ZAP Scan Report: Understanding Web App Vulnerabilities

Aug 8, 2025 by Sebastian Müller 55 views

ZAP Full Scan Report: Vulnerabilities in vulnerable-web-app-juanparra

Hey everyone! We've got a full scan report here from ZAP (Zed Attack Proxy) detailing some vulnerabilities found in the vulnerable-web-app-juanparra. This report highlights potential security risks, so let's dive in and break it down, making it super clear for everyone to understand.

Introduction to the ZAP Full Scan Report

This ZAP Full Scan Report is a comprehensive analysis of the security posture of the web application hosted at http://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com. ZAP, or Zed Attack Proxy, is a powerful open-source web application security scanner. It's designed to find vulnerabilities in web applications during development and testing phases. The scan report is crucial for identifying and addressing potential security weaknesses before they can be exploited by malicious actors. This detailed analysis ensures that the application is robust and secure, reducing the risk of cyberattacks. The report includes a variety of alerts, ranging from high-risk vulnerabilities like Cross-Site Scripting (XSS) to informational issues like missing security headers. Addressing these alerts is crucial for improving the overall security posture of the application. Understanding the severity and implications of each vulnerability allows developers and security professionals to prioritize remediation efforts effectively. This proactive approach to security helps maintain the integrity and availability of the web application, safeguarding user data and preventing potential breaches. The goal of this article is to simplify this report, making it easy to understand and actionable for developers and security enthusiasts alike.

Key Vulnerabilities Identified

Let's jump into the heart of the report. The key vulnerabilities identified include several types of Cross-Site Scripting (XSS), Content Security Policy (CSP) issues, missing security headers, and other security-related concerns. Understanding these vulnerabilities is crucial for effectively securing the web application. The first major category is Cross-Site Scripting (XSS), which is divided into two main types: DOM Based and Reflected XSS. DOM Based XSS vulnerabilities are particularly concerning because they occur on the client-side, making them harder to detect with traditional server-side scanning techniques. The report highlights several instances of DOM Based XSS, indicating that the application's JavaScript code might be mishandling user input or data from untrusted sources. Reflected XSS, on the other hand, occurs when malicious scripts are injected into the application through user inputs and then reflected back to the user's browser. This can lead to session hijacking, defacement of the website, or redirection to malicious sites. The report details multiple instances of Reflected XSS, emphasizing the need for robust input validation and output encoding. Another significant concern is the lack of proper Content Security Policy (CSP) implementation. CSP is a security standard that helps prevent XSS attacks by controlling the resources that the browser is allowed to load. The report identifies that the CSP header is not set in many parts of the application, leaving it vulnerable to script injection attacks. Furthermore, the report points out failures to define specific CSP directives, indicating a potential lack of fine-grained control over resource loading. Missing security headers, such as the Anti-clickjacking header and Strict-Transport-Security (HSTS) header, also pose a risk. Clickjacking attacks can trick users into performing unintended actions, while HSTS ensures that browsers only connect to the server over HTTPS, preventing man-in-the-middle attacks. The absence of these headers increases the application's vulnerability to various types of attacks. By addressing these key vulnerabilities, the application can significantly improve its security posture and protect against a wide range of potential threats. A proactive approach to remediation, including thorough testing and continuous monitoring, is essential for maintaining a secure web environment.

Cross-Site Scripting (DOM Based) [40026]

