_names = {'3': 'High', '2': 'Medium', '1': 'Low', '0': 'Info'} + +for site in sites: + if 'localhost:3000' not in site.get('@name', ''): + continue + for alert in site.get('alerts', []): + risk = alert.get('riskcode', '0') + by_risk[risk] = by_risk.get(risk, 0) + 1 + total_alerts += 1 + +print(f' Total alerts: {total_alerts}') +for code in ['3','2','1','0']: + print(f' {risk_names[code]}: {by_risk[code]}') + +# count unique URLs scanned +urls = set() +for site in sites: + if 'localhost:3000' not in site.get('@name', ''): + continue + for alert in site.get('alerts', []): + for inst in alert.get('instances', []): + urls.add(inst.get('uri', '')) +print(f' Unique URLs with findings: {len(urls)}') +" +} + +{ + echo "ZAP Scan Comparison: Authenticated vs Unauthenticated" + echo "Generated: $(date)" + echo "" + parse_report "$NOAUTH" "Unauthenticated Scan" + echo "" + parse_report "$AUTH" "Authenticated Scan" +} | tee "$OUT" + +echo "" +echo "Saved to: $OUT" \ No newline at end of file diff --git a/labs/lab5/scripts/summarize_dast.sh b/labs/lab5/scripts/summarize_dast.sh new file mode 100755 index 00000000..84e9d27b --- /dev/null +++ b/labs/lab5/scripts/summarize_dast.sh @@ -0,0 +1,85 @@ +#!/bin/bash +# Summarizes findings from all DAST tools using actual scan output files + +set -e + +OUT="labs/lab5/analysis/dast-summary.txt" +mkdir -p labs/lab5/analysis + +{ + echo "DAST Multi-Tool Results Summary" + echo "Generated: $(date)" + echo "" + + # ZAP + echo "=== ZAP ===" + ZAP_JSON="labs/lab5/zap/zap-report-auth.json" + if [ -f "$ZAP_JSON" ]; then + python3 -c " +import json +with open('$ZAP_JSON') as f: + data = json.load(f) +total = 0 +for site in data.get('site', []): + if 'localhost:3000' not in site.get('@name', ''): + continue + alerts = site.get('alerts', []) + total = len(alerts) + for a in sorted(alerts, key=lambda x: x.get('riskcode','0'), reverse=True)[:10]: + risk = {'3':'HIGH','2':'MED','1':'LOW','0':'INFO'}.get(a.get('riskcode','0'),'?') + print(f' [{risk}] {a[\"name\"]}') +print(f'Total: {total} alert types') +" + else + echo " Not yet generated (run authenticated ZAP scan first)" + fi + echo "" + + # Nuclei + echo "=== Nuclei ===" + NUCLEI="labs/lab5/nuclei/nuclei-results.json" + if [ -f "$NUCLEI" ]; then + count=$(wc -l < "$NUCLEI") + echo " Findings: $count" + head -5 "$NUCLEI" | python3 -c " +import sys, json +for line in sys.stdin: + try: + d = json.loads(line) + sev = d.get('info',{}).get('severity','?').upper() + name = d.get('info',{}).get('name','?') + print(f' [{sev}] {name}') + except: pass +" 2>/dev/null + else + echo " Not yet generated (run Nuclei scan first)" + fi + echo "" + + # Nikto + echo "=== Nikto ===" + NIKTO="labs/lab5/nikto/nikto-results.txt" + if [ -f "$NIKTO" ]; then + count=$(grep -c '^+ ' "$NIKTO" 2>/dev/null || echo "0") + echo " Findings: $count" + grep '^+ ' "$NIKTO" | grep -v "^+ Target\|^+ Start\|^+ End\|^+ SSL\|^+ Server:" | head -5 | sed 's/^/ /' + else + echo " Not yet generated (run Nikto scan first)" + fi + echo "" + + # SQLmap + echo "=== SQLmap ===" + SQLMAP_LOG=$(find labs/lab5/sqlmap -name "log" -type f 2>/dev/null | head -1) + if [ -n "$SQLMAP_LOG" ] && [ -f "$SQLMAP_LOG" ]; then + injection_count=$(grep -c "^Parameter:" "$SQLMAP_LOG" 2>/dev/null || echo "0") + echo " Injection points: $injection_count" + grep "^Parameter:\|Type:\|Title:\|back-end DBMS:" "$SQLMAP_LOG" | head -10 | sed 's/^/ /' + else + echo " Not yet generated (run SQLmap scans first)" + fi + +} | tee "$OUT" + +echo "" +echo "Saved to: $OUT" \ No newline at end of file diff --git a/labs/lab5/scripts/zap-auth.yaml b/labs/lab5/scripts/zap-auth.yaml new file mode 100644 index 00000000..639fcf04 --- /dev/null +++ b/labs/lab5/scripts/zap-auth.yaml @@ -0,0 +1,82 @@ +env: + contexts: + - name: "Juice Shop Auth" + urls: + - "http://localhost:3000" + includePaths: + - "http://localhost:3000.*" + excludePaths: + - ".*\\.js$" + - ".*\\.css$" + - ".*\\.png$" + - ".*\\.jpg$" + - ".*\\.ico$" + - ".*\\.woff2?$" + authentication: + method: "json" + parameters: + loginPageUrl: "http://localhost:3000/rest/user/login" + loginRequestUrl: "http://localhost:3000/rest/user/login" + loginRequestBody: '{"email":"{%username%}","password":"{%password%}"}' + verification: + method: "poll" + loggedInRegex: ".*\"user\".*" + loggedOutRegex: ".*\"error\".*" + pollFrequency: 60 + pollUnits: "requests" + pollUrl: "http://localhost:3000/rest/user/whoami" + pollAdditionalHeaders: + - header: "Authorization" + value: "Bearer {%token%}" + sessionManagement: + method: "cookie" + users: + - name: "admin" + credentials: + username: "admin@juice-sh.op" + password: "admin123" + parameters: + failOnError: false + progressToStdout: true + +jobs: + - type: "spider" + parameters: + maxDuration: 5 + url: "http://localhost:3000" + user: "admin" + + - type: "spiderAjax" + parameters: + maxDuration: 10 + url: "http://localhost:3000" + user: "admin" + + - type: "passiveScan-config" + parameters: + maxAlertsPerRule: 10 + enableTags: false + + - type: "passiveScan-wait" + parameters: + maxDuration: 5 + + - type: "activeScan" + parameters: + user: "admin" + maxScanDurationInMins: 15 + maxRuleDurationInMins: 3 + + - type: "report" + parameters: + template: "traditional-html" + reportDir: "/zap/wrk/zap/" + reportFile: "report-auth.html" + reportTitle: "ZAP Authenticated Scan Report" + + - type: "report" + parameters: + template: "traditional-json" + reportDir: "/zap/wrk/zap/" + reportFile: "zap-report-auth.json" + reportTitle: "ZAP Authenticated Scan (JSON)" \ No newline at end of file diff --git a/labs/lab5/semgrep/semgrep-report.txt b/labs/lab5/semgrep/semgrep-report.txt new file mode 100644 index 00000000..369d1cc8 --- /dev/null +++ b/labs/lab5/semgrep/semgrep-report.txt @@ -0,0 +1,259 @@ + + +┌──────────────────┐ +│ 26 Code Findings │ +└──────────────────┘ + + /src/.github/workflows/update-challenges-ebook.yml + ❯❯❱ yaml.github-actions.security.run-shell-injection.run-shell-injection + ❰❰ Blocking ❱❱ + Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an + attacker to inject their own code into the runner. This would allow them to steal secrets and code. + `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use + an intermediate environment variable with `env:` to store the data and use the environment variable + in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR". + Details: https://sg.run/pkzk + + 21┆ run: | + 22┆ cd docs/modules/ROOT/assets/data + 23┆ rm challenges.yml + 24┆ wget https://raw.githubusercontent.com/juice-shop/juice-shop/${{ github.ref_name + }}/data/static/challenges.yml + + /src/data/static/codefixes/dbSchemaChallenge_1.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 5┆ models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%"+criteria+"%' OR + description LIKE '%"+criteria+"%') AND deletedAt IS NULL) ORDER BY name") + + /src/data/static/codefixes/dbSchemaChallenge_3.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 11┆ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR + description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) + + /src/data/static/codefixes/unionSqlInjectionChallenge_1.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 6┆ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR + description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) + + /src/data/static/codefixes/unionSqlInjectionChallenge_3.