From 07c5931745a888ece6679a0c2310e5ee662a9186 Mon Sep 17 00:00:00 2001
From: Nicholas Mucks
Date: Sun, 21 Jul 2024 16:04:16 -0700
Subject: [PATCH] add zap
---
spring-petclinic.yml | 14 ++-
zap-report/zap-report.html | 222 +++++++++++++++++++++----------------
2 files changed, 140 insertions(+), 96 deletions(-)
diff --git a/spring-petclinic.yml b/spring-petclinic.yml
index d79190c4b..3a61a2591 100644
--- a/spring-petclinic.yml
+++ b/spring-petclinic.yml
@@ -1,3 +1,5 @@
+version: '3'
+
services: petclinic: build:
@@ -33,9 +35,19 @@ services: depends_on: - prometheus
+ zap:
+ image: ghcr.io/zaproxy/zaproxy:stable
+ command: zap-baseline.py -t http://petclinic:8080 -g gen.conf -r zap-report.html
+ volumes:
+ - ./zap-report:/zap/wrk:rw
+ networks:
+ - custom-network
+ depends_on:
+ - petclinic
+
volumes: prometheus_data: grafana_data: networks:
- custom-network:
\ No newline at end of file
+ custom-network:
diff --git a/zap-report/zap-report.html b/zap-report/zap-report.html
index 0fab1f74a..06a20f09c 100644
--- a/zap-report/zap-report.html
+++ b/zap-report/zap-report.html
@@ -122,12 +122,12 @@ td {
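Review bot: `depends_on: - petclinic` on the added `zap` service only orders container start, so `zap-baseline.py -t http://petclinic:8080` can run before the Spring Boot app is listening on 8080 and the baseline will fail or report the target as unreachable instead of scanning it. Gate on readiness instead: give `petclinic` a `healthcheck` (an HTTP probe against its port; the path to probe depends on the image definition, which is outside this hunk) and change the zap dependency to `depends_on:` / `  petclinic:` / `    condition: service_healthy` — the Compose v2 CLI accepts this long form and ignores the added `version: '3'` key, though it reports that key as obsolete. `image: ghcr.io/zaproxy/zaproxy:stable` is a moving tag, so two runs of the same commit can use different scanner builds and rule sets; pin a release tag or digest for reproducible results. The `./zap-report:/zap/wrk:rw` mount also rewrites the committed `zap-report/zap-report.html` on every run (the second file in this patch is exactly that churn), so that report is better git-ignored and published as a CI artifact.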

- Site: http://localhost:8080 + Site: http://petclinic:8080

- Generated on Sun, 21 Jul 2024 03:17:02 + Generated on Sun, 21 Jul 2024 23:02:25

@@ -245,7 +245,7 @@ td { X-Content-Type-Options Header Missing Low - 11 + 12 Information Disclosure - Suspicious Comments 
@@ -313,7 +313,7 @@ td { URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/vets.html + http://petclinic:8080/vets.html URL - http://localhost:8080/vets.html?page=1 + http://petclinic:8080/vets.html?page=1 URL - http://localhost:8080/vets.html?page=2 + http://petclinic:8080/vets.html?page=2 URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/vets.html + http://petclinic:8080/vets.html URL - http://localhost:8080/vets.html?page=1 + http://petclinic:8080/vets.html?page=1 URL - http://localhost:8080/vets.html?page=2 + http://petclinic:8080/vets.html?page=2 URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - 
http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/owners/new + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/owners/new + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/vets.html URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/vets.html URL - http://localhost:8080/oups + http://petclinic:8080/oups URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/owners/new + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/owners/new + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/vets.html URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/vets.html URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080/oups + http://petclinic:8080/oups URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/vets.html + http://petclinic:8080/vets.html URL - http://localhost:8080/vets.html?page=1 + http://petclinic:8080/vets.html?page=1 URL - http://localhost:8080/vets.html?page=2 + http://petclinic:8080/vets.html?page=2 URL - 
http://localhost:8080/webjars/bootstrap/5.3.3/dist/js/bootstrap.bundle.min.js + http://petclinic:8080/webjars/bootstrap/5.3.3/dist/js/bootstrap.bundle.min.js URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/owners?lastName=ZAP URL - http://localhost:8080/resources/css/petclinic.css + http://petclinic:8080/resources/css/petclinic.css URL - http://localhost:8080/resources/images/favicon.png + http://petclinic:8080/resources/images/favicon.png URL - http://localhost:8080/resources/images/pets.png + http://petclinic:8080/resources/images/pets.png URL - http://localhost:8080/resources/images/spring-logo.svg + http://petclinic:8080/resources/images/spring-logo.svg URL - http://localhost:8080/webjars/bootstrap/5.3.3/dist/js/bootstrap.bundle.min.js + http://petclinic:8080/vets.html URL - http://localhost:8080/webjars/font-awesome/4.7.0/css/font-awesome.min.css + http://petclinic:8080/webjars/bootstrap/5.3.3/dist/js/bootstrap.bundle.min.js + + + Method + GET + + + Parameter + x-content-type-options + + + Attack + + + + Evidence + + + + Other Info + This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses. + + + + URL + http://petclinic:8080/webjars/font-awesome/4.7.0/css/font-awesome.min.css Instances - 11 + 12 Solution 
@@ -2955,7 +2987,7 @@ At "High" threshold this scan rule will not alert on client or server URL - http://localhost:8080/webjars/bootstrap/5.3.3/dist/js/bootstrap.bundle.min.js + http://petclinic:8080/webjars/bootstrap/5.3.3/dist/js/bootstrap.bundle.min.js URL - http://localhost:8080/oups + http://petclinic:8080/oups URL - http://localhost:8080 + http://petclinic:8080 URL - http://localhost:8080/ + http://petclinic:8080/ URL - http://localhost:8080/owners/find + http://petclinic:8080/owners/find URL - http://localhost:8080/resources/css/petclinic.css + http://petclinic:8080/resources/css/petclinic.css URL - http://localhost:8080/resources/images/favicon.png + http://petclinic:8080/resources/images/favicon.png URL - http://localhost:8080/resources/images/pets.png + http://petclinic:8080/resources/images/pets.png URL - http://localhost:8080/resources/images/spring-logo.svg + http://petclinic:8080/resources/images/spring-logo.svg URL - http://localhost:8080/robots.txt + http://petclinic:8080/robots.txt URL - http://localhost:8080/sitemap.xml + http://petclinic:8080/sitemap.xml URL - http://localhost:8080/webjars/font-awesome/4.7.0/css/font-awesome.min.css + http://petclinic:8080/webjars/font-awesome/4.7.0/css/font-awesome.min.css URL - http://localhost:8080/owners?lastName=ZAP + http://petclinic:8080/owners?lastName=ZAP Other Info User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: -http://localhost:8080/owners?lastName=ZAP +http://petclinic:8080/owners?lastName=ZAP appears to include user input in: @@ -3583,7 +3615,7 @@ zap URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new class="indent2">Other Info User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: -http://localhost:8080/owners/new +http://petclinic:8080/owners/new appears to include user input in: 
@@ -3626,7 +3658,7 @@ The user-controlled value was: URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new Other Info User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: -http://localhost:8080/owners/new +http://petclinic:8080/owners/new appears to include user input in: @@ -3669,7 +3701,7 @@ east romaineburgh URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new class="indent2">Other Info User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: -http://localhost:8080/owners/new +http://petclinic:8080/owners/new appears to include user input in: @@ -3712,7 +3744,7 @@ zap URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new class="indent2">Other Info User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: -http://localhost:8080/owners/new +http://petclinic:8080/owners/new appears to include user input in: @@ -3755,7 +3787,7 @@ zap URL - http://localhost:8080/owners/new + http://petclinic:8080/owners/new class="indent2">Other Info User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: -http://localhost:8080/owners/new +http://petclinic:8080/owners/new appears to include user input in: