ZAP by Checkmarx Scanning Report

About this report

Report parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

https://whitej20.eastus.cloudapp.azure.com

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: User Confirmed, High, Medium, Low, False Positive

Summaries

Alert counts by risk and confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)
		User Confirmed	High	Medium	Low	Total
		Confidence
Risk	High	0 (0.0%)	0 (0.0%)	0 (0.0%)	0 (0.0%)	0 (0.0%)
	Medium	0 (0.0%)	1 (11.1%)	1 (11.1%)	1 (11.1%)	3 (33.3%)
	Low	0 (0.0%)	2 (22.2%)	1 (11.1%)	0 (0.0%)	3 (33.3%)
	Informational	0 (0.0%)	1 (11.1%)	1 (11.1%)	1 (11.1%)	3 (33.3%)
	Total	0 (0.0%)	4 (44.4%)	3 (33.3%)	2 (22.2%)	9 (100%)

Alert counts by site and risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)
		High (= High)	Medium (>= Medium)	Low (>= Low)	Informational (>= Informational)
		Risk
Site	https://whitej20.eastus.cloudapp.azure.com	0 (0)	3 (3)	3 (6)	3 (9)

Alert counts by alert type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)
Alert type	Risk	Count
Absence of Anti-CSRF Tokens	Medium	1 (11.1%)
Content Security Policy (CSP) Header Not Set	Medium	4 (44.4%)
Missing Anti-clickjacking Header	Medium	2 (22.2%)
Server Leaks Version Information via "Server" HTTP Response Header Field	Low	4 (44.4%)
Strict-Transport-Security Header Not Set	Low	4 (44.4%)
X-Content-Type-Options Header Missing	Low	2 (22.2%)
GET for POST	Informational	1 (11.1%)
Re-examine Cache-control Directives	Informational	1 (11.1%)
User Agent Fuzzer	Informational	12 (133.3%)
Total		9

Alerts

Risk=Medium, Confidence=High (1)

https://whitej20.eastus.cloudapp.azure.com (1)

Content Security Policy (CSP) Header Not Set (1)

GET https://whitej20.eastus.cloudapp.azure.com/robots.txt

Alert tags	CWE-693 OWASP_2021_A05 OWASP_2017_A06
Alert description	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Request	Request line and header section (249 bytes) `GET https://whitej20.eastus.cloudapp.azure.com/robots.txt HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 pragma: no-cache cache-control: no-cache` Request body (0 bytes)
Response	Status line and header section (161 bytes) `HTTP/1.1 404 Not Found Date: Sat, 16 Nov 2024 01:36:41 GMT Server: Apache/2.4.58 (Ubuntu) Content-Length: 297 Content-Type: text/html; charset=iso-8859-1` Response body (297 bytes) `<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p>The requested URL was not found on this server.</p> <hr> <address>Apache/2.4.58 (Ubuntu) Server at whitej20.eastus.cloudapp.azure.com Port 443</address> </body></html>`
Solution	Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

Risk=Medium, Confidence=Medium (1)

https://whitej20.eastus.cloudapp.azure.com (1)

Missing Anti-clickjacking Header (1)

GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/

Alert tags	WSTG-v42-CLNT-09 OWASP_2021_A05 OWASP_2017_A06 CWE-1021
Alert description	The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.
Request	Request line and header section (267 bytes) `GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 pragma: no-cache cache-control: no-cache` Request body (0 bytes)
Response	Status line and header section (173 bytes) `HTTP/1.1 200 OK Date: Sat, 16 Nov 2024 01:36:41 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 4048 Content-Type: text/html; charset=UTF-8` Response body (4048 bytes) <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather and Holidays</title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f4f4f4; } .container { display: grid; grid-template-rows: auto 1fr 1fr; grid-template-columns: 1fr; row-gap: 20px; width: 90%; max-width: 800px; text-align: center; } .current-weather { background-color: #4d8eff; border-radius: 15px; padding: 20px; display: flex; flex-direction: column; justify-content: center; align-items: center; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); color: white; text-align: center; /* cursor: pointer; / } .forecast { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; } .forecast-day { background-color: #66c2ff; border-radius: 10px; padding: 10px; text-align: center; color: white; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); } .forecast-day h3 { margin-top: 0; } / Mobile responsiveness / @media (max-width: 600px) { button{ width: 100%; font-size: 16px; } .forecast { grid-template-columns: 1fr 1fr; grid-template-rows: 1fr 1fr; } } / Styling the button */ .fetch-button { padding: 10px 20px; font-size: 16px; background-color: #0027d4; color: white; border: none; border-radius: 10px; cursor: pointer; transition: background-color 0.3s ease; } .fetch-button:hover { background-color: #0056b3; } </style> </head> <body> <div class="container"> <!-- Weather Fetch Button --> <form id="weather-form" method="post"> <button type="submit" name="fetch_weather" class="fetch-button">Fetch Weather</button> </form> <div id="current-weather" class="current-weather"> <h1 id="current-date">Current Weather in Troy, NY</h1> <p id="current-temp">Temperature: --°F</p> <p id="current-condition">Condition: --</p> <p id="current-holiday">Holiday: --</p> </div> <div class="forecast"> <div class="forecast-day"> <h3 id="day1-date">Day 1</h3> <p id="day1-high">High: --°F</p> <p id="day1-low">Low: --°F</p> <p id="day1-condition">Condition: --</p> <p id="day1-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day2-date">Day 2</h3> <p id="day2-high">High: --°F</p> <p id="day2-low">Low: --°F</p> <p id="day2-condition">Condition: --</p> <p id="day2-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day3-date">Day 3</h3> <p id="day3-high">High: --°F</p> <p id="day3-low">Low: --°F</p> <p id="day3-condition">Condition: --</p> <p id="day3-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day4-date">Day 4</h3> <p id="day4-high">High: --°F</p> <p id="day4-low">Low: --°F</p> <p id="day4-condition">Condition: --</p> <p id="day4-holiday">Holiday: --</p> </div> </div> </div> </body> </html>
Parameter	`x-frame-options`
Solution	Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

Risk=Medium, Confidence=Low (1)

https://whitej20.eastus.cloudapp.azure.com (1)

Absence of Anti-CSRF Tokens (1)

POST https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/

Alert tags	OWASP_2021_A01 WSTG-v42-SESS-05 OWASP_2017_A05 CWE-352
Alert description	No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.
Other info	No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "" ].
Request	Request line and header section (418 bytes) `POST https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 pragma: no-cache cache-control: no-cache content-type: application/x-www-form-urlencoded referer: https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ content-length: 0` Request body (0 bytes)
Response	Status line and header section (173 bytes) `HTTP/1.1 200 OK Date: Sat, 16 Nov 2024 01:36:41 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 4048 Content-Type: text/html; charset=UTF-8` Response body (4048 bytes) <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather and Holidays</title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f4f4f4; } .container { display: grid; grid-template-rows: auto 1fr 1fr; grid-template-columns: 1fr; row-gap: 20px; width: 90%; max-width: 800px; text-align: center; } .current-weather { background-color: #4d8eff; border-radius: 15px; padding: 20px; display: flex; flex-direction: column; justify-content: center; align-items: center; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); color: white; text-align: center; /* cursor: pointer; / } .forecast { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; } .forecast-day { background-color: #66c2ff; border-radius: 10px; padding: 10px; text-align: center; color: white; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); } .forecast-day h3 { margin-top: 0; } / Mobile responsiveness / @media (max-width: 600px) { button{ width: 100%; font-size: 16px; } .forecast { grid-template-columns: 1fr 1fr; grid-template-rows: 1fr 1fr; } } / Styling the button */ .fetch-button { padding: 10px 20px; font-size: 16px; background-color: #0027d4; color: white; border: none; border-radius: 10px; cursor: pointer; transition: background-color 0.3s ease; } .fetch-button:hover { background-color: #0056b3; } </style> </head> <body> <div class="container"> <!-- Weather Fetch Button --> <form id="weather-form" method="post"> <button type="submit" name="fetch_weather" class="fetch-button">Fetch Weather</button> </form> <div id="current-weather" class="current-weather"> <h1 id="current-date">Current Weather in Troy, NY</h1> <p id="current-temp">Temperature: --°F</p> <p id="current-condition">Condition: --</p> <p id="current-holiday">Holiday: --</p> </div> <div class="forecast"> <div class="forecast-day"> <h3 id="day1-date">Day 1</h3> <p id="day1-high">High: --°F</p> <p id="day1-low">Low: --°F</p> <p id="day1-condition">Condition: --</p> <p id="day1-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day2-date">Day 2</h3> <p id="day2-high">High: --°F</p> <p id="day2-low">Low: --°F</p> <p id="day2-condition">Condition: --</p> <p id="day2-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day3-date">Day 3</h3> <p id="day3-high">High: --°F</p> <p id="day3-low">Low: --°F</p> <p id="day3-condition">Condition: --</p> <p id="day3-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day4-date">Day 4</h3> <p id="day4-high">High: --°F</p> <p id="day4-low">Low: --°F</p> <p id="day4-condition">Condition: --</p> <p id="day4-holiday">Holiday: --</p> </div> </div> </div> </body> </html>
Evidence	`<form id="weather-form" method="post">`
Solution	Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.