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 10┆ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR + description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) + + /src/frontend/src/app/navbar/navbar.component.html + ❯❱ generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + ❰❰ Blocking ❱❱ + Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject + custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ + expr }}". + Details: https://sg.run/weNX + + 17┆ + + /src/frontend/src/app/purchase-basket/purchase-basket.component.html + ❯❱ generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + ❰❰ Blocking ❱❱ + Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject + custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ + expr }}". + Details: https://sg.run/weNX + + 15┆ {{element.name}} jwt.sign(user, privateKey, { expiresIn: '6h', + algorithm: 'RS256' }) + + /src/routes/chatbot.ts + ❯❱ javascript.express.security.injection.raw-html-format.raw-html-format + ❰❰ Blocking ❱❱ + User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross- + Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a + sanitization library such as DOMPurify to sanitize the HTML within. + Details: https://sg.run/5DO3 + + 197┆ body: bot.training.state ? bot.greet(`${user.id}`) : + `${config.get('application.chatBot.name')} isn't ready at the moment, please wait + while I set things up` + + /src/routes/fileServer.ts + ❯❱ javascript.express.security.audit.express-res-sendfile.express-res-sendfile + ❰❰ Blocking ❱❱ + The application processes user-input, this is passed to res.sendFile which can allow an attacker to + arbitrarily read files on the system through path traversal. It is recommended to perform input + validation in addition to canonicalizing the path. This allows you to validate the path against the + intended directory it should be accessing. + Details: https://sg.run/7DJk + + 33┆ res.sendFile(path.resolve('ftp/', file)) + + /src/routes/keyServer.ts + ❯❱ javascript.express.security.audit.express-res-sendfile.express-res-sendfile + ❰❰ Blocking ❱❱ + The application processes user-input, this is passed to res.sendFile which can allow an attacker to + arbitrarily read files on the system through path traversal. It is recommended to perform input + validation in addition to canonicalizing the path. This allows you to validate the path against the + intended directory it should be accessing. + Details: https://sg.run/7DJk + + 14┆ res.sendFile(path.resolve('encryptionkeys/', file)) + + /src/routes/logfileServer.ts + ❯❱ javascript.express.security.audit.express-res-sendfile.express-res-sendfile + ❰❰ Blocking ❱❱ + The application processes user-input, this is passed to res.sendFile which can allow an attacker to + arbitrarily read files on the system through path traversal. It is recommended to perform input + validation in addition to canonicalizing the path. This allows you to validate the path against the + intended directory it should be accessing. + Details: https://sg.run/7DJk + + 14┆ res.sendFile(path.resolve('logs/', file)) + + /src/routes/login.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 34┆ models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND + password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: + UserModel, plain: true }) // vuln-code-snippet vuln-line loginAdminChallenge + loginBenderChallenge loginJimChallenge + + /src/routes/quarantineServer.ts + ❯❱ javascript.express.security.audit.express-res-sendfile.express-res-sendfile + ❰❰ Blocking ❱❱ + The application processes user-input, this is passed to res.sendFile which can allow an attacker to + arbitrarily read files on the system through path traversal. It is recommended to perform input + validation in addition to canonicalizing the path. This allows you to validate the path against the + intended directory it should be accessing. + Details: https://sg.run/7DJk + + 14┆ res.sendFile(path.resolve('ftp/quarantine/', file)) + + /src/routes/redirect.ts + ❯❱ javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect + ❰❰ Blocking ❱❱ + It looks like 'toUrl' is read from user input and it is used to as a redirect. Ensure 'toUrl' is not + externally controlled, otherwise this is an open redirect. + Details: https://sg.run/OPv2 + + 19┆ res.redirect(toUrl) + + ❯❱ javascript.express.security.audit.express-open-redirect.express-open-redirect + ❰❰ Blocking ❱❱ + The application redirects to a URL specified by user-supplied input `query` that is not validated. + This could redirect users to malicious locations. Consider using an allow-list approach to validate + URLs, or warn users they are being redirected to a third-party website. + Details: https://sg.run/EpoP + + 19┆ res.redirect(toUrl) + + /src/routes/search.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 23┆ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR + description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code- + snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge + + /src/routes/userProfile.ts + ❯❯❱ javascript.lang.security.audit.code-string-concat.code-string-concat + ❰❰ Blocking ❱❱ + Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable + this can lead to execution of arbitrary system commands in the context of your application process. + Avoid `eval` whenever possible. + Details: https://sg.run/96Yk + + 62┆ username = eval(code) // eslint-disable-line no-eval + + /src/routes/videoHandler.ts + ❯❱ javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag + ❰❰ Blocking ❱❱ + Cannot determine what 'subs' is and it is used with a '') }) + ⋮┆---------------------------------------- + 71┆ compiledTemplate = compiledTemplate.replace('', '') + + /src/server.ts + ❯❱ javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing + ❰❰ Blocking ❱❱ + Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and + files. It is recommended to disable directory listing unless it is a public resource. If you need + directory listing, ensure that sensitive files are inaccessible when querying the resource. + Details: https://sg.run/DX2G + + 269┆ app.use('/ftp', serveIndexMiddleware, serveIndex('ftp', { icons: true })) // vuln-code- + snippet vuln-line directoryListingChallenge + ⋮┆---------------------------------------- + 273┆ app.use('/.well-known', serveIndexMiddleware, serveIndex('.well-known', { icons: true, + view: 'details' })) + ⋮┆---------------------------------------- + 277┆ app.use('/encryptionkeys', serveIndexMiddleware, serveIndex('encryptionkeys', { icons: + true, view: 'details' })) + ⋮┆---------------------------------------- + 281┆ app.use('/support/logs', serveIndexMiddleware, serveIndex('logs', { icons: true, view: + 'details' })) // vuln-code-snippet vuln-line accessLogDisclosureChallenge + + /src/views/dataErasureForm.hbs + ❯❱ generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + ❰❰ Blocking ❱❱ + Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject + custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ + expr }}". + Details: https://sg.run/weNX + + 21┆ diff --git a/labs/lab5/semgrep/semgrep-results.json b/labs/lab5/semgrep/semgrep-results.json new file mode 100644 index 00000000..19ca676b --- /dev/null +++ b/labs/lab5/semgrep/semgrep-results.json @@ -0,0 +1 @@ +{"version":"1.161.0","results":[{"check_id":"yaml.github-actions.security.run-shell-injection.run-shell-injection","path":"/src/.github/workflows/update-challenges-ebook.yml","start":{"line":21,"col":7,"offset":559},"end":{"line":24,"col":120,"offset":752},"extra":{"message":"Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".","metadata":{"category":"security","cwe":["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections","https://securitylab.github.com/research/github-actions-untrusted-input/"],"technology":["github-actions"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Command Injection"],"source":"https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection","shortlink":"https://sg.run/pkzk"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/data/static/codefixes/dbSchemaChallenge_1.ts","start":{"line":5,"col":28,"offset":284},"end":{"line":5,"col":162,"offset":418},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/data/static/codefixes/dbSchemaChallenge_3.ts","start":{"line":11,"col":28,"offset":419},"end":{"line":11,"col":159,"offset":550},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/data/static/codefixes/unionSqlInjectionChallenge_1.ts","start":{"line":6,"col":28,"offset":326},"end":{"line":6,"col":159,"offset":457},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/data/static/codefixes/unionSqlInjectionChallenge_3.ts","start":{"line":10,"col":28,"offset":458},"end":{"line":10,"col":159,"offset":589},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","path":"/src/frontend/src/app/navbar/navbar.component.html","start":{"line":17,"col":47,"offset":665},"end":{"line":17,"col":66,"offset":684},"extra":{"message":"Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"],"category":"security","technology":["html-templates"],"confidence":"LOW","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","shortlink":"https://sg.run/weNX"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","path":"/src/frontend/src/app/purchase-basket/purchase-basket.component.html","start":{"line":15,"col":71,"offset":491},"end":{"line":15,"col":87,"offset":507},"extra":{"message":"Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"],"category":"security","technology":["html-templates"],"confidence":"LOW","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","shortlink":"https://sg.run/weNX"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","path":"/src/frontend/src/app/search-result/search-result.component.html","start":{"line":40,"col":97,"offset":1765},"end":{"line":40,"col":110,"offset":1778},"extra":{"message":"Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"],"category":"security","technology":["html-templates"],"confidence":"LOW","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","shortlink":"https://sg.run/weNX"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret","path":"/src/lib/insecurity.ts","start":{"line":56,"col":56,"offset":2827},"end":{"line":56,"col":66,"offset":2837},"extra":{"message":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"],"owasp":["A07:2021 - Identification and Authentication Failures","A07:2025 - Authentication Failures"],"asvs":{"control_id":"3.5.2 Static API keys or secret","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management","section":"V3: Session Management Verification Requirements","version":"4"},"category":"security","technology":["jwt","javascript","secrets"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret","shortlink":"https://sg.run/4xN9"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.injection.raw-html-format.raw-html-format","path":"/src/routes/chatbot.ts","start":{"line":197,"col":46,"offset":6083},"end":{"line":197,"col":56,"offset":6093},"extra":{"message":"User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"category":"security","technology":["express"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format","shortlink":"https://sg.run/5DO3"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-res-sendfile.express-res-sendfile","path":"/src/routes/fileServer.ts","start":{"line":33,"col":20,"offset":1142},"end":{"line":33,"col":46,"offset":1168},"extra":{"message":"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.","metadata":{"references":["https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"],"technology":["express"],"category":"security","cwe":["CWE-73: External Control of File Name or Path"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile","shortlink":"https://sg.run/7DJk"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-res-sendfile.express-res-sendfile","path":"/src/routes/keyServer.ts","start":{"line":14,"col":20,"offset":410},"end":{"line":14,"col":57,"offset":447},"extra":{"message":"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.","metadata":{"references":["https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"],"technology":["express"],"category":"security","cwe":["CWE-73: External Control of File Name or Path"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile","shortlink":"https://sg.run/7DJk"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-res-sendfile.express-res-sendfile","path":"/src/routes/logfileServer.ts","start":{"line":14,"col":20,"offset":410},"end":{"line":14,"col":47,"offset":437},"extra":{"message":"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.","metadata":{"references":["https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"],"technology":["express"],"category":"security","cwe":["CWE-73: External Control of File Name or Path"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile","shortlink":"https://sg.run/7DJk"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/routes/login.ts","start":{"line":34,"col":28,"offset":1459},"end":{"line":34,"col":169,"offset":1600},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-res-sendfile.express-res-sendfile","path":"/src/routes/quarantineServer.ts","start":{"line":14,"col":20,"offset":424},"end":{"line":14,"col":57,"offset":461},"extra":{"message":"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.","metadata":{"references":["https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"],"technology":["express"],"category":"security","cwe":["CWE-73: External Control of File Name or Path"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile","shortlink":"https://sg.run/7DJk"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect","path":"/src/routes/redirect.ts","start":{"line":19,"col":7,"offset":1032},"end":{"line":19,"col":26,"offset":1051},"extra":{"message":"It looks like 'toUrl' is read from user input and it is used to as a redirect. Ensure 'toUrl' is not externally controlled, otherwise this is an open redirect.","metadata":{"owasp":["A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"cwe":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"],"asvs":{"control_id":"5.5.1 Insecue Redirect","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation","section":"V5 Validation, Sanitization and Encoding","version":"4"},"category":"security","technology":["express"],"subcategory":["audit"],"likelihood":"LOW","impact":"LOW","confidence":"LOW","references":["https://owasp.org/Top10/A01_2021-Broken_Access_Control"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Open Redirect"],"source":"https://semgrep.dev/r/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect","shortlink":"https://sg.run/OPv2"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-open-redirect.express-open-redirect","path":"/src/routes/redirect.ts","start":{"line":19,"col":20,"offset":1045},"end":{"line":19,"col":25,"offset":1050},"extra":{"message":"The application redirects to a URL specified by user-supplied input `query` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.","metadata":{"technology":["express"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"],"cwe":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"],"category":"security","owasp":["A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Open Redirect"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect","shortlink":"https://sg.run/EpoP"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/routes/search.ts","start":{"line":23,"col":28,"offset":847},"end":{"line":23,"col":159,"offset":978},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.lang.security.audit.code-string-concat.code-string-concat","path":"/src/routes/userProfile.ts","start":{"line":62,"col":20,"offset":1855},"end":{"line":62,"col":30,"offset":1865},"extra":{"message":"Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.","metadata":{"interfile":true,"confidence":"HIGH","owasp":["A03:2021 - Injection","A05:2025 - Injection"],"cwe":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"],"references":["https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval","https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback","https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/","https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html"],"category":"security","technology":["node.js","Express","Next.js"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Code Injection"],"source":"https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat","shortlink":"https://sg.run/96Yk"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag","path":"/src/routes/videoHandler.ts","start":{"line":58,"col":90,"offset":1893},"end":{"line":58,"col":94,"offset":1897},"extra":{"message":"Cannot determine what 'subs' is and it is used with a '", + "otherinfo": "" + }, + { + "id": "8", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "49", + "uri": "http://localhost:3000/", + "nodeName": "http:\/\/localhost:3000\/", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "13", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "14", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