Cross-Site Scripting (DOM Based) is a client-side vulnerability that occurs when a website's JavaScript code mishandles user input, leading to the execution of malicious scripts within the user's browser. This type of XSS is particularly sneaky because the malicious payload doesn't necessarily touch the server directly. Instead, the vulnerability lies in how the client-side script processes the data. In the context of this report, four instances of DOM Based XSS were identified, highlighting a significant area of concern. The URLs listed in the report, such as https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/stored_xss#jaVasCript:/-//*\/'/"/**/(/* */oNcliCk=alert(5397) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(5397)//>\x3e, show that the application is vulnerable to script injection via the URL fragment. This means that the attacker can inject malicious scripts by manipulating the URL, which then gets executed in the user's browser. The injected script can perform various malicious actions, such as stealing cookies, redirecting the user to a phishing site, or defacing the website. To mitigate DOM Based XSS vulnerabilities, it's crucial to carefully sanitize and validate any data that is used to update the DOM (Document Object Model). This includes data from the URL, user input fields, and any other sources of client-side data. Developers should use secure coding practices, such as encoding output and avoiding the use of eval() or other unsafe JavaScript functions. Frameworks and libraries like React, Angular, and Vue.js often provide built-in mechanisms to prevent XSS attacks by automatically escaping potentially dangerous characters. Regular security testing and code reviews are also vital for identifying and fixing DOM Based XSS vulnerabilities. By addressing these issues proactively, developers can significantly reduce the risk of successful attacks and ensure a safer browsing experience for users.

Cross-Site Scripting (Reflected) [40012]

Cross-Site Scripting (Reflected), or Reflected XSS, occurs when user-supplied data is immediately outputted in a web page without proper validation or escaping. This allows attackers to inject malicious scripts into the application through query parameters or form inputs. The injected script then executes in the victim's browser when the page is loaded. In this report, five instances of Reflected XSS were identified, indicating a serious security gap. The listed URLs, such as https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/general?foo=%3CscrIpt%3Ealert%281%29%3B%3C%2FscRipt%3E, clearly demonstrate how script injection is possible via URL parameters. An attacker could craft a malicious URL and trick a user into clicking it, leading to the execution of the injected script. This can result in a variety of malicious outcomes, including session hijacking, cookie theft, and website defacement. The impact of Reflected XSS can be severe, as it can compromise user accounts and sensitive data. To prevent Reflected XSS, rigorous input validation and output encoding are essential. Input validation ensures that the application only accepts expected data, while output encoding prevents the browser from interpreting injected scripts. Developers should encode any user-supplied data before displaying it on a web page. This can be achieved using context-appropriate encoding functions provided by the programming language or web framework. For example, in HTML contexts, characters like <, >, and " should be encoded to their HTML entities (<, >, and "). Additionally, employing a Content Security Policy (CSP) can help mitigate the risk of XSS by controlling the sources from which the browser can load resources. CSP allows developers to define trusted sources for scripts, stylesheets, and other assets, reducing the attack surface for XSS vulnerabilities. Regular security assessments, including penetration testing and code reviews, are vital for identifying and addressing Reflected XSS vulnerabilities. By implementing robust security measures, applications can protect users from potential attacks and maintain a secure online environment.

CSP: Failure to Define Directive with No Fallback [10055]

Content Security Policy (CSP): Failure to Define Directive with No Fallback is a critical issue that arises when a CSP is implemented but lacks specific directives or a fallback mechanism. CSP is a vital security feature that allows web developers to control the resources that the browser is allowed to load for a given page, helping to prevent Cross-Site Scripting (XSS) attacks. However, if a directive is not properly defined or a fallback is missing, it can weaken the policy and leave the application vulnerable. The report identifies two instances where this issue occurs, specifically in the context of robots.txt and sitemap.xml. These files, while not directly rendering dynamic content, can still be targets for information leakage or manipulation. When a CSP is in place, but a necessary directive is missing, the browser's default behavior might allow resources to load from unexpected or untrusted sources. This undermines the purpose of CSP, which is to restrict resource loading to trusted origins. For instance, if a CSP is set but does not include a default-src directive, the browser might fall back to its own default settings, potentially allowing the execution of inline scripts or the loading of resources from any origin. This effectively bypasses the intended protections of the CSP. Similarly, if a directive like script-src is defined but lacks specific sources, it can create a loophole where malicious scripts can be injected and executed. To mitigate this issue, it is essential to define a comprehensive CSP with specific directives that cover all resource types, such as scripts, stylesheets, images, and fonts. The default-src directive should be used as a fallback mechanism to restrict the loading of resources from unknown origins. Each directive should be tailored to the application's specific needs, allowing only trusted sources while blocking potentially malicious ones. Regular review and updates of the CSP are also crucial to ensure it remains effective as the application evolves. Security testing tools and browser developer consoles can help identify CSP violations and misconfigurations. By addressing these issues and implementing a robust CSP, web applications can significantly reduce their risk of XSS attacks and other client-side vulnerabilities.