Risk=Low, Confidence=High (2)

https://whitej20.eastus.cloudapp.azure.com (2)

Server Leaks Version Information via "Server" HTTP Response Header Field (1)

GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/

Alert tags	OWASP_2021_A05 OWASP_2017_A06 WSTG-v42-INFO-02 CWE-200
Alert description	The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.
Request	Request line and header section (267 bytes) `GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 pragma: no-cache cache-control: no-cache` Request body (0 bytes)
Response	Status line and header section (173 bytes) `HTTP/1.1 200 OK Date: Sat, 16 Nov 2024 01:36:41 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 4048 Content-Type: text/html; charset=UTF-8` Response body (4048 bytes) <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather and Holidays</title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f4f4f4; } .container { display: grid; grid-template-rows: auto 1fr 1fr; grid-template-columns: 1fr; row-gap: 20px; width: 90%; max-width: 800px; text-align: center; } .current-weather { background-color: #4d8eff; border-radius: 15px; padding: 20px; display: flex; flex-direction: column; justify-content: center; align-items: center; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); color: white; text-align: center; /* cursor: pointer; / } .forecast { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; } .forecast-day { background-color: #66c2ff; border-radius: 10px; padding: 10px; text-align: center; color: white; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); } .forecast-day h3 { margin-top: 0; } / Mobile responsiveness / @media (max-width: 600px) { button{ width: 100%; font-size: 16px; } .forecast { grid-template-columns: 1fr 1fr; grid-template-rows: 1fr 1fr; } } / Styling the button */ .fetch-button { padding: 10px 20px; font-size: 16px; background-color: #0027d4; color: white; border: none; border-radius: 10px; cursor: pointer; transition: background-color 0.3s ease; } .fetch-button:hover { background-color: #0056b3; } </style> </head> <body> <div class="container"> <!-- Weather Fetch Button --> <form id="weather-form" method="post"> <button type="submit" name="fetch_weather" class="fetch-button">Fetch Weather</button> </form> <div id="current-weather" class="current-weather"> <h1 id="current-date">Current Weather in Troy, NY</h1> <p id="current-temp">Temperature: --°F</p> <p id="current-condition">Condition: --</p> <p id="current-holiday">Holiday: --</p> </div> <div class="forecast"> <div class="forecast-day"> <h3 id="day1-date">Day 1</h3> <p id="day1-high">High: --°F</p> <p id="day1-low">Low: --°F</p> <p id="day1-condition">Condition: --</p> <p id="day1-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day2-date">Day 2</h3> <p id="day2-high">High: --°F</p> <p id="day2-low">Low: --°F</p> <p id="day2-condition">Condition: --</p> <p id="day2-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day3-date">Day 3</h3> <p id="day3-high">High: --°F</p> <p id="day3-low">Low: --°F</p> <p id="day3-condition">Condition: --</p> <p id="day3-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day4-date">Day 4</h3> <p id="day4-high">High: --°F</p> <p id="day4-low">Low: --°F</p> <p id="day4-condition">Condition: --</p> <p id="day4-holiday">Holiday: --</p> </div> </div> </div> </body> </html>
Evidence	`Apache/2.4.58 (Ubuntu)`
Solution	Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.