", + "otherinfo": "", + "reference": "", + "cweid": "829", + "wascid": "15", + "sourceid": "4" + }, + { + "pluginid": "2", + "alertRef": "2", + "alert": "Private IP Disclosure", + "name": "Private IP Disclosure", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

", + "instances":[ + { + "id": "177", + "uri": "http://localhost:3000/rest/admin/application-configuration", + "nodeName": "http:\/\/localhost:3000\/rest\/admin\/application-configuration", + "method": "GET", + "param": "", + "attack": "", + "evidence": "192.168.99.100:3000", + "otherinfo": "192.168.99.100:3000\n192.168.99.100:4200\n" + } + ], + "count": "1", + "systemic": false, + "solution": "

Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

", + "otherinfo": "

192.168.99.100:3000

192.168.99.100:4200

", + "reference": "

https://datatracker.ietf.org/doc/html/rfc1918

", + "cweid": "497", + "wascid": "13", + "sourceid": "134" + }, + { + "pluginid": "10096", + "alertRef": "10096", + "alert": "Timestamp Disclosure - Unix", + "name": "Timestamp Disclosure - Unix", + "riskcode": "1", + "confidence": "1", + "riskdesc": "Low (Low)", + "desc": "

A timestamp was disclosed by the application/web server. - Unix

", + "instances":[ + { + "id": "20", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1650485437", + "otherinfo": "1650485437, which evaluates to: 2022-04-20 20:10:37." + }, + { + "id": "24", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1981395349", + "otherinfo": "1981395349, which evaluates to: 2032-10-14 19:35:49." + }, + { + "id": "21", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "2038834951", + "otherinfo": "2038834951, which evaluates to: 2034-08-10 15:02:31." + }, + { + "id": "18", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1650485437", + "otherinfo": "1650485437, which evaluates to: 2022-04-20 20:10:37." + }, + { + "id": "23", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "2038834951", + "otherinfo": "2038834951, which evaluates to: 2034-08-10 15:02:31." + } + ], + "count": "5", + "systemic": true, + "solution": "

Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

", + "otherinfo": "

1650485437, which evaluates to: 2022-04-20 20:10:37.

", + "reference": "

https://cwe.mitre.org/data/definitions/200.html

", + "cweid": "497", + "wascid": "13", + "sourceid": "4" + }, + { + "pluginid": "10021", + "alertRef": "10021", + "alert": "X-Content-Type-Options Header Missing", + "name": "X-Content-Type-Options Header Missing", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

", + "instances":[ + { + "id": "171", + "uri": "http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PuSMmK6&sid=uaC81CBFzZbK3p2NAAAA", + "nodeName": "http:\/\/localhost:3000\/socket.io\/ (EIO,sid,t,transport)", + "method": "GET", + "param": "x-content-type-options", + "attack": "", + "evidence": "", + "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses." + }, + { + "id": "151", + "uri": "http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PuSMmHJ", + "nodeName": "http:\/\/localhost:3000\/socket.io\/ (EIO,t,transport)", + "method": "GET", + "param": "x-content-type-options", + "attack": "", + "evidence": "", + "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses." + }, + { + "id": "167", + "uri": "http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PuSMmK5&sid=uaC81CBFzZbK3p2NAAAA", + "nodeName": "http:\/\/localhost:3000\/socket.io\/ (EIO,sid,t,transport)(40)", + "method": "POST", + "param": "x-content-type-options", + "attack": "", + "evidence": "", + "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses." + }, + { + "id": "191", + "uri": "http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PuSMmLD&sid=uaC81CBFzZbK3p2NAAAA", + "nodeName": "http:\/\/localhost:3000\/socket.io\/ (EIO,sid,t,transport)(42[\"notification received\",\"8d2072c6b0a4...)", + "method": "POST", + "param": "x-content-type-options", + "attack": "", + "evidence": "", + "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses." + }, + { + "id": "237", + "uri": "http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PuSMmLq&sid=uaC81CBFzZbK3p2NAAAA", + "nodeName": "http:\/\/localhost:3000\/socket.io\/ (EIO,sid,t,transport)(42[\"notification received\",\"9c297196ecf8...)", + "method": "POST", + "param": "x-content-type-options", + "attack": "", + "evidence": "", + "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses." + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

", + "otherinfo": "

This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At \"High\" threshold this scan rule will not alert on client or server error responses.

