diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..d18ed64e --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,22 @@ +## Goal + +- + +## Changes + +- + +## Testing + +- + +## Artifacts & Screenshots + +- + +--- + +### Checklist +- [ ] PR title is clear and descriptive +- [ ] Docs/readme updated if needed +- [ ] No secrets, credentials, or large temporary files included diff --git a/labs/lab5/analysis/correlation.txt b/labs/lab5/analysis/correlation.txt new file mode 100644 index 00000000..b1ea0e78 --- /dev/null +++ b/labs/lab5/analysis/correlation.txt @@ -0,0 +1,23 @@ +=== SAST/DAST Correlation Report === + +Security Testing Results Summary: + +SAST (Semgrep): 25 code-level findings +DAST (ZAP authenticated): 0 alerts +DAST (Nuclei): 0 template matches +DAST (Nikto): 14 server issues +DAST (SQLmap): 1 SQL injection vulnerabilities + +Key Insights: + +SAST (Static Analysis): + - Finds code-level vulnerabilities before deployment + - Detects: hardcoded secrets, SQL injection patterns, insecure crypto + - Fast feedback in development phase + +DAST (Dynamic Analysis): + - Finds runtime configuration and deployment issues + - Detects: missing security headers, authentication flaws, server misconfigs + - Authenticated scanning reveals much more attack surface + +Recommendation: Use BOTH approaches for comprehensive security coverage diff --git a/labs/lab5/analysis/dast-matrix.md b/labs/lab5/analysis/dast-matrix.md new file mode 100644 index 00000000..9fe85425 --- /dev/null +++ b/labs/lab5/analysis/dast-matrix.md @@ -0,0 +1,7 @@ +| Tool | Findings | Severity Breakdown | Best Use Case | +|---|---:|---|---| +| ZAP (auth) | 0 | High:0 Med:0 Low:0 Info:0 | Comprehensive scan + auth + active/passive | +| ZAP (noauth) | 26 | High:0 Med:4 Low:10 Info:12 | Public surface baseline | +| Nuclei | 0 | n/a | Fast template-based checks (known issues/CVEs) | +| Nikto | 14 | n/a | Server misconfig/headers/default files | +| SQLmap | 1 | n/a | Deep SQLi confirmation + extraction | diff --git a/labs/lab5/analysis/dast-summary.txt b/labs/lab5/analysis/dast-summary.txt new file mode 100644 index 00000000..2259ac33 --- /dev/null +++ b/labs/lab5/analysis/dast-summary.txt @@ -0,0 +1,10 @@ +=== DAST Summary === + +ZAP (noauth): Total=26 High=0 Med=4 Low=10 Info=12 +ZAP (auth): Total=0 High=0 Med=0 Low=0 Info=0 + +Nuclei: Total matches=0 + +Nikto: server issues=14 +SQLmap: findings(rows in results-*.csv)=1 + CSV: C:\Users\Admin\Desktop\Code\DevSecOps-Intro\labs\lab5\sqlmap\results-03052026_1101pm.csv diff --git a/labs/lab5/analysis/sast-analysis.txt b/labs/lab5/analysis/sast-analysis.txt new file mode 100644 index 00000000..fc44da8b --- /dev/null +++ b/labs/lab5/analysis/sast-analysis.txt @@ -0,0 +1,2 @@ +=== SAST Analysis Report === +25 diff --git a/labs/lab5/analysis/semgrep-top5.md b/labs/lab5/analysis/semgrep-top5.md new file mode 100644 index 00000000..abab81aa --- /dev/null +++ b/labs/lab5/analysis/semgrep-top5.md @@ -0,0 +1,7 @@ +| # | Rule | Severity | File:Line | Message | +|---:|---|---|---|---| +| 1 | javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection | **ERROR** | /src/data/static/codefixes/dbSchemaChallenge_1.ts:5 | Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitiz... | +| 2 | javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection | **ERROR** | /src/data/static/codefixes/dbSchemaChallenge_3.ts:11 | Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitiz... | +| 3 | javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection | **ERROR** | /src/data/static/codefixes/unionSqlInjectionChallenge_1.ts:6 | Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitiz... | +| 4 | javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection | **ERROR** | /src/data/static/codefixes/unionSqlInjectionChallenge_3.ts:10 | Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitiz... | +| 5 | javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection | **ERROR** | /src/routes/login.ts:34 | Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitiz... | diff --git a/labs/lab5/analysis/zap-compare.txt b/labs/lab5/analysis/zap-compare.txt new file mode 100644 index 00000000..5b684179 --- /dev/null +++ b/labs/lab5/analysis/zap-compare.txt @@ -0,0 +1,12 @@ +=== ZAP Auth vs No-Auth Comparison === + +No-Auth: + URLs discovered (from log): 95 + Alerts (HTML): Total=26 High=0 Med=4 Low=10 Info=12 + +Auth: + Spider URLs (from log): 112 + AJAX Spider URLs (from log): 545 + Alerts (HTML): Total=0 High=0 Med=0 Low=0 Info=0 + +Admin/authenticated endpoints examples: N/A diff --git a/labs/lab5/nikto/nikto-results.txt b/labs/lab5/nikto/nikto-results.txt new file mode 100644 index 00000000..fa741e34 --- /dev/null +++ b/labs/lab5/nikto/nikto-results.txt @@ -0,0 +1,15 @@ +- Nikto v2.1.5/2.1.5 ++ Target Host: host.docker.internal ++ Target Port: 3000 ++ GET /: Server leaks inodes via ETags, header found with file /, fields: 0xW/124fa 0x19cc006165a ++ GET /: Uncommon header 'x-recruiting' found, with contents: /#/jobs ++ GET /: Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN ++ GET /: Uncommon header 'access-control-allow-origin' found, with contents: * ++ GET /: Uncommon header 'feature-policy' found, with contents: payment 'self' ++ GET /: Uncommon header 'x-content-type-options' found, with contents: nosniff ++ GET //ftp/: File/dir '/ftp/' in robots.txt returned a non-forbidden or redirect HTTP code (200) ++ GET /robots.txt: "robots.txt" contains 1 entry which should be manually viewed. ++ OPTIONS *: Uncommon header 'access-control-allow-methods' found, with contents: GET,HEAD,PUT,PATCH,POST,DELETE ++ -3092: GET /css: /css: This might be interesting... ++ -3092: GET /ftp/: /ftp/: This might be interesting... ++ -3092: GET /public/: /public/: This might be interesting... diff --git a/labs/lab5/report-auth.html b/labs/lab5/report-auth.html new file mode 100644 index 00000000..e57c896e --- /dev/null +++ b/labs/lab5/report-auth.html @@ -0,0 +1,3238 @@ + + + + +ZAP Auth Scan Report (Juice Shop v19.0.0) + + + +