Strict-Transport-Security Header Not Set (1)

GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/

Alert tags	OWASP_2021_A05 OWASP_2017_A06 CWE-319
Alert description	HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.
Request	Request line and header section (267 bytes) `GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 pragma: no-cache cache-control: no-cache` Request body (0 bytes)
Response	Status line and header section (173 bytes) `HTTP/1.1 200 OK Date: Sat, 16 Nov 2024 01:36:41 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 4048 Content-Type: text/html; charset=UTF-8` Response body (4048 bytes) <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather and Holidays</title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f4f4f4; } .container { display: grid; grid-template-rows: auto 1fr 1fr; grid-template-columns: 1fr; row-gap: 20px; width: 90%; max-width: 800px; text-align: center; } .current-weather { background-color: #4d8eff; border-radius: 15px; padding: 20px; display: flex; flex-direction: column; justify-content: center; align-items: center; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); color: white; text-align: center; /* cursor: pointer; / } .forecast { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; } .forecast-day { background-color: #66c2ff; border-radius: 10px; padding: 10px; text-align: center; color: white; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); } .forecast-day h3 { margin-top: 0; } / Mobile responsiveness / @media (max-width: 600px) { button{ width: 100%; font-size: 16px; } .forecast { grid-template-columns: 1fr 1fr; grid-template-rows: 1fr 1fr; } } / Styling the button */ .fetch-button { padding: 10px 20px; font-size: 16px; background-color: #0027d4; color: white; border: none; border-radius: 10px; cursor: pointer; transition: background-color 0.3s ease; } .fetch-button:hover { background-color: #0056b3; } </style> </head> <body> <div class="container"> <!-- Weather Fetch Button --> <form id="weather-form" method="post"> <button type="submit" name="fetch_weather" class="fetch-button">Fetch Weather</button> </form> <div id="current-weather" class="current-weather"> <h1 id="current-date">Current Weather in Troy, NY</h1> <p id="current-temp">Temperature: --°F</p> <p id="current-condition">Condition: --</p> <p id="current-holiday">Holiday: --</p> </div> <div class="forecast"> <div class="forecast-day"> <h3 id="day1-date">Day 1</h3> <p id="day1-high">High: --°F</p> <p id="day1-low">Low: --°F</p> <p id="day1-condition">Condition: --</p> <p id="day1-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day2-date">Day 2</h3> <p id="day2-high">High: --°F</p> <p id="day2-low">Low: --°F</p> <p id="day2-condition">Condition: --</p> <p id="day2-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day3-date">Day 3</h3> <p id="day3-high">High: --°F</p> <p id="day3-low">Low: --°F</p> <p id="day3-condition">Condition: --</p> <p id="day3-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day4-date">Day 4</h3> <p id="day4-high">High: --°F</p> <p id="day4-low">Low: --°F</p> <p id="day4-condition">Condition: --</p> <p id="day4-holiday">Holiday: --</p> </div> </div> </div> </body> </html>
Solution	Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.

Risk=Low, Confidence=Medium (1)

https://whitej20.eastus.cloudapp.azure.com (1)

X-Content-Type-Options Header Missing (1)