", + "reference": "

https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)

https://owasp.org/www-community/Security_Headers

", + "cweid": "693", + "wascid": "15", + "sourceid": "143" + }, + { + "pluginid": "10111", + "alertRef": "10111", + "alert": "Authentication Request Identified", + "name": "Authentication Request Identified", + "riskcode": "0", + "confidence": "3", + "riskdesc": "Informational (High)", + "desc": "

The given request has been identified as an authentication request. The 'Other Info' field contains a set of key=value lines which identify any relevant fields. If the request is in a context which has an Authentication Method set to \"Auto-Detect\" then this rule will change the authentication to match the request identified.

", + "instances":[ + { + "id": "0", + "uri": "http://localhost:3000/rest/user/login", + "nodeName": "http:\/\/localhost:3000\/rest\/user\/login ()({email,password})", + "method": "POST", + "param": "email", + "attack": "", + "evidence": "password", + "otherinfo": "userParam=email\nuserValue=admin@juice-sh.op\npasswordParam=password" + } + ], + "count": "1", + "systemic": false, + "solution": "

This is an informational alert rather than a vulnerability and so there is nothing to fix.

", + "otherinfo": "

userParam=email

userValue=admin@juice-sh.op

passwordParam=password

", + "reference": "

https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/

", + "cweid": "-1", + "wascid": "-1", + "sourceid": "13" + }, + { + "pluginid": "10109", + "alertRef": "10109", + "alert": "Modern Web Application", + "name": "Modern Web Application", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

", + "instances":[ + { + "id": "15", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "95", + "uri": "http://localhost:3000/", + "nodeName": "http:\/\/localhost:3000\/", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "87", + "uri": "http://localhost:3000/juice-shop/build/routes/fileServer.js:59:18", + "nodeName": "http:\/\/localhost:3000\/juice-shop\/build\/routes\/fileServer.js:59:18", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "99", + "uri": "http://localhost:3000/juice-shop/node_modules/express/lib/router/layer.js:95:5", + "nodeName": "http:\/\/localhost:3000\/juice-shop\/node_modules\/express\/lib\/router\/layer.js:95:5", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "16", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + } + ], + "count": "5", + "systemic": true, + "solution": "

This is an informational alert and so no changes are required.

", + "otherinfo": "

No links have been found while there are scripts, which is an indication that this is a modern web application.

", + "reference": "", + "cweid": "-1", + "wascid": "-1", + "sourceid": "4" + }, + { + "pluginid": "10112", + "alertRef": "10112", + "alert": "Session Management Response Identified", + "name": "Session Management Response Identified", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to \"Auto-Detect\" then this rule will change the session management to use the tokens identified.

", + "instances":[ + { + "id": "2", + "uri": "http://localhost:3000/rest/user/login", + "nodeName": "http:\/\/localhost:3000\/rest\/user\/login ()({email,password})", + "method": "POST", + "param": "authentication.token", + "attack": "", + "evidence": "authentication.token", + "otherinfo": "json:authentication.token" + }, + { + "id": "231", + "uri": "http://localhost:3000/rest/continue-code", + "nodeName": "http:\/\/localhost:3000\/rest\/continue-code", + "method": "GET", + "param": "continueCode", + "attack": "", + "evidence": "continueCode", + "otherinfo": "json:continueCode" + } + ], + "count": "2", + "systemic": false, + "solution": "

This is an informational alert rather than a vulnerability and so there is nothing to fix.

", + "otherinfo": "

json:authentication.token

", + "reference": "

https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/

", + "cweid": "-1", + "wascid": "-1", + "sourceid": "13" + }, + { + "pluginid": "10104", + "alertRef": "10104", + "alert": "User Agent Fuzzer", + "name": "User Agent Fuzzer", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

", + "instances":[ + { + "id": "1510", + "uri": "http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PuSMt9s&sid=qnBwuHSpBhyPeHniAAA0", + "nodeName": "http:\/\/localhost:3000\/socket.io\/ (EIO,sid,t,transport)", + "method": "GET", + "param": "Header User-Agent", + "attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", + "evidence": "", + "otherinfo": "" + }, + { + "id": "1509", + "uri": "http://localhost:3000/socket.io/?EIO=4&transport=websocket&sid=qnBwuHSpBhyPeHniAAA0", + "nodeName": "http:\/\/localhost:3000\/socket.io\/ (EIO,sid,transport)", + "method": "GET", + "param": "Header User-Agent", + "attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", + "evidence": "", + "otherinfo": "" + }, + { + "id": "1508", + "uri": "http://localhost:3000/socket.io/?EIO=4&transport=polling&t=PuSMt79", + "nodeName": "http:\/\/localhost:3000\/socket.io\/ (EIO,t,transport)", + "method": "GET", + "param": "Header User-Agent", + "attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", + "evidence": "", + "otherinfo": "" + } + ], + "count": "3", + "systemic": true, + "solution": "", + "otherinfo": "", + "reference": "

https://owasp.org/wstg

", + "cweid": "0", + "wascid": "0", + "sourceid": "1860" + } + ] + } + ], + "sequences":[ + ] + +} diff --git a/labs/lab5/zap/zap-report-noauth.json b/labs/lab5/zap/zap-report-noauth.json new file mode 100644 index 00000000..5228115e --- /dev/null +++ b/labs/lab5/zap/zap-report-noauth.json @@ -0,0 +1,895 @@ +{ + "@programName": "ZAP", + "@version": "2.17.0", + "@generated": "Tue, 12 May 2026 13:14:17", + "created": "2026-05-12T13:14:17.510228739Z", + "insights":[ + { + "level": "Low", + "reason": "Warning", + "site": "", + "key": "insight.log.warn", + "description": "ZAP warnings logged - see the zap.log file for details", + "statistic": "1" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.code.2xx", + "description": "Percentage of responses with status code 2xx", + "statistic": "91" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.code.4xx", + "description": "Percentage of responses with status code 4xx", + "statistic": "8" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.ctype.application/javascript", + "description": "Percentage of endpoints with content type application/javascript", + "statistic": "5" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.ctype.application/octet-stream", + "description": "Percentage of endpoints with content type application/octet-stream", + "statistic": "6" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.ctype.image/x-icon", + "description": "Percentage of endpoints with content type image/x-icon", + "statistic": "1" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.ctype.text/css", + "description": "Percentage of endpoints with content type text/css", + "statistic": "1" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.ctype.text/html", + "description": "Percentage of endpoints with content type text/html", + "statistic": "79" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.ctype.text/markdown", + "description": "Percentage of endpoints with content type text/markdown", + "statistic": "4" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.ctype.text/plain", + "description": "Percentage of endpoints with content type text/plain", + "statistic": "1" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.method.GET", + "description": "Percentage of endpoints with method GET", + "statistic": "100" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.endpoint.total", + "description": "Count of total endpoints", + "statistic": "72" + }, + { + "level": "Info", + "reason": "Informational", + "site": "http://localhost:3000", + "key": "insight.response.slow", + "description": "Percentage of slow responses", + "statistic": "14" + } + ], + "site":[ + { + "@name": "http://localhost:3000", + "@host": "localhost", + "@port": "3000", + "@ssl": "false", + "alerts": [ + { + "pluginid": "10038", + "alertRef": "10038-1", + "alert": "Content Security Policy (CSP) Header Not Set", + "name": "Content Security Policy (CSP) Header Not Set", + "riskcode": "2", + "confidence": "3", + "riskdesc": "Medium (High)", + "desc": "