Content Security Policy (CSP) Header Not Set [10038]

The Content Security Policy (CSP) Header Not Set alert is a significant finding, indicating that the web application is missing a crucial security mechanism designed to mitigate Cross-Site Scripting (XSS) attacks. CSP is an HTTP response header that allows web developers to control the resources that the user agent is permitted to load for a given page. By defining a CSP, developers can restrict the sources from which scripts, stylesheets, images, and other assets can be loaded, thus reducing the attack surface for XSS vulnerabilities. The report identifies eleven instances where the CSP header is not set, meaning that these pages lack the protection offered by CSP. This omission leaves the application vulnerable to attackers who might inject malicious scripts into the page, potentially leading to data theft, session hijacking, or website defacement. The URLs listed in the report, such as https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/ and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/auth_bypass, highlight that critical parts of the application are exposed. To address this issue, it is imperative to implement a CSP header for all pages of the web application. The CSP should be carefully crafted to allow only trusted sources for each type of resource. For example, the script-src directive should specify the origins from which JavaScript can be loaded, while the style-src directive should control the sources for CSS stylesheets. A basic CSP might include directives such as default-src 'self', which restricts resource loading to the application's own origin, and script-src 'self' https://trusted-cdn.com, which allows scripts from the application's origin and a trusted CDN. It is also beneficial to use the report-uri or report-to directives to configure a reporting endpoint where the browser can send CSP violation reports. These reports can help developers identify and address any CSP misconfigurations or potential XSS attacks. Implementing CSP is a proactive step towards enhancing the security posture of the web application and protecting users from malicious threats. Regular security testing and monitoring should be conducted to ensure the CSP remains effective and up-to-date with the application's needs.

Missing Anti-clickjacking Header [10020]

The Missing Anti-clickjacking Header vulnerability is a common web security issue that can expose users to clickjacking attacks. Clickjacking, also known as UI redress, is a malicious technique where an attacker tricks users into clicking something different from what they perceive, often by overlaying hidden or transparent elements on a legitimate web page. This can lead to users unintentionally performing actions such as changing account settings, making purchases, or disclosing confidential information. The report indicates that this vulnerability exists in eleven instances across the application, highlighting a significant security gap. The listed URLs, including https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/ and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/auth_bypass, suggest that core functionalities are at risk. To mitigate clickjacking attacks, web applications should implement the X-Frame-Options or Content-Security-Policy (CSP) headers. The X-Frame-Options header has three possible values: DENY, SAMEORIGIN, and ALLOW-FROM uri. Setting the header to DENY prevents the page from being framed at all, while SAMEORIGIN allows framing only from the same origin. ALLOW-FROM uri is less commonly used due to browser compatibility issues. A more modern and flexible approach is to use the frame-ancestors directive within the CSP. This directive allows developers to specify a list of trusted origins that are permitted to embed the page in a frame. For example, Content-Security-Policy: frame-ancestors 'self' https://trusted-domain.com; would allow framing from the application's own origin and trusted-domain.com. Implementing an anti-clickjacking header is a crucial step in securing a web application against UI redress attacks. It is recommended to set either the X-Frame-Options header or the frame-ancestors directive in the CSP for all pages. Regular security testing and monitoring should be performed to ensure the header is correctly implemented and remains effective. By addressing this vulnerability, web applications can protect users from falling victim to clickjacking attacks and maintain the integrity of their user interface.