+ + + ZAP Auth Scan Report (Juice Shop v19.0.0) +

+

+ + +

+ + + Sites: https://firefox-settings-attachments.cdn.mozilla.net http://cdnjs.cloudflare.com http://host.docker.internal:3000 +

+ +

+ Generated on Thu, 5 Mar 2026 23:02:41 +

+ +

+ ZAP Version: 2.17.0 +

+ +

+ ZAP by Checkmarx +

+ + +

Summary of Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Risk LevelNumber of Alerts
+
High
+ 		+
1
+
+
Medium
+ 		+
4
+
+
Low
+ 		+
4
+
+
Informational
+ 		+
3
+
+
False Positives:
+ 		+
0
+
+
+ + + +

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LevelReasonSiteDescriptionStatistic
+
Medium
+ 		+
Exceeded High
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of authentication failures
+ 		+
100 %
+
+
Low
+ 		+
Warning
+ 		+
+ 		+
ZAP warnings logged - see the zap.log file for details
+ 		+
52
+
+
Info
+ 		+
Informational
+ 		+
http://cdnjs.cloudflare.com
+ 		+
Percentage of responses with status code 2xx
+ 		+
100 %
+
+
Info
+ 		+
Informational
+ 		+
http://cdnjs.cloudflare.com
+ 		+
Percentage of endpoints with content type application/javascript
+ 		+
50 %
+
+
Info
+ 		+
Informational
+ 		+
http://cdnjs.cloudflare.com
+ 		+
Percentage of endpoints with content type text/css
+ 		+
50 %
+
+
Info
+ 		+
Informational
+ 		+
http://cdnjs.cloudflare.com
+ 		+
Percentage of endpoints with method GET
+ 		+
100 %
+
+
Info
+ 		+
Informational
+ 		+
http://cdnjs.cloudflare.com
+ 		+
Count of total endpoints
+ 		+
4
+
+
Info
+ 		+
Informational
+ 		+
http://cdnjs.cloudflare.com
+ 		+
Percentage of slow responses
+ 		+
100 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of responses with status code 1xx
+ 		+
1 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of responses with status code 2xx
+ 		+
30 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of responses with status code 3xx
+ 		+
25 %
+
+
Info
+ 		+
Exceeded Low
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of responses with status code 4xx
+ 		+
28 %
+
+
Info
+ 		+
Exceeded Low
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of responses with status code 5xx
+ 		+
14 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type application/javascript
+ 		+
5 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type application/json
+ 		+
7 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type application/octet-stream
+ 		+
4 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type font/woff2
+ 		+
1 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type image/jpeg
+ 		+
11 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type image/png
+ 		+
1 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type image/x-icon
+ 		+
1 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type text/css
+ 		+
1 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type text/html
+ 		+
58 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type text/markdown
+ 		+
2 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with content type text/plain
+ 		+
2 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with method GET
+ 		+
97 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of endpoints with method POST
+ 		+
2 %
+
+
Info
+ 		+
Informational
+ 		+
http://host.docker.internal:3000
+ 		+
Count of total endpoints
+ 		+
103
+
+
Info
+ 		+
Exceeded Low
+ 		+
http://host.docker.internal:3000
+ 		+
Percentage of slow responses
+ 		+
48 %
+
+
Info
+ 		+
Informational
+ 		+
https://firefox-settings-attachments.cdn.mozilla.net
+ 		+
Percentage of responses with status code 2xx
+ 		+
100 %
+
+
Info
+ 		+
Informational
+ 		+
https://firefox-settings-attachments.cdn.mozilla.net
+ 		+
Percentage of endpoints with content type text/plain
+ 		+
100 %
+
+
Info
+ 		+
Informational
+ 		+
https://firefox-settings-attachments.cdn.mozilla.net
+ 		+
Percentage of endpoints with method GET
+ 		+
100 %
+
+
Info
+ 		+
Informational
+ 		+
https://firefox-settings-attachments.cdn.mozilla.net
+ 		+
Count of total endpoints
+ 		+
2
+
+
Info
+ 		+
Informational
+ 		+
https://firefox-settings-attachments.cdn.mozilla.net
+ 		+
Percentage of slow responses
+ 		+
50 %
+
+
+ + + + +

Summary of Sequences

+

For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).

+ + + + + + + + +

Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameRisk LevelNumber of Instances
SQL InjectionHigh2
Content Security Policy (CSP) Header Not SetMediumSystemic
Cross-Domain MisconfigurationMediumSystemic
Missing Anti-clickjacking HeaderMedium2
Session ID in URL RewriteMediumSystemic
Cross-Domain JavaScript Source File InclusionLowSystemic
Private IP DisclosureLow1
Timestamp Disclosure - UnixLowSystemic
X-Content-Type-Options Header MissingLow4
Authentication Request IdentifiedInformational1
Modern Web ApplicationInformationalSystemic
Session Management Response IdentifiedInformational1
+
+ + + +