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page \u2014 covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

", + "instances":[ + { + "id": "7", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "70", + "uri": "http://localhost:3000/ftp/coupons_2013.md.bak", + "nodeName": "http:\/\/localhost:3000\/ftp\/coupons_2013.md.bak", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "69", + "uri": "http://localhost:3000/ftp/eastere.gg", + "nodeName": "http:\/\/localhost:3000\/ftp\/eastere.gg", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "73", + "uri": "http://localhost:3000/ftp/suspicious_errors.yml", + "nodeName": "http:\/\/localhost:3000\/ftp\/suspicious_errors.yml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "5", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

", + "otherinfo": "", + "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP

https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

https://www.w3.org/TR/CSP/

https://w3c.github.io/webappsec-csp/

https://web.dev/articles/csp

https://caniuse.com/#feat=contentsecuritypolicy

https://content-security-policy.com/

", + "cweid": "693", + "wascid": "15", + "sourceid": "8" + }, + { + "pluginid": "10098", + "alertRef": "10098", + "alert": "Cross-Domain Misconfiguration", + "name": "Cross-Domain Misconfiguration", + "riskcode": "2", + "confidence": "2", + "riskdesc": "Medium (Medium)", + "desc": "

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

", + "instances":[ + { + "id": "0", + "uri": "http://localhost:3000/assets/public/favicon_js.ico", + "nodeName": "http:\/\/localhost:3000\/assets\/public\/favicon_js.ico", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Access-Control-Allow-Origin: *", + "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing." + }, + { + "id": "4", + "uri": "http://localhost:3000/polyfills.js", + "nodeName": "http:\/\/localhost:3000\/polyfills.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Access-Control-Allow-Origin: *", + "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing." + }, + { + "id": "1", + "uri": "http://localhost:3000/robots.txt", + "nodeName": "http:\/\/localhost:3000\/robots.txt", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Access-Control-Allow-Origin: *", + "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing." + }, + { + "id": "2", + "uri": "http://localhost:3000/runtime.js", + "nodeName": "http:\/\/localhost:3000\/runtime.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Access-Control-Allow-Origin: *", + "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing." + }, + { + "id": "3", + "uri": "http://localhost:3000/styles.css", + "nodeName": "http:\/\/localhost:3000\/styles.css", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Access-Control-Allow-Origin: *", + "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing." + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

Configure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

", + "otherinfo": "

The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

", + "reference": "

https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy

", + "cweid": "264", + "wascid": "14", + "sourceid": "15" + }, + { + "pluginid": "10017", + "alertRef": "10017", + "alert": "Cross-Domain JavaScript Source File Inclusion", + "name": "Cross-Domain JavaScript Source File Inclusion", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

The page includes one or more script files from a third-party domain.

", + "instances":[ + { + "id": "11", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "12", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "98", + "uri": "http://localhost:3000/", + "nodeName": "http:\/\/localhost:3000\/", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "8", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "10", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

", + "otherinfo": "", + "reference": "", + "cweid": "829", + "wascid": "15", + "sourceid": "8" + }, + { + "pluginid": "90004", + "alertRef": "90004-2", + "alert": "Cross-Origin-Embedder-Policy Header Missing or Invalid", + "name": "Cross-Origin-Embedder-Policy Header Missing or Invalid", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).

", + "instances":[ + { + "id": "57", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "108", + "uri": "http://localhost:3000/", + "nodeName": "http:\/\/localhost:3000\/", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "95", + "uri": "http://localhost:3000/ftp", + "nodeName": "http:\/\/localhost:3000\/ftp", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "111", + "uri": "http://localhost:3000/juice-shop/node_modules/express/lib/router/layer.js:95:5", + "nodeName": "http:\/\/localhost:3000\/juice-shop\/node_modules\/express\/lib\/router\/layer.js:95:5", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "58", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + } + ], + "count": "5", + "systemic": false, + "solution": "

Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).

", + "otherinfo": "", + "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy

", + "cweid": "693", + "wascid": "14", + "sourceid": "8" + }, + { + "pluginid": "90004", + "alertRef": "90004-3", + "alert": "Cross-Origin-Opener-Policy Header Missing or Invalid", + "name": "Cross-Origin-Opener-Policy Header Missing or Invalid", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.

", + "instances":[ + { + "id": "59", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "109", + "uri": "http://localhost:3000/", + "nodeName": "http:\/\/localhost:3000\/", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "96", + "uri": "http://localhost:3000/ftp", + "nodeName": "http:\/\/localhost:3000\/ftp", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "114", + "uri": "http://localhost:3000/juice-shop/node_modules/express/lib/router/layer.js:95:5", + "nodeName": "http:\/\/localhost:3000\/juice-shop\/node_modules\/express\/lib\/router\/layer.js:95:5", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "60", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + } + ], + "count": "5", + "systemic": false, + "solution": "

Ensure that the application/web server sets the Cross-Origin-Opener-Policy header appropriately, and that it sets the Cross-Origin-Opener-Policy header to 'same-origin' for documents.

'same-origin-allow-popups' is considered as less secured and should be avoided.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Opener-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-opener-policy).

", + "otherinfo": "", + "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy

", + "cweid": "693", + "wascid": "14", + "sourceid": "8" + }, + { + "pluginid": "10110", + "alertRef": "10110", + "alert": "Dangerous JS Functions", + "name": "Dangerous JS Functions", + "riskcode": "1", + "confidence": "1", + "riskdesc": "Low (Low)", + "desc": "

A dangerous JS function seems to be in use that would leave the site vulnerable.

", + "instances":[ + { + "id": "67", + "uri": "http://localhost:3000/main.js", + "nodeName": "http:\/\/localhost:3000\/main.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "bypassSecurityTrustHtml(", + "otherinfo": "" + }, + { + "id": "119", + "uri": "http://localhost:3000/vendor.js", + "nodeName": "http:\/\/localhost:3000\/vendor.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "bypassSecurityTrustHtml(", + "otherinfo": "" + } + ], + "count": "2", + "systemic": false, + "solution": "

See the references for security advice on the use of these functions.