Cookie No HttpOnly Flag [10010]

The Cookie No HttpOnly Flag alert indicates a security vulnerability related to cookie management. The HttpOnly flag is an attribute that can be included in an HTTP cookie to prevent client-side scripts, such as JavaScript, from accessing the cookie's value. This is a crucial security measure because it helps mitigate the risk of Cross-Site Scripting (XSS) attacks, where an attacker might inject malicious scripts into a website to steal cookies and hijack user sessions. The report identifies four instances where cookies are being set without the HttpOnly flag, signaling a potential risk. The URLs listed, including https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/ and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/csrf, suggest that session cookies or other sensitive information may be at risk. When a cookie is not marked with the HttpOnly flag, a malicious script injected through an XSS vulnerability can easily access the cookie's value. This allows the attacker to steal session identifiers, authentication tokens, or other sensitive data stored in the cookie, potentially compromising the user's account and the security of the application. To address this vulnerability, it is essential to set the HttpOnly flag for all cookies that do not need to be accessed by client-side scripts. This can typically be done in the server-side code when the cookie is being set, by adding the HttpOnly attribute to the cookie. For example, in a PHP application, this might look like setcookie('session_id', $session_id, ['httponly' => true]);. In other languages and frameworks, similar mechanisms are available to set the HttpOnly flag. Regular security audits and testing should be conducted to ensure that all cookies are properly configured with the HttpOnly flag. Additionally, developers should follow secure coding practices to prevent XSS vulnerabilities, which can further reduce the risk of cookie theft. By implementing these measures, web applications can significantly enhance their security posture and protect user data from potential attacks.

Cookie Without Secure Flag [10011]

The Cookie Without Secure Flag vulnerability is another critical issue related to cookie security. The Secure flag is an attribute that can be set on an HTTP cookie to instruct the browser to only transmit the cookie over HTTPS connections. This is a vital security measure because it helps prevent the cookie from being intercepted over insecure HTTP connections, thereby protecting sensitive information from man-in-the-middle attacks. The report identifies four instances where cookies are being set without the Secure flag, indicating a potential risk. The URLs listed, including https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/ and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/csrf, suggest that session cookies or other sensitive data transmitted over these connections are at risk of exposure. When a cookie is not marked with the Secure flag, it can be transmitted over plain HTTP connections, which are vulnerable to eavesdropping. An attacker who can intercept the network traffic can then steal the cookie and potentially hijack the user's session or access sensitive data. This risk is particularly significant in environments where users might be connecting to the application over public Wi-Fi networks or other insecure connections. To address this vulnerability, it is crucial to set the Secure flag for all cookies that contain sensitive information, such as session identifiers, authentication tokens, or personal data. This can typically be done in the server-side code when the cookie is being set, by adding the Secure attribute to the cookie. For example, in a PHP application, this might look like setcookie('session_id', $session_id, ['secure' => true]);. In other languages and frameworks, similar mechanisms are available to set the Secure flag. It is also important to ensure that the web application is properly configured to enforce HTTPS connections for all sensitive operations. This can be achieved by configuring the web server to redirect HTTP requests to HTTPS or by using HTTP Strict Transport Security (HSTS) to instruct browsers to only connect to the server over HTTPS. Regular security assessments and testing should be conducted to ensure that all cookies are properly configured with the Secure flag and that the application is using HTTPS appropriately. By implementing these measures, web applications can significantly enhance their security posture and protect user data from potential interception.