POST https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/

Alert tags	CWE-693 OWASP_2021_A05 OWASP_2017_A06
Alert description	The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Other info	This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. At "High" threshold this scan rule will not alert on client or server error responses.
Request	Request line and header section (418 bytes) `POST https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 pragma: no-cache cache-control: no-cache content-type: application/x-www-form-urlencoded referer: https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ content-length: 0` Request body (0 bytes)
Response	Status line and header section (173 bytes) `HTTP/1.1 200 OK Date: Sat, 16 Nov 2024 01:36:41 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 4048 Content-Type: text/html; charset=UTF-8` Response body (4048 bytes) <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather and Holidays</title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f4f4f4; } .container { display: grid; grid-template-rows: auto 1fr 1fr; grid-template-columns: 1fr; row-gap: 20px; width: 90%; max-width: 800px; text-align: center; } .current-weather { background-color: #4d8eff; border-radius: 15px; padding: 20px; display: flex; flex-direction: column; justify-content: center; align-items: center; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); color: white; text-align: center; /* cursor: pointer; / } .forecast { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; } .forecast-day { background-color: #66c2ff; border-radius: 10px; padding: 10px; text-align: center; color: white; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); } .forecast-day h3 { margin-top: 0; } / Mobile responsiveness / @media (max-width: 600px) { button{ width: 100%; font-size: 16px; } .forecast { grid-template-columns: 1fr 1fr; grid-template-rows: 1fr 1fr; } } / Styling the button */ .fetch-button { padding: 10px 20px; font-size: 16px; background-color: #0027d4; color: white; border: none; border-radius: 10px; cursor: pointer; transition: background-color 0.3s ease; } .fetch-button:hover { background-color: #0056b3; } </style> </head> <body> <div class="container"> <!-- Weather Fetch Button --> <form id="weather-form" method="post"> <button type="submit" name="fetch_weather" class="fetch-button">Fetch Weather</button> </form> <div id="current-weather" class="current-weather"> <h1 id="current-date">Current Weather in Troy, NY</h1> <p id="current-temp">Temperature: --°F</p> <p id="current-condition">Condition: --</p> <p id="current-holiday">Holiday: --</p> </div> <div class="forecast"> <div class="forecast-day"> <h3 id="day1-date">Day 1</h3> <p id="day1-high">High: --°F</p> <p id="day1-low">Low: --°F</p> <p id="day1-condition">Condition: --</p> <p id="day1-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day2-date">Day 2</h3> <p id="day2-high">High: --°F</p> <p id="day2-low">Low: --°F</p> <p id="day2-condition">Condition: --</p> <p id="day2-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day3-date">Day 3</h3> <p id="day3-high">High: --°F</p> <p id="day3-low">Low: --°F</p> <p id="day3-condition">Condition: --</p> <p id="day3-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day4-date">Day 4</h3> <p id="day4-high">High: --°F</p> <p id="day4-low">Low: --°F</p> <p id="day4-condition">Condition: --</p> <p id="day4-holiday">Holiday: --</p> </div> </div> </div> </body> </html>
Parameter	`x-content-type-options`
Solution	Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages. If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Risk=Informational, Confidence=High (1)

https://whitej20.eastus.cloudapp.azure.com (1)

GET for POST (1)

GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/

Alert tags	WSTG-v42-CONF-06 OWASP_2021_A04 OWASP_2017_A06 CWE-16
Alert description	A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.
Request	Request line and header section (398 bytes) `GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 pragma: no-cache cache-control: no-cache content-type: application/x-www-form-urlencoded referer: https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/` Request body (0 bytes)
Response	Status line and header section (173 bytes) `HTTP/1.1 200 OK Date: Sat, 16 Nov 2024 01:37:07 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 4048 Content-Type: text/html; charset=UTF-8` Response body (4048 bytes) <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather and Holidays</title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f4f4f4; } .container { display: grid; grid-template-rows: auto 1fr 1fr; grid-template-columns: 1fr; row-gap: 20px; width: 90%; max-width: 800px; text-align: center; } .current-weather { background-color: #4d8eff; border-radius: 15px; padding: 20px; display: flex; flex-direction: column; justify-content: center; align-items: center; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); color: white; text-align: center; /* cursor: pointer; / } .forecast { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; } .forecast-day { background-color: #66c2ff; border-radius: 10px; padding: 10px; text-align: center; color: white; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); } .forecast-day h3 { margin-top: 0; } / Mobile responsiveness / @media (max-width: 600px) { button{ width: 100%; font-size: 16px; } .forecast { grid-template-columns: 1fr 1fr; grid-template-rows: 1fr 1fr; } } / Styling the button */ .fetch-button { padding: 10px 20px; font-size: 16px; background-color: #0027d4; color: white; border: none; border-radius: 10px; cursor: pointer; transition: background-color 0.3s ease; } .fetch-button:hover { background-color: #0056b3; } </style> </head> <body> <div class="container"> <!-- Weather Fetch Button --> <form id="weather-form" method="post"> <button type="submit" name="fetch_weather" class="fetch-button">Fetch Weather</button> </form> <div id="current-weather" class="current-weather"> <h1 id="current-date">Current Weather in Troy, NY</h1> <p id="current-temp">Temperature: --°F</p> <p id="current-condition">Condition: --</p> <p id="current-holiday">Holiday: --</p> </div> <div class="forecast"> <div class="forecast-day"> <h3 id="day1-date">Day 1</h3> <p id="day1-high">High: --°F</p> <p id="day1-low">Low: --°F</p> <p id="day1-condition">Condition: --</p> <p id="day1-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day2-date">Day 2</h3> <p id="day2-high">High: --°F</p> <p id="day2-low">Low: --°F</p> <p id="day2-condition">Condition: --</p> <p id="day2-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day3-date">Day 3</h3> <p id="day3-high">High: --°F</p> <p id="day3-low">Low: --°F</p> <p id="day3-condition">Condition: --</p> <p id="day3-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day4-date">Day 4</h3> <p id="day4-high">High: --°F</p> <p id="day4-low">Low: --°F</p> <p id="day4-condition">Condition: --</p> <p id="day4-holiday">Holiday: --</p> </div> </div> </div> </body> </html>
Evidence	`GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ HTTP/1.1`
Solution	Ensure that only POST is accepted where POST is expected.