", + "otherinfo": "", + "reference": "

https://v17.angular.io/guide/security

", + "cweid": "749", + "wascid": "-1", + "sourceid": "22" + }, + { + "pluginid": "10063", + "alertRef": "10063-2", + "alert": "Deprecated Feature Policy Header Set", + "name": "Deprecated Feature Policy Header Set", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

The header has now been renamed to Permissions-Policy.

", + "instances":[ + { + "id": "55", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + }, + { + "id": "68", + "uri": "http://localhost:3000/main.js", + "nodeName": "http:\/\/localhost:3000\/main.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + }, + { + "id": "52", + "uri": "http://localhost:3000/polyfills.js", + "nodeName": "http:\/\/localhost:3000\/polyfills.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + }, + { + "id": "49", + "uri": "http://localhost:3000/runtime.js", + "nodeName": "http:\/\/localhost:3000\/runtime.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + }, + { + "id": "56", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header instead of the Feature-Policy header.

", + "otherinfo": "", + "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy

https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

", + "cweid": "16", + "wascid": "15", + "sourceid": "8" + }, + { + "pluginid": "10096", + "alertRef": "10096", + "alert": "Timestamp Disclosure - Unix", + "name": "Timestamp Disclosure - Unix", + "riskcode": "1", + "confidence": "1", + "riskdesc": "Low (Low)", + "desc": "

A timestamp was disclosed by the application/web server. - Unix

", + "instances":[ + { + "id": "21", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1650485437", + "otherinfo": "1650485437, which evaluates to: 2022-04-20 20:10:37." + }, + { + "id": "25", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1981395349", + "otherinfo": "1981395349, which evaluates to: 2032-10-14 19:35:49." + }, + { + "id": "24", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "2038834951", + "otherinfo": "2038834951, which evaluates to: 2034-08-10 15:02:31." + }, + { + "id": "22", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1650485437", + "otherinfo": "1650485437, which evaluates to: 2022-04-20 20:10:37." + }, + { + "id": "23", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "2038834951", + "otherinfo": "2038834951, which evaluates to: 2034-08-10 15:02:31." + } + ], + "count": "5", + "systemic": true, + "solution": "

Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

", + "otherinfo": "

1650485437, which evaluates to: 2022-04-20 20:10:37.

", + "reference": "

https://cwe.mitre.org/data/definitions/200.html

", + "cweid": "497", + "wascid": "13", + "sourceid": "8" + }, + { + "pluginid": "10109", + "alertRef": "10109", + "alert": "Modern Web Application", + "name": "Modern Web Application", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

", + "instances":[ + { + "id": "18", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "105", + "uri": "http://localhost:3000/", + "nodeName": "http:\/\/localhost:3000\/", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "110", + "uri": "http://localhost:3000/juice-shop/node_modules/express/lib/router/index.js:328:13", + "nodeName": "http:\/\/localhost:3000\/juice-shop\/node_modules\/express\/lib\/router\/index.js:328:13", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "107", + "uri": "http://localhost:3000/juice-shop/node_modules/express/lib/router/layer.js:95:5", + "nodeName": "http:\/\/localhost:3000\/juice-shop\/node_modules\/express\/lib\/router\/layer.js:95:5", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "19", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + } + ], + "count": "5", + "systemic": true, + "solution": "

This is an informational alert and so no changes are required.

", + "otherinfo": "

No links have been found while there are scripts, which is an indication that this is a modern web application.

", + "reference": "", + "cweid": "-1", + "wascid": "-1", + "sourceid": "8" + }, + { + "pluginid": "10049", + "alertRef": "10049-1", + "alert": "Non-Storable Content", + "name": "Non-Storable Content", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.

", + "instances":[ + { + "id": "80", + "uri": "http://localhost:3000/ftp/eastere.gg", + "nodeName": "http:\/\/localhost:3000\/ftp\/eastere.gg", + "method": "GET", + "param": "", + "attack": "", + "evidence": "403", + "otherinfo": "" + }, + { + "id": "88", + "uri": "http://localhost:3000/ftp/encrypt.pyc", + "nodeName": "http:\/\/localhost:3000\/ftp\/encrypt.pyc", + "method": "GET", + "param": "", + "attack": "", + "evidence": "403", + "otherinfo": "" + }, + { + "id": "87", + "uri": "http://localhost:3000/ftp/package-lock.json.bak", + "nodeName": "http:\/\/localhost:3000\/ftp\/package-lock.json.bak", + "method": "GET", + "param": "", + "attack": "", + "evidence": "403", + "otherinfo": "" + }, + { + "id": "86", + "uri": "http://localhost:3000/ftp/package.json.bak", + "nodeName": "http:\/\/localhost:3000\/ftp\/package.json.bak", + "method": "GET", + "param": "", + "attack": "", + "evidence": "403", + "otherinfo": "" + }, + { + "id": "85", + "uri": "http://localhost:3000/ftp/suspicious_errors.yml", + "nodeName": "http:\/\/localhost:3000\/ftp\/suspicious_errors.yml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "403", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

The content may be marked as storable by ensuring that the following conditions are satisfied:

The request method must be understood by the cache and defined as being cacheable (\"GET\", \"HEAD\", and \"POST\" are currently defined as cacheable)

The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)

The \"no-store\" cache directive must not appear in the request or response header fields

For caching by \"shared\" caches such as \"proxy\" caches, the \"private\" response directive must not appear in the response

For caching by \"shared\" caches such as \"proxy\" caches, the \"Authorization\" header field must not appear in the request, unless the response explicitly allows it (using one of the \"must-revalidate\", \"public\", or \"s-maxage\" Cache-Control response directives)

In addition to the conditions above, at least one of the following conditions must also be satisfied by the response:

It must contain an \"Expires\" header field

It must contain a \"max-age\" response directive

For \"shared\" caches such as \"proxy\" caches, it must contain a \"s-maxage\" response directive

It must contain a \"Cache Control Extension\" that allows it to be cached

It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).

", + "otherinfo": "", + "reference": "

https://datatracker.ietf.org/doc/html/rfc7234

https://datatracker.ietf.org/doc/html/rfc7231

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

", + "cweid": "524", + "wascid": "13", + "sourceid": "38" + }, + { + "pluginid": "10049", + "alertRef": "10049-3", + "alert": "Storable and Cacheable Content", + "name": "Storable and Cacheable Content", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where \"shared\" caching servers such as \"proxy\" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

", + "instances":[ + { + "id": "46", + "uri": "http://localhost:3000/robots.txt", + "nodeName": "http:\/\/localhost:3000\/robots.txt", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234." + } + ], + "count": "1", + "systemic": false, + "solution": "

Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:

Cache-Control: no-cache, no-store, must-revalidate, private

Pragma: no-cache

Expires: 0

This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.