Cookie without SameSite Attribute [10054]

The Cookie without SameSite Attribute alert points to a security vulnerability related to Cross-Site Request Forgery (CSRF) attacks. The SameSite attribute is a cookie setting that provides a defense against CSRF attacks by controlling when cookies are sent in cross-site requests. When a cookie lacks the SameSite attribute, it is sent with all requests, regardless of the site context, making it vulnerable to CSRF attacks. The report identifies four instances where cookies are being set without the SameSite attribute, indicating a potential risk. The URLs listed, including https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/ and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/csrf, suggest that session cookies or other authentication-related cookies are at risk. CSRF attacks occur when an attacker tricks a user's browser into making requests to a web application on which the user is authenticated, without the user's knowledge or consent. This can lead to unintended actions, such as changing account settings, making purchases, or disclosing sensitive information. The SameSite attribute helps mitigate this risk by allowing developers to specify whether a cookie should be sent with cross-site requests. There are three possible values for the SameSite attribute: Strict, Lax, and None. Strict prevents the cookie from being sent with any cross-site requests, providing the strongest protection against CSRF attacks. Lax allows the cookie to be sent with top-level navigations (e.g., clicking a link) but not with other cross-site requests. None removes the SameSite restriction, but it requires the Secure attribute to be set, meaning the cookie must only be sent over HTTPS. To address this vulnerability, it is crucial to set the SameSite attribute for all cookies, especially those used for authentication and session management. The appropriate value for the attribute depends on the application's specific needs and security requirements. In most cases, setting SameSite=Strict provides the best protection against CSRF attacks. However, if the application requires cookies to be sent with cross-site requests, SameSite=Lax or SameSite=None can be used, but with the understanding that SameSite=None must be paired with the Secure attribute. This can typically be done in the server-side code when the cookie is being set, by adding the SameSite attribute to the cookie. For example, in a PHP application, this might look like setcookie('session_id', $session_id, ['samesite' => 'Strict']);. Regular security assessments and testing should be conducted to ensure that all cookies are properly configured with the SameSite attribute. By implementing these measures, web applications can significantly enhance their protection against CSRF attacks and maintain the integrity of user sessions.

HTTPS Content Available via HTTP [10047]

The vulnerability HTTPS Content Available via HTTP signifies a serious security risk where a web application serves content over HTTPS but also makes the same content accessible over insecure HTTP connections. This situation undermines the security benefits of using HTTPS, which is designed to encrypt data transmitted between the user's browser and the server, protecting it from eavesdropping and tampering. The report highlights fourteen instances where this vulnerability exists, indicating a pervasive issue within the application. The listed URLs, including https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/auth_bypass, suggest that core functionalities and potentially sensitive areas of the application are affected. When content is available over both HTTP and HTTPS, users might inadvertently access the application over an insecure HTTP connection, especially if they type the URL manually or follow an old bookmark. This allows attackers to intercept the traffic and potentially steal sensitive information, such as login credentials or session cookies. Additionally, it opens the door for man-in-the-middle attacks, where an attacker can modify the content being transmitted between the user and the server. To address this vulnerability, it is crucial to enforce HTTPS for all content served by the application. This can be achieved through several measures. First, the web server should be configured to redirect all HTTP requests to their HTTPS counterparts. This ensures that users who attempt to access the application over HTTP are automatically redirected to the secure HTTPS version. Second, HTTP Strict Transport Security (HSTS) should be implemented. HSTS is an HTTP header that instructs browsers to only connect to the server over HTTPS, preventing them from using insecure HTTP connections even if the user types http:// in the address bar. The HSTS header can be set with a max-age directive, specifying the duration for which the browser should remember to use HTTPS. For example, Strict-Transport-Security: max-age=31536000; includeSubDomains; preload instructs the browser to use HTTPS for one year, include subdomains, and allows the domain to be included in the HSTS preload list. Finally, it is important to ensure that all links and resources within the application use HTTPS URLs. This prevents mixed content warnings, which occur when a page served over HTTPS loads resources over HTTP, and further strengthens the application's security. Regular security testing and monitoring should be conducted to ensure that HTTPS is enforced consistently across the application. By implementing these measures, web applications can protect users from potential eavesdropping and man-in-the-middle attacks, maintaining the confidentiality and integrity of their data.

