ZAP Full Scan Report

[github-actions]

• Site: https://py-sqli.onrender.com
  New Alerts
  • Cross Site Scripting (DOM Based) [40026] total: 4:
    • [https://py-sqli.onrender.com/xss-demo#jaVasCript:/-//*\/'/"/**/(/* /oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e](https://py-sqli.onrender.com/xss-demo#jaVasCript:/*-/*`/*\`/*'/*"/**/(/ */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e)
    • [https://py-sqli.onrender.com/xss-demo?search=ZAP#jaVasCript:/-//*\/'/"/**/(/* /oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e](https://py-sqli.onrender.com/xss-demo?search=ZAP#jaVasCript:/*-/*`/*\`/*'/*"/**/(/ */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e)
    • [https://py-sqli.onrender.com/xss-demo#jaVasCript:/-//*\/'/"/**/(/* /oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e](https://py-sqli.onrender.com/xss-demo#jaVasCript:/*-/*`/*\`/*'/*"/**/(/ */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e)
    • [https://py-sqli.onrender.com/xss-demo?search=ZAP#jaVasCript:/-//*\/'/"/**/(/* /oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e](https://py-sqli.onrender.com/xss-demo?search=ZAP#jaVasCript:/*-/*`/*\`/*'/*"/**/(/ */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e)
  • Cross Site Scripting (Reflected) [40012] total: 2:
    • https://py-sqli.onrender.com/xss-demo?search=%27%22%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E
    • https://py-sqli.onrender.com/xss-demo
  • Remote Code Execution - Shell Shock [10048] total: 1:
    • https://py-sqli.onrender.com/rce
  • Remote OS Command Injection [90020] total: 1:
    • https://py-sqli.onrender.com/rce
  • Remote OS Command Injection (Time Based) [90037] total: 1:
    • https://py-sqli.onrender.com/rce
  • SQL Injection [40018] total: 1:
    • https://py-sqli.onrender.com/login
  • Absence of Anti-CSRF Tokens [10202] total: 8:
    • https://py-sqli.onrender.com/create
    • https://py-sqli.onrender.com/login
    • https://py-sqli.onrender.com/rce
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo?search=ZAP
    • ..
  • Anti-CSRF Tokens Check [20012] total: 5:
    • https://py-sqli.onrender.com/rce
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo?search=ZAP
    • https://py-sqli.onrender.com/xss-demo?search=ZAP
  • Content Security Policy (CSP) Header Not Set [10038] total: 11:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/cart
    • https://py-sqli.onrender.com/create
    • https://py-sqli.onrender.com/login
    • https://py-sqli.onrender.com/products
    • ..
  • Missing Anti-clickjacking Header [10020] total: 11:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/cart
    • https://py-sqli.onrender.com/create
    • https://py-sqli.onrender.com/login
    • https://py-sqli.onrender.com/products
    • ..
  • Proxy Disclosure [40025] total: 24:
    • https://py-sqli.onrender.com
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/add-to-cart
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/2
    • ..
  • Sub Resource Integrity Attribute Missing [90003] total: 11:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/products
    • ..
  • Cookie Slack Detector [90027] total: 19:
    • https://py-sqli.onrender.com
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/add-to-cart
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/2
    • ..
  • Cookie Without Secure Flag [10011] total: 7:
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/2
    • https://py-sqli.onrender.com/add-to-cart/3
    • https://py-sqli.onrender.com/add-to-cart/4
    • https://py-sqli.onrender.com/add-to-cart/5
    • ..
  • Cookie without SameSite Attribute [10054] total: 7:
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/2
    • https://py-sqli.onrender.com/add-to-cart/3
    • https://py-sqli.onrender.com/add-to-cart/4
    • https://py-sqli.onrender.com/add-to-cart/5
    • ..
  • Cross-Domain JavaScript Source File Inclusion [10017] total: 11:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/products
    • https://py-sqli.onrender.com/products
    • ..
  • Dangerous JS Functions [10110] total: 4:
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo?search=ZAP
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo?search=ZAP
  • Insufficient Site Isolation Against Spectre Vulnerability [90004] total: 12:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/products
    • https://py-sqli.onrender.com/rce
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/
    • ..
  • Permissions Policy Header Not Set [10063] total: 11:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/cart
    • https://py-sqli.onrender.com/create
    • https://py-sqli.onrender.com/login
    • https://py-sqli.onrender.com/products
    • ..
  • Private IP Disclosure [2] total: 1:
    • https://py-sqli.onrender.com/rce
  • Strict-Transport-Security Header Not Set [10035] total: 11:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/cart
    • https://py-sqli.onrender.com/create
    • https://py-sqli.onrender.com/login
    • https://py-sqli.onrender.com/products
    • ..
  • X-Content-Type-Options Header Missing [10021] total: 11:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/cart
    • https://py-sqli.onrender.com/create
    • https://py-sqli.onrender.com/login
    • https://py-sqli.onrender.com/products
    • ..
  • Authentication Request Identified [10111] total: 1:
    • https://py-sqli.onrender.com/login
  • Cookie Slack Detector [90027] total: 5:
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo?search=ZAP
    • https://py-sqli.onrender.com/create
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo?search=ZAP
  • Modern Web Application [10109] total: 6:
    • https://py-sqli.onrender.com/rce
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo?search=ZAP
    • https://py-sqli.onrender.com/rce
    • https://py-sqli.onrender.com/xss-demo
    • ..
  • Non-Storable Content [10049] total: 4:
    • https://py-sqli.onrender.com/add-to-cart/2
    • https://py-sqli.onrender.com/add-to-cart/4
    • https://py-sqli.onrender.com/add-to-cart/5
    • https://py-sqli.onrender.com/logout
  • Re-examine Cache-control Directives [10015] total: 8:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/cart
    • https://py-sqli.onrender.com/create
    • https://py-sqli.onrender.com/login
    • https://py-sqli.onrender.com/products
    • ..
  • Session Management Response Identified [10112] total: 7:
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/2
    • https://py-sqli.onrender.com/add-to-cart/3
    • https://py-sqli.onrender.com/add-to-cart/4
    • https://py-sqli.onrender.com/add-to-cart/5
    • ..
  • Storable and Cacheable Content [10049] total: 7:
    • https://py-sqli.onrender.com/
    • https://py-sqli.onrender.com/cart
    • https://py-sqli.onrender.com/products
    • https://py-sqli.onrender.com/rce
    • https://py-sqli.onrender.com/robots.txt
    • ..
  • User Agent Fuzzer [10104] total: 132:
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/1
    • https://py-sqli.onrender.com/add-to-cart/1
    • ..