", + "otherinfo": "

In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.

", + "reference": "

https://datatracker.ietf.org/doc/html/rfc7234

https://datatracker.ietf.org/doc/html/rfc7231

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

", + "cweid": "524", + "wascid": "13", + "sourceid": "6" + }, + { + "pluginid": "10049", + "alertRef": "10049-2", + "alert": "Storable but Non-Cacheable Content", + "name": "Storable but Non-Cacheable Content", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.

", + "instances":[ + { + "id": "53", + "uri": "http://localhost:3000", + "nodeName": "http:\/\/localhost:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + }, + { + "id": "47", + "uri": "http://localhost:3000/assets/public/favicon_js.ico", + "nodeName": "http:\/\/localhost:3000\/assets\/public\/favicon_js.ico", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + }, + { + "id": "51", + "uri": "http://localhost:3000/polyfills.js", + "nodeName": "http:\/\/localhost:3000\/polyfills.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + }, + { + "id": "48", + "uri": "http://localhost:3000/runtime.js", + "nodeName": "http:\/\/localhost:3000\/runtime.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + }, + { + "id": "54", + "uri": "http://localhost:3000/sitemap.xml", + "nodeName": "http:\/\/localhost:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "", + "otherinfo": "", + "reference": "

https://datatracker.ietf.org/doc/html/rfc7234

https://datatracker.ietf.org/doc/html/rfc7231

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

", + "cweid": "524", + "wascid": "13", + "sourceid": "8" + } + ] + } + ], + "sequences":[ + ] + +} diff --git a/labs/lab5/zap/zap.yaml b/labs/lab5/zap/zap.yaml new file mode 100644 index 00000000..d1e52088 --- /dev/null +++ b/labs/lab5/zap/zap.yaml @@ -0,0 +1,40 @@ +env: + contexts: + - excludePaths: [] + name: baseline + urls: + - http://localhost:3000 + parameters: + failOnError: true + progressToStdout: false +jobs: +- parameters: + enableTags: false + maxAlertsPerRule: 10 + type: passiveScan-config +- parameters: + maxDuration: 1 + url: http://localhost:3000 + type: spider +- parameters: + maxDuration: 0 + type: passiveScan-wait +- parameters: + format: Long + summaryFile: /home/zap/zap_out.json + rules: [] + type: outputSummary +- parameters: + reportDescription: '' + reportDir: /zap/wrk/ + reportFile: report-noauth.html + reportTitle: ZAP Scanning Report + template: traditional-html + type: report +- parameters: + reportDescription: '' + reportDir: /zap/wrk/ + reportFile: zap-report-noauth.json + reportTitle: ZAP Scanning Report + template: traditional-json + type: report diff --git a/labs/submission5.md b/labs/submission5.md new file mode 100644 index 00000000..baaefaf7 --- /dev/null +++ b/labs/submission5.md @@ -0,0 +1,205 @@ +# Task 1 + +In `labs/submission5.md`, document: + +**Required Sections:** + +1. SAST Tool Effectiveness: + - Describe what types of vulnerabilities Semgrep detected + - Evaluate coverage (how many files scanned, how many findings) + +2. Critical Vulnerability Analysis: + - List **5 most critical findings** from Semgrep results + - For each vulnerability include: + - Vulnerability type (e.g., SQL Injection, Hardcoded Secret) + - File path and line number + - Severity level + +## SAST Effectiveness + +Semgrep detected mainly injection and storage vulnerabilities (user-tainted input, credentials store). Out of 1014 tracked files, it found 26 vulnerabilities. + +## Critical Vulnerability Analysis + +Top-5: +- Variable interpolation, ``yaml.github-actions.security.run-shell-injection.run-shell-injection``, line 24 +- SQL injection, ``/src/data/static/codefixes/dbSchemaChallenge_1.ts``, line 5 +- SQL injection, ``/src/data/static/codefixes/dbSchemaChallenge_3.ts``, line 11 +- SQL injection, ``/src/data/static/codefixes/unionSqlInjectionChallenge_1.ts``, line 6 +- SQL injection, ``/src/data/static/codefixes/unionSqlInjectionChallenge_3.ts``, line 10 + +# Task 2 + +## ZAP Scan Comparison: Authenticated vs Unauthenticated +Generated: Вт 12 мая 2026 16:28:08 MSK + +Unauthenticated Scan: +- Total alerts: 12 +- High: 0 +- Medium: 2 +- Low: 6 +- Info: 4 +- Unique URLs with findings: 19 + +Authenticated Scan: +- Total alerts: 13 +- High: 1 +- Medium: 4 +- Low: 4 +- Info: 4 +- Unique URLs with findings: 23 + +Example admin endpoint: ``http://localhost:3000/rest/admin/application-configuration`` + +### Why authenticated scanning matters for security testing: +Authenticated scanning lets ZAP test parts of the application that are only available after login, such as user pages, internal forms, and protected API endpoints. This is important because many serious vulnerabilities cannot be detected from public access alone. + +## Tool comparison matrix + +|Tool|Findings|Severity Breakdown|Best Use Case| +|-|-|-|-| +|ZAP|12(unauth)+13(auth)|1 high 6 med 10 low| Broad DAST for webapp/API in real workflow | +|Nuclei|||Template checks across many targets| +|Nikto|2 error(s) and 80 item(s) reported on remote host|2 errors 80 warns|Basic misconfig/outdated components| +|SQLmap|||Deep SQL injection scan| + +Some of the tools didn't work via provided commands. + +# Task 3 +## SAST/DAST Correlation Report + +Security Testing Results Summary: + +- SAST (Semgrep): 26 code-level findings +- DAST (ZAP authenticated): 8 alerts +- DAST (Nuclei): 0 template matches +- DAST (Nikto): 82 server issues +- DAST (SQLmap): 0 SQL injection vulnerabilities + +## Key Insights: + + + SAST (Static Analysis): + - Finds code-level vulnerabilities before deployment + - Detects: hardcoded secrets, SQL injection patterns, insecure crypto + - Fast feedback in development phase + + DAST (Dynamic Analysis): + - Finds runtime configuration and deployment issues + - Detects: missing security headers, authentication flaws, server misconfigs + - Authenticated scanning reveals 60%+ more attack surface + + Recommendation: Use BOTH approaches for comprehensive security coverage + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` + +```shell + +``` +