Risk=Informational, Confidence=Medium (1)

https://whitej20.eastus.cloudapp.azure.com (1)

User Agent Fuzzer (1)

GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4

Alert tags
Alert description	Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.
Request	Request line and header section (236 bytes) `GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4 HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) pragma: no-cache cache-control: no-cache` Request body (0 bytes)
Response	Status line and header section (173 bytes) `HTTP/1.1 200 OK Date: Sat, 16 Nov 2024 01:37:07 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 4048 Content-Type: text/html; charset=UTF-8` Response body (4048 bytes) <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather and Holidays</title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f4f4f4; } .container { display: grid; grid-template-rows: auto 1fr 1fr; grid-template-columns: 1fr; row-gap: 20px; width: 90%; max-width: 800px; text-align: center; } .current-weather { background-color: #4d8eff; border-radius: 15px; padding: 20px; display: flex; flex-direction: column; justify-content: center; align-items: center; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); color: white; text-align: center; /* cursor: pointer; / } .forecast { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; } .forecast-day { background-color: #66c2ff; border-radius: 10px; padding: 10px; text-align: center; color: white; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); } .forecast-day h3 { margin-top: 0; } / Mobile responsiveness / @media (max-width: 600px) { button{ width: 100%; font-size: 16px; } .forecast { grid-template-columns: 1fr 1fr; grid-template-rows: 1fr 1fr; } } / Styling the button */ .fetch-button { padding: 10px 20px; font-size: 16px; background-color: #0027d4; color: white; border: none; border-radius: 10px; cursor: pointer; transition: background-color 0.3s ease; } .fetch-button:hover { background-color: #0056b3; } </style> </head> <body> <div class="container"> <!-- Weather Fetch Button --> <form id="weather-form" method="post"> <button type="submit" name="fetch_weather" class="fetch-button">Fetch Weather</button> </form> <div id="current-weather" class="current-weather"> <h1 id="current-date">Current Weather in Troy, NY</h1> <p id="current-temp">Temperature: --°F</p> <p id="current-condition">Condition: --</p> <p id="current-holiday">Holiday: --</p> </div> <div class="forecast"> <div class="forecast-day"> <h3 id="day1-date">Day 1</h3> <p id="day1-high">High: --°F</p> <p id="day1-low">Low: --°F</p> <p id="day1-condition">Condition: --</p> <p id="day1-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day2-date">Day 2</h3> <p id="day2-high">High: --°F</p> <p id="day2-low">Low: --°F</p> <p id="day2-condition">Condition: --</p> <p id="day2-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day3-date">Day 3</h3> <p id="day3-high">High: --°F</p> <p id="day3-low">Low: --°F</p> <p id="day3-condition">Condition: --</p> <p id="day3-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day4-date">Day 4</h3> <p id="day4-high">High: --°F</p> <p id="day4-low">Low: --°F</p> <p id="day4-condition">Condition: --</p> <p id="day4-holiday">Holiday: --</p> </div> </div> </div> </body> </html>
Parameter	`Header User-Agent`
Attack	`Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)`

Risk=Informational, Confidence=Low (1)

https://whitej20.eastus.cloudapp.azure.com (1)

Re-examine Cache-control Directives (1)

GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/

Alert tags	WSTG-v42-ATHN-06 CWE-525
Alert description	The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
Request	Request line and header section (267 bytes) `GET https://whitej20.eastus.cloudapp.azure.com/ITWS-2110-F24-whitej20/lab4/ HTTP/1.1 host: whitej20.eastus.cloudapp.azure.com user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0 pragma: no-cache cache-control: no-cache` Request body (0 bytes)
Response	Status line and header section (173 bytes) `HTTP/1.1 200 OK Date: Sat, 16 Nov 2024 01:36:41 GMT Server: Apache/2.4.58 (Ubuntu) Vary: Accept-Encoding Content-Length: 4048 Content-Type: text/html; charset=UTF-8` Response body (4048 bytes) <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Weather and Holidays</title> <style> body { font-family: Arial, sans-serif; margin: 0; padding: 0; display: flex; justify-content: center; align-items: center; min-height: 100vh; background-color: #f4f4f4; } .container { display: grid; grid-template-rows: auto 1fr 1fr; grid-template-columns: 1fr; row-gap: 20px; width: 90%; max-width: 800px; text-align: center; } .current-weather { background-color: #4d8eff; border-radius: 15px; padding: 20px; display: flex; flex-direction: column; justify-content: center; align-items: center; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); color: white; text-align: center; /* cursor: pointer; / } .forecast { display: grid; grid-template-columns: repeat(4, 1fr); gap: 15px; } .forecast-day { background-color: #66c2ff; border-radius: 10px; padding: 10px; text-align: center; color: white; box-shadow: 0px 4px 10px rgba(0, 0, 0, 0.1); } .forecast-day h3 { margin-top: 0; } / Mobile responsiveness / @media (max-width: 600px) { button{ width: 100%; font-size: 16px; } .forecast { grid-template-columns: 1fr 1fr; grid-template-rows: 1fr 1fr; } } / Styling the button */ .fetch-button { padding: 10px 20px; font-size: 16px; background-color: #0027d4; color: white; border: none; border-radius: 10px; cursor: pointer; transition: background-color 0.3s ease; } .fetch-button:hover { background-color: #0056b3; } </style> </head> <body> <div class="container"> <!-- Weather Fetch Button --> <form id="weather-form" method="post"> <button type="submit" name="fetch_weather" class="fetch-button">Fetch Weather</button> </form> <div id="current-weather" class="current-weather"> <h1 id="current-date">Current Weather in Troy, NY</h1> <p id="current-temp">Temperature: --°F</p> <p id="current-condition">Condition: --</p> <p id="current-holiday">Holiday: --</p> </div> <div class="forecast"> <div class="forecast-day"> <h3 id="day1-date">Day 1</h3> <p id="day1-high">High: --°F</p> <p id="day1-low">Low: --°F</p> <p id="day1-condition">Condition: --</p> <p id="day1-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day2-date">Day 2</h3> <p id="day2-high">High: --°F</p> <p id="day2-low">Low: --°F</p> <p id="day2-condition">Condition: --</p> <p id="day2-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day3-date">Day 3</h3> <p id="day3-high">High: --°F</p> <p id="day3-low">Low: --°F</p> <p id="day3-condition">Condition: --</p> <p id="day3-holiday">Holiday: --</p> </div> <div class="forecast-day"> <h3 id="day4-date">Day 4</h3> <p id="day4-high">High: --°F</p> <p id="day4-low">Low: --°F</p> <p id="day4-condition">Condition: --</p> <p id="day4-holiday">Holiday: --</p> </div> </div> </div> </body> </html>
Parameter	`cache-control`
Solution	For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".

Appendix

Alert types

This section contains additional information on the types of alerts in the report.