View the following link to download the report.
RunnerID:18904214700

---

ZAP by Checkmarx

[secure-code-warrior-for-github]

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "OS Command Injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
• OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Clickjack (Detected by phrase)

Matched on "clickjack"

What is this? (2min video)

Clickjacking, which is also called UI redressing, is a trick which places an invisible panel or an identical control overlay in front of an existing application. The user clicking on that control or page is then used to perform some other action on behalf of that user i.e. Liking a social media page or posting a tweet. The click is then also passed on to the underlying application and the user is unaware that their identity has been misused.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Cross-site scripting (Detected by phrase)

Matched on "Cross Site Scripting"

Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.

Try a challenge in Secure Code Warrior

Helpful references

• Prevent Cross-Site Scripting (XSS) in ASP.NET Core - A detailed Microsoft article on how to prevent cross-site scripting in ASP.NET Core.
• OWASP Cross Site Scripting (XSS) Software Attack - OWASP community page with comprehensive information about cross site scripting, and links to various OWASP resources to help detect or prevent it.
• OWASP Cross Site Scripting Prevention Cheat Sheet - This article provides a simple positive model for preventing XSS using output encoding properly.

Micro-Learning Topic: Cross-site request forgery (Detected by phrase)

Matched on "CSRF"

What is this? (2min video)

Session-related but not session-based, this attack is based on the ability of an attacker to force an action on a user’s browser (commonly in the form of a POST request) to perform an unauthorized action on behalf of the user. This can often occur without the user even noticing it… or only noticing when it is too late. The root cause is that browsers automatically send session cookies with all requests to a given domain, regardless of where the source of the request came from, and the application server cannot differentiate between a request that came from pages it served or a request that came from an unrelated page.

Try a challenge in Secure Code Warrior

Helpful references

• Securing Rails Applications - Cross-Site Request Forgery (CSRF) - A Rails Guide that describes common security problems in web applications and how to avoid them with Rails.
• Spring Security - Cross Site Request Forgery (CSRF) - A Spring Security article that describes Spring support for protecting against Cross Site Request Forgery attacks.
• csurf Node.js CSRF protection middleware - Documentation on CSRF protection provided by the csurf middleware for Express.
• XSRF/CSRF Prevention in ASP.NET MVC and Web Pages - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC and Web Pages.
• Django Documentation - Cross Site Request Forgery protection - Documentation on CSRF protection provided by the Django framework.
• OWASP Cross-Site Request Forgery Prevention Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing cross-site request forgery flaws in your applications.
• Laravel Docs - CSRF Protection - Documentation on CSRF protection provided by the Laravel framework.
• OWASP Cross Site Request Forgery (CSRF) - OWASP community page with comprehensive information about cross-site request forgery, and links to various OWASP resources to help detect or prevent it.
• Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET MVC Application - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC.

Micro-Learning Topic: SQL injection (Detected by phrase)

Matched on "SQL Injection"

What is this? (2min video)

This is probably one of the two most exploited vulnerabilities in web applications and has led to a number of high profile company breaches. It occurs when an application fails to sanitize or validate input before using it to dynamically construct a statement. An attacker that exploits this vulnerability will be able to gain access to the underlying database and view or modify data without permission.

Try a challenge in Secure Code Warrior

Helpful references

• PHP SQL Injection Page - A detailed page on SQL injection in the online PHP manual.
• OWASP SQL Injection Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing SQL Injection flaws in your applications.
• OWASP SQL Injection - OWASP community page with comprehensive information about SQL injection, and links to various OWASP resources to help detect or prevent it.
• OWASP Query Parameterization Cheat Sheet - A derivative work of the OWASP SQL Injection Prevention Cheat Sheet focused on SQL query parameterization.
• Preventing SQL Injection Attacks With Python - A tutorial on crafting parameterized queries, SQL composition and safe query execution in Python.

[github-actions]

• Site: https://py-sqli.onrender.com
  New Alerts

  • Cross Site Scripting (Persistent) [40014] total: 2:
    • https://py-sqli.onrender.com/xss-demo
    • https://py-sqli.onrender.com/xss-demo
  • SQL Injection - SQLite (Time Based) [40024] total: 2:
    • https://py-sqli.onrender.com/rce
    • https://py-sqli.onrender.com/search-user
  • Information Disclosure - Suspicious Comments [10027] total: 2:
    • https://py-sqli.onrender.com/search-user
    • https://py-sqli.onrender.com/search-user

  Resolved Alerts

  • SQL Injection [40018] total: 1:

View the following link to download the report.
RunnerID:18906098767

[secure-code-warrior-for-github]

Micro-Learning Topic: Information disclosure (Detected by phrase)

Matched on "Information Disclosure"

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior