@kmcquade
Last active July 25, 2021 17:43
This documents a current issue in the ZAP Automation Framework: active scan rules whose alert threshold is set to Off still run, and their alerts still appear in the report. It makes no difference whether the rule is switched off by defaultThreshold (which is supposed to apply to every rule in the policyDefinition that has no override) or by a rule-specific threshold under rules:; in both cases the checks are still performed and their findings are still reported.

Instructions

  • mkdir -p /tmp/zap/
  • Save the template.yaml file below to /tmp/zap/template.yaml
  • Run these commands to trigger the scan (the alias uses single quotes so that $(pwd) is expanded when the alias is used rather than when it is defined; the bind mount of /tmp/zap is what lets ZAP inside the container read the template and write the report there):
alias zap-docker='docker run -v "$(pwd)":/zap/wrk/:rw -v /tmp/zap:/tmp/zap/:rw -t owasp/zap2docker-weekly'
zap-docker zap.sh -cmd -autorun /tmp/zap/template.yaml -dir /tmp/zap -quickprogress
  • The activeScan job attacks the target, so only run this against a host you are permitted to scan; zero.webappsecurity.com is a public, intentionally vulnerable demo site.
  • This will generate a report at /tmp/zap/<yyyy-MM-dd>-ZAP-Report-zero.webappsecurity.com.json, the date being the day of the run (for the run captured here: /tmp/zap/2021-07-25-ZAP-Report-zero.webappsecurity.com.json)
  • Open the file in your text editor of choice

The issue with the output

  • Observe that the alerts Anti-CSRF Tokens Check (20012), Hidden File Found (raised by rule 40035, Hidden File Finder), Proxy Disclosure (40025) and User Agent Fuzzer (10104) are all included in the results.
    • Also observe that each of those rules has threshold: Off in template.yaml below, and every rule not listed there falls under defaultThreshold: Off, so none of them should be in the results.
    • One thing worth ruling out when reproducing: YAML 1.1 loaders such as SnakeYAML, which ZAP uses, read an unquoted Off as the boolean false rather than the string Off. Quoting the value ('Off') removes that ambiguity; if the quoted form behaves differently, that narrows down where the framework loses the setting.

What the output should include

  • The results should only show Expression Language Injection (90025), the one rule in the policyDefinition whose threshold is set above Off; none of the other alerts listed above should be present.

I've included the JSON results here as well so you can see what I mean (see zap-results.json)
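The script below is an added example and is not part of the gist or of ZAP itself. It is the check a CI job would run over the report: POLICY mirrors the policyDefinition from template.yaml as a dict (a real pipeline would load template.yaml with PyYAML and pull it out of the activeScan job), SAMPLE_REPORT is a constructed, abbreviated stand-in for the traditional-json report, and unexpected_alerts() lists every alert raised by an active rule whose effective threshold is Off. It also normalises a threshold that a YAML 1.1 loader has turned into the boolean false back to Off, and filter_report() drops the offending alerts as a stopgap while the framework still reports them.

```python
"""Check a ZAP traditional-json report against the activeScan policyDefinition.

Added example, not code from the gist or from ZAP. POLICY mirrors the
policyDefinition in template.yaml as a dict; a real pipeline would load it with
PyYAML (yaml.safe_load) from the activeScan job. SAMPLE_REPORT is a constructed,
abbreviated stand-in for the traditional-json report ZAP writes.
"""
import json

POLICY = {
    "defaultStrength": "Low",
    "defaultThreshold": "Off",
    "rules": [
        {"id": 90025, "name": "Expression Language Injection", "threshold": "Medium", "strength": "Medium"},
        {"id": 20012, "name": "Anti-CSRF Tokens Check", "threshold": "Off", "strength": "Low"},
        {"id": 40035, "name": "Hidden File Finder", "threshold": "Off", "strength": "Low"},
        {"id": 40025, "name": "Proxy Disclosure", "threshold": "Off", "strength": "Low"},
        {"id": 10104, "name": "User Agent Fuzzer", "threshold": "Off", "strength": "Low"},
    ],
}

# Constructed sample: same shape as the real report, alerts trimmed to the fields used here.
SAMPLE_REPORT = json.loads("""
{
  "@version": "D-2021-06-28",
  "site": [
    {
      "@name": "http://zero.webappsecurity.com",
      "alerts": [
        {"pluginid": "20012", "alertRef": "20012", "name": "Anti-CSRF Tokens Check", "riskcode": "3", "count": "4"},
        {"pluginid": "90025", "alertRef": "90025", "name": "Expression Language Injection", "riskcode": "3", "count": "1"},
        {"pluginid": "40035", "alertRef": "40035", "name": "Hidden File Found", "riskcode": "2", "count": "1"},
        {"pluginid": "10021", "alertRef": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1", "count": "3"}
      ]
    }
  ]
}
""")


def _as_threshold(value, default="Medium"):
    """Normalise a threshold as a YAML 1.1 loader may deliver it: an unquoted
    Off is read as boolean False, so map that back to the string 'Off'."""
    if value is None:
        return default
    if value is False:
        return "Off"
    return str(value).capitalize()


def effective_threshold(policy, rule_id):
    """Threshold the policy assigns to an active scan rule: the rule's own
    'threshold' if it is listed under rules:, otherwise defaultThreshold
    (ZAP's default for that is Medium when the key is absent)."""
    default = _as_threshold(policy.get("defaultThreshold"))
    for rule in policy.get("rules", []):
        if int(rule["id"]) == int(rule_id):
            return _as_threshold(rule.get("threshold"), default)
    return default


def unexpected_alerts(report, policy, active_rule_ids=None):
    """(pluginid, name, count) for every alert raised by an active scan rule whose
    effective threshold is Off. Only ids in active_rule_ids are judged, because
    passive scan rules (e.g. 10021) are not governed by this policy; the default
    set is the ids listed under rules:."""
    if active_rule_ids is None:
        active_rule_ids = {int(r["id"]) for r in policy.get("rules", [])}
    hits = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            pid = int(alert["pluginid"])
            if pid in active_rule_ids and effective_threshold(policy, pid) == "Off":
                hits.append((pid, alert.get("name", ""), int(alert.get("count", "0"))))
    return sorted(hits)


def filter_report(report, policy, active_rule_ids=None):
    """Deep copy of the report with the alerts from unexpected_alerts() removed,
    a stopgap so a CI gate sees a report that matches the policy."""
    bad = {pid for pid, _, _ in unexpected_alerts(report, policy, active_rule_ids)}
    out = json.loads(json.dumps(report))
    for site in out.get("site", []):
        site["alerts"] = [a for a in site.get("alerts", []) if int(a["pluginid"]) not in bad]
    return out


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    hits = unexpected_alerts(report, POLICY)
    for pid, name, count in hits:
        print(f"rule {pid} ({name}) has threshold Off but raised {count} alert(s)")
    sys.exit(1 if hits else 0)
```

Run it with the report path as its only argument (python check_policy.py /tmp/zap/2021-07-25-ZAP-Report-zero.webappsecurity.com.json); it exits non-zero when a switched-off rule produced alerts. Pass active_rule_ids explicitly if you want alerts from rules that are not listed under rules: judged against defaultThreshold too, but keep passive scan rule ids out of that set, since the passiveScan-config job, not this policy, controls them.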

template.yaml

--- # OWASP ZAP automation configuration file, for more details see https://www.zaproxy.org/docs/automate/automation-framework/
env:                                   # The environment, mandatory
  contexts :                           # List of 1 or more contexts, mandatory
    - name: context 1                  # Name to be used to refer to this context in other jobs, mandatory
      urls:                            # A mandatory list of top level urls, everything under each url will be included
      - http://zero.webappsecurity.com
      includePaths:                    # An optional list of regexes to include
      excludePaths:                    # An optional list of regexes to exclude
      authentication:                  # TBA: In time to cover all auth configs
  vars:                                # List of 1 or more variables, can be used throughout the config
  parameters:
    failOnError: true                  # If set exit on an error
    failOnWarning: false               # If set exit on a warning
    progressToStdout: true             # If set will write job progress to stdout

jobs:
  - type: addOns                       # Add-on management
    parameters:
      updateAddOns: false              # Update any add-ons that have new versions
    install:                           # A list of non standard add-ons to install from the ZAP Marketplace
      - ascanrules
      - ascanrulesAlpha
      - ascanrulesBeta
      - automation
    uninstall:                         # A list of standard add-ons to uninstall
  # Spider templates
  - type: spider                       # The traditional spider - fast but doesn't handle modern apps so well
    parameters:
      context:                         # String: Name of the context to spider, default: first context
      url:                             # String: Url to start spidering from, default: first context URL
      userAgent:                       # String: The user agent to use in requests, default: '' - use the default ZAP one
      maxDuration:                     # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
      maxDepth:                        # Int: The maximum tree depth to explore
      maxChildren:                     # Int: The maximum number of children to add to each node in the tree
    tests:
      - name: 'At least X URLs found'  # String: Name of the test, default: statistic + operator + value
        type: 'stats'                  # String: Type of test, only 'stats' is supported for now
        statistic: 'automation.spider.urls.added' # String: Name of an integer / long statistic, currently supported: 'automation.spider.urls.added'
        operator: '>='                 # String ['==', '!=', '>=', '>', '<', '<=']: Operator used for testing
        value: 100                     # Int: Change this to the number of URLs you expect to find
        onFail: 'info'                 # String [warn, error, info]: Change this to 'warn' or 'error' for the test to take effect
  # Active scan templates
  - type: activeScan                   # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      context:                         # String: Name of the context to attack, default: first context
      policy:                          # String: Name of the scan policy to be used, default: Default Policy
      maxRuleDurationInMins: 10        # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins: 10        # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
      delayInMs:                       # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
    policyDefinition:                  # The policy definition - only used if the 'policy' is not set
      defaultStrength: Low             # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
      defaultThreshold: Off            # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
      rules:                           # A list of one or more active scan rules and associated settings which override the defaults
        # This should appear in the report
        - id: 90025
          name: Expression Language Injection
          threshold: Medium
          strength: Medium
        # These should not appear in the report
        - id: 20012
          name: Anti-CSRF Tokens Check
          threshold: Off
          strength: Low
        - id: 40035
          name: Hidden File Finder
          threshold: Off
          strength: Low
        - id: 40025
          name: Proxy Disclosure
          threshold: Off
          strength: Low
        - id: 10104
          name: User Agent Fuzzer
          threshold: Off
          strength: Low
  # Output templates
  - type: outputSummary                # Print summary to stdout, primarily to mimic the behaviour of the packaged scans
    parameters:
      format: None                     # String: The format of the output, one of None, Short, Long, default: None
      summaryFile:                     # String: The full path of a file into which will be written a JSON summary of the scan, default empty
  - type: report                       # Report generation
    parameters:
      template: traditional-json       # String: The template id, default : traditional-html
      reportDir: /tmp/zap/             # String: The directory into which the report will be written
      reportFile:                      # String: The report file name pattern, default: {yyyy-MM-dd}-ZAP-Report-[[site]]
      reportTitle:                     # String: The report title
      reportDescription:               # String: The report description
      displayReport:                   # Boolean: Display the report when generated, default: false
    risks:                             # List: The risks to include in this report, default all
      - high
      - medium
      - low
      - info
    confidences:                       # List: The confidences to include in this report, default all
      - high
      - medium
      - low
      - falsepositive
    sections:                          # List: The template sections to include in this report - see the relevant template, default all
zap-results.json

{
"@version": "D-2021-06-28",
"@generated": "Sun, 25 Jul 2021 17:30:05",
"site":[
{
"@name": "http://zero.webappsecurity.com",
"@host": "zero.webappsecurity.com",
"@port": "80",
"@ssl": "false",
"alerts": [
{
"pluginid": "20012",
"alertRef": "20012",
"alert": "Anti-CSRF Tokens Check",
"name": "Anti-CSRF Tokens Check",
"riskcode": "3",
"confidence": "2",
"riskdesc": "High (Medium)",
"desc": "<p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.</p><p></p><p>CSRF attacks are effective in a number of situations, including:</p><p> * The victim has an active session on the target site.</p><p> * The victim is authenticated via HTTP auth on the target site.</p><p> * The victim is on the same local network as the target site.</p><p></p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.</p>",
"instances":[
{
"uri": "http://zero.webappsecurity.com",
"method": "GET",
"param": "",
"attack": "",
"evidence": "<form action=\"/search.html\"\r\n class=\"navbar-search pull-right\" style=\"padding-right: 20px\">"
},
{
"uri": "http://zero.webappsecurity.com/",
"method": "GET",
"param": "",
"attack": "",
"evidence": "<form action=\"/search.html\"\r\n class=\"navbar-search pull-right\" style=\"padding-right: 20px\">"
},
{
"uri": "http://zero.webappsecurity.com/index.html",
"method": "GET",
"param": "",
"attack": "",
"evidence": "<form action=\"/search.html\"\r\n class=\"navbar-search pull-right\" style=\"padding-right: 20px\">"
},
{
"uri": "http://zero.webappsecurity.com/search.html?searchTerm=ZAP",
"method": "GET",
"param": "",
"attack": "",
"evidence": "<form action=\"/search.html\"\r\n class=\"navbar-search pull-right\" style=\"padding-right: 20px\">"
}
],
"count": "4",
"solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.</p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.</p><p></p><p>Phase: Implementation</p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.</p><p></p><p>Phase: Architecture and Design</p><p>Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Use the ESAPI Session Management control.</p><p>This control includes a component for CSRF.</p><p></p><p>Do not use the GET method for any request that triggers a state change.</p><p></p><p>Phase: Implementation</p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.</p>",
"otherinfo": "",
"reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p><p>http://cwe.mitre.org/data/definitions/352.html</p>",
"cweid": "352",
"wascid": "9",
"sourceid": "301"
},
{
"pluginid": "90025",
"alertRef": "90025",
"alert": "Expression Language Injection",
"name": "Expression Language Injection",
"riskcode": "3",
"confidence": "2",
"riskdesc": "High (Medium)",
"desc": "<p>The software constructs all or part of an expression language (EL) statement in a Java Server Page (JSP) using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended EL statement before it is executed. In certain versions of Spring 3.0.5 and earlier, there was a vulnerability (CVE-2011-2730) in which Expression Language tags would be evaluated twice, which effectively exposed any application to EL injection. However, even for later versions, this weakness is still possible depending on configuration.</p>",
"instances":[
{
"uri": "http://zero.webappsecurity.com/search.html?searchTerm=%24%7B201058%2B575849%7D",
"method": "GET",
"param": "searchTerm",
"attack": "${201058+575849}",
"evidence": "776907"
}
],
"count": "1",
"solution": "<p>Perform data validation best practice against untrusted input and to ensure that output encoding is applied when data arrives on the EL layer, so that no metacharacter is found by the interpreter within the user content before evaluation. The most obvious patterns to detect include ${ and #{, but it may be possible to encode or fragment this data.</p>",
"otherinfo": "",
"reference": "<p>https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection</p><p>http://cwe.mitre.org/data/definitions/917.html</p>",
"cweid": "917",
"wascid": "20",
"sourceid": "637"
},
{
"pluginid": "40025",
"alertRef": "40025",
"alert": "Proxy Disclosure",
"name": "Proxy Disclosure",
"riskcode": "3",
"confidence": "2",
"riskdesc": "High (Medium)",
"desc": "<p>1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine </p><p> - A list of targets for an attack against the application.</p><p> - Potential vulnerabilities on the proxy servers that service the application.</p><p> - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. </p>",
"instances":[
{
"uri": "http://zero.webappsecurity.com",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/index.html",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css/bootstrap.min.css",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css/font-awesome.css",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css/main.css",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img/main_carousel_1.jpg",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img/main_carousel_2.jpg",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img/main_carousel_3.jpg",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js/bootstrap.min.js",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js/jquery-1.8.2.min.js",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js/placeholders.min.js",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/robots.txt",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/search.html?searchTerm=ZAP",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/sitemap.xml",
"method": "GET",
"param": "",
"attack": "TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.",
"evidence": ""
}
],
"count": "19",
"solution": "<p>Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.</p><p>Disable the 'OPTIONS' method on the proxy servers, as well as the origin web/application server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).</p><p>Configure the web and application servers with custom error pages, to prevent 'fingerprintable' product-specific error pages being leaked to the user in the event of HTTP errors, such as 'TRACK' requests for non-existent pages.</p><p>Configure all proxies, application servers, and web servers to prevent disclosure of the technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.</p><p></p>",
"otherinfo": "<p>Using the TRACE, OPTIONS, and TRACK methods, the following proxy servers have been identified between OWASP ZAP and the application/web server: </p><p>- Apache/2.2.6 (Win32) mod_ssl/2.2.6 OpenSSL/0.9.8e mod_jk/1.2.40</p><p>The following web/application server has been identified: </p><p>- Apache-Coyote/1.1</p><p>The 'TRACE' method is enabled on one or more of the proxy servers, or on the origin server. This method leaks all information submitted from the web browser and proxies back to the user agent. This may facilitate 'Cross Site Tracing' attacks. </p>",
"reference": "<p>https://tools.ietf.org/html/rfc7231#section-5.1.2</p>",
"cweid": "200",
"wascid": "45",
"sourceid": "991"
},
{
"pluginid": "40035",
"alertRef": "40035",
"alert": "Hidden File Found",
"name": "Hidden File Found",
"riskcode": "2",
"confidence": "3",
"riskdesc": "Medium (High)",
"desc": "<p>A sensitive file was identified as accessible or available. This may leak administrative, configuration, or credential information which can be leveraged by a malicious individual to further attack the system or conduct social engineering efforts.</p>",
"instances":[
{
"uri": "http://zero.webappsecurity.com/server-status",
"method": "GET",
"param": "",
"attack": "",
"evidence": "HTTP/1.1 200 OK"
}
],
"count": "1",
"solution": "<p>Consider whether or not the component is actually required in production, if it isn't then disable it. If it is then ensure access to it requires appropriate authentication and authorization, or limit exposure to internal systems or specific source IPs, etc.</p>",
"otherinfo": "<p>apache_server_status</p>",
"reference": "<p>https://blog.hboeck.de/archives/892-Introducing-Snallygaster-a-Tool-to-Scan-for-Secrets-on-Web-Servers.html</p><p>https://httpd.apache.org/docs/current/mod/mod_status.html</p>",
"cweid": "538",
"wascid": "13",
"sourceid": "1144"
},
{
"pluginid": "10104",
"alertRef": "10104",
"alert": "User Agent Fuzzer",
"name": "User Agent Fuzzer",
"riskcode": "0",
"confidence": "2",
"riskdesc": "Informational (Medium)",
"desc": "<p>Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.</p>",
"instances":[
{
"uri": "http://zero.webappsecurity.com/resources",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources",
"method": "GET",
"param": "Header User-Agent",
"attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/css",
"method": "GET",
"param": "Header User-Agent",
"attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/img",
"method": "GET",
"param": "Header User-Agent",
"attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js",
"method": "GET",
"param": "Header User-Agent",
"attack": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16",
"evidence": ""
},
{
"uri": "http://zero.webappsecurity.com/resources/js",
"method": "GET",
"param": "Header User-Agent",
"attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)",
"evidence": ""
}
],
"count": "28",
"solution": "",
"otherinfo": "",
"reference": "<p>https://owasp.org/wstg</p>",
"cweid": "0",
"wascid": "0",
"sourceid": "1241"
}
]
}
]
}