Absence of Anti-CSRF Tokens

Source	raised by a passive scanner (Absence of Anti-CSRF Tokens)
CWE ID	352
WASC ID	9
Reference	https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html https://cwe.mitre.org/data/definitions/352.html

Content Security Policy (CSP) Header Not Set

Source	raised by a passive scanner (Content Security Policy (CSP) Header Not Set)
CWE ID	693
WASC ID	15
Reference	https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html https://www.w3.org/TR/CSP/ https://w3c.github.io/webappsec-csp/ https://web.dev/articles/csp https://caniuse.com/#feat=contentsecuritypolicy https://content-security-policy.com/

Missing Anti-clickjacking Header

Source	raised by a passive scanner (Anti-clickjacking Header)
CWE ID	1021
WASC ID	15
Reference	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Server Leaks Version Information via "Server" HTTP Response Header Field

Source	raised by a passive scanner (HTTP Server Response Header)
CWE ID	200
WASC ID	13
Reference	https://httpd.apache.org/docs/current/mod/core.html#servertokens https://learn.microsoft.com/en-us/previous-versions/msp-n-p/ff648552(v=pandp.10) https://www.troyhunt.com/shhh-dont-let-your-response-headers/

Strict-Transport-Security Header Not Set

Source	raised by a passive scanner (Strict-Transport-Security Header)
CWE ID	319
WASC ID	15
Reference	https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html https://owasp.org/www-community/Security_Headers https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security https://caniuse.com/stricttransportsecurity https://datatracker.ietf.org/doc/html/rfc6797

X-Content-Type-Options Header Missing

Source	raised by a passive scanner (X-Content-Type-Options Header Missing)
CWE ID	693
WASC ID	15
Reference	https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85) https://owasp.org/www-community/Security_Headers

GET for POST

Source	raised by an active scanner (GET for POST)
CWE ID	16
WASC ID	20

Re-examine Cache-control Directives

Source	raised by a passive scanner (Re-examine Cache-control Directives)
CWE ID	525
WASC ID	13
Reference	https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control https://grayduck.mn/2021/09/13/cache-control-recommendations/

User Agent Fuzzer

Source	raised by an active scanner (User Agent Fuzzer)
Reference	https://owasp.org/wstg

Contents

About this report

Report parameters

Contexts

Sites

Risk levels

Confidence levels

Summaries

Alert counts by risk and confidence

Alert counts by site and risk

Alert counts by alert type

Alerts

Risk=Medium, Confidence=High (1)

https://whitej20.eastus.cloudapp.azure.com (1)

Content Security Policy (CSP) Header Not Set (1)

Risk=Medium, Confidence=Medium (1)

https://whitej20.eastus.cloudapp.azure.com (1)

Missing Anti-clickjacking Header (1)

Risk=Medium, Confidence=Low (1)

https://whitej20.eastus.cloudapp.azure.com (1)

Absence of Anti-CSRF Tokens (1)

Risk=Low, Confidence=High (2)

https://whitej20.eastus.cloudapp.azure.com (2)

Server Leaks Version Information via "Server" HTTP Response Header Field (1)

Strict-Transport-Security Header Not Set (1)

Risk=Low, Confidence=Medium (1)

https://whitej20.eastus.cloudapp.azure.com (1)

X-Content-Type-Options Header Missing (1)

Risk=Informational, Confidence=High (1)

https://whitej20.eastus.cloudapp.azure.com (1)

GET for POST (1)

Risk=Informational, Confidence=Medium (1)

https://whitej20.eastus.cloudapp.azure.com (1)

User Agent Fuzzer (1)

Risk=Informational, Confidence=Low (1)

https://whitej20.eastus.cloudapp.azure.com (1)

Re-examine Cache-control Directives (1)

Appendix

Alert types

Absence of Anti-CSRF Tokens

Content Security Policy (CSP) Header Not Set

Missing Anti-clickjacking Header

Server Leaks Version Information via "Server" HTTP Response Header Field

Strict-Transport-Security Header Not Set

X-Content-Type-Options Header Missing

GET for POST

Re-examine Cache-control Directives

User Agent Fuzzer