Insufficient Site Isolation Against Spectre Vulnerability [90004]

The Insufficient Site Isolation Against Spectre Vulnerability alert is a significant security concern related to speculative execution side-channel attacks, particularly Spectre. Spectre is a hardware vulnerability that allows attackers to potentially read sensitive data from other websites or even from the operating system by exploiting the speculative execution feature in modern processors. This vulnerability can be particularly challenging to mitigate because it requires changes at both the software and hardware levels. The report identifies twelve instances where the web application demonstrates insufficient site isolation, meaning that it does not adequately protect against Spectre attacks. The listed URLs, including https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/ and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/fuzzing/fuzz.html, suggest that various parts of the application are at risk. To mitigate Spectre, browsers and web applications need to implement several defense mechanisms. One of the key techniques is Site Isolation, which isolates the processes of different websites, preventing them from sharing memory. This makes it more difficult for an attacker to exploit speculative execution to read data from other sites. Modern browsers like Chrome and Firefox have implemented Site Isolation features, but web applications also need to take steps to ensure they are fully utilized. One important step is to set the appropriate HTTP response headers, such as Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP). COOP isolates the browsing context by preventing a document from sharing a browsing context group with cross-origin documents. This can be set to same-origin, same-site, or unsafe-none. COEP requires that all cross-origin resources must either be CORS-enabled or loaded using the no-cors mode. This helps to further isolate the application from potentially malicious resources. To fully mitigate Spectre, it is essential to set both COOP and COEP headers. For example, a secure configuration might include Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp. Additionally, developers should ensure that their applications are up-to-date with the latest security patches and browser updates, as these often include mitigations for Spectre and other hardware vulnerabilities. Regular security assessments and testing should be conducted to verify that the application is effectively isolated and protected against Spectre attacks. By implementing these measures, web applications can significantly reduce their risk of exposure to speculative execution side-channel attacks and maintain the confidentiality of user data.

Permissions Policy Header Not Set [10063]

The Permissions Policy Header Not Set alert indicates that the web application is missing an important security feature that allows developers to control which browser features can be used in their application. The Permissions Policy, formerly known as Feature Policy, is an HTTP response header that provides a mechanism to selectively enable and disable browser features, such as access to the camera, microphone, geolocation, and other APIs. This helps to mitigate various security risks, such as clickjacking, XSS, and other attacks that exploit browser features. The report identifies twelve instances where the Permissions Policy header is not set, indicating a significant gap in the application's security posture. The listed URLs, including https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/ and https://vulnerable-web-app-juanparra-d1e6880be163.herokuapp.com/auth_bypass, suggest that core functionalities and potentially sensitive areas of the application are exposed. By not setting the Permissions Policy, the application is essentially allowing all browser features to be used, which can increase the attack surface. For example, if an attacker manages to inject malicious code into the application, they could potentially access the user's camera or microphone without explicit permission, if the Permissions Policy is not properly configured. To address this vulnerability, it is essential to implement the Permissions Policy header and carefully configure the directives to allow only the necessary browser features. The Permissions Policy header uses a directive-based syntax, where each directive specifies which origins are allowed to use a particular feature. For example, the camera directive controls access to the camera, while the microphone directive controls access to the microphone. A Permissions Policy header might look like this: Permissions-Policy: camera 'self'; microphone 'none'; geolocation 'self' https://trusted-domain.com. This policy allows the application's own origin to use the camera and geolocation, but it disables microphone access entirely and allows geolocation access from trusted-domain.com. It is important to review the application's requirements and determine which browser features are actually needed, and then configure the Permissions Policy accordingly. Features that are not needed should be disabled to reduce the risk of exploitation. Regular security assessments and testing should be conducted to ensure that the Permissions Policy is correctly implemented and remains effective. By implementing these measures, web applications can significantly enhance their security posture and protect users from potential attacks that exploit browser features.