Alert Detail

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
High
SQL Injection
Description +
SQL injection may be possible.
+ +
URLhttp://host.docker.internal:3000/rest/products/search?q=%27%28
Node Namehttp://host.docker.internal:3000/rest/products/search (q)
MethodGET
Parameterq
Attack'(
EvidenceHTTP/1.1 500 Internal Server Error
Other Info
URLhttp://host.docker.internal:3000/rest/user/login
Node Namehttp://host.docker.internal:3000/rest/user/login ()({email,password})
MethodPOST
Parameteremail
Attack'
EvidenceHTTP/1.1 500 Internal Server Error
Other Info
Instances2
Solution +
Do not trust client side input, even if there is client side validation in place.
+
+ +
In general, type check all data on the server side.
+
+ +
If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'
+
+ +
If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
+
+ +
If database Stored Procedures can be used, use them.
+
+ +
Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!
+
+ +
Do not create dynamic SQL queries using simple string concatenation.
+
+ +
Escape all data received from the client.
+
+ +
Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.
+
+ +
Apply the principle of least privilege by using the least privileged database user possible.
+
+ +
In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.
+
+ +
Grant the minimum database access that is necessary for the application.
+ +
Reference + https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html + +
CWE Id89
WASC Id19
Plugin Id40018
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Content Security Policy (CSP) Header Not Set
Description +
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/ftp
Node Namehttp://host.docker.internal:3000/ftp
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/ftp/coupons_2013.md.bak
Node Namehttp://host.docker.internal:3000/ftp/coupons_2013.md.bak
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/rest/user/login
Node Namehttp://host.docker.internal:3000/rest/user/login ()({email,password})
MethodPOST
Parameter
Attack
Evidence
Other Info
InstancesSystemic
Solution +
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP +
+ + https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html +
+ + https://www.w3.org/TR/CSP/ +
+ + https://w3c.github.io/webappsec-csp/ +
+ + https://web.dev/articles/csp +
+ + https://caniuse.com/#feat=contentsecuritypolicy +
+ + https://content-security-policy.com/ + +
CWE Id693
WASC Id15
Plugin Id10038
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Cross-Domain Misconfiguration
Description +
Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other InfoThe CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
URLhttp://host.docker.internal:3000/assets/public/favicon_js.ico
Node Namehttp://host.docker.internal:3000/assets/public/favicon_js.ico
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other InfoThe CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
URLhttp://host.docker.internal:3000/robots.txt
Node Namehttp://host.docker.internal:3000/robots.txt
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other InfoThe CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other InfoThe CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
URLhttp://host.docker.internal:3000/rest/user/login
Node Namehttp://host.docker.internal:3000/rest/user/login ()({email,password})
MethodPOST
Parameter
Attack
EvidenceAccess-Control-Allow-Origin: *
Other InfoThe CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.
InstancesSystemic
Solution +
Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).
+
+ +
Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.
+ +
Reference + https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy + +
CWE Id264
WASC Id14
Plugin Id10098
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Missing Anti-clickjacking Header
Description +
The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.
+ +
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCgH&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)(40)
MethodPOST
Parameterx-frame-options
Attack
Evidence
Other Info
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCsD&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)(42["notification received","8d2072c6b0a4...)
MethodPOST
Parameterx-frame-options
Attack
Evidence
Other Info
Instances2
Solution +
Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.
+
+ +
If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.
+ +
Reference + https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options + +
CWE Id1021
WASC Id15
Plugin Id10020
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Medium
Session ID in URL Rewrite
Description +
URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.
+ +
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCgb&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)
MethodGET
Parametersid
Attack
EvidenceXuUlMO8t1gBrdlEVAAAA
Other Info
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=websocket&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,transport)
MethodGET
Parametersid
Attack
EvidenceXuUlMO8t1gBrdlEVAAAA
Other Info
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCgH&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)(40)
MethodPOST
Parametersid
Attack
EvidenceXuUlMO8t1gBrdlEVAAAA
Other Info
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CEwi&sid=euxJ-FYwo4yelfMVAAAC
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)(40)
MethodPOST
Parametersid
Attack
EvidenceeuxJ-FYwo4yelfMVAAAC
Other Info
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCsD&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)(42["notification received","8d2072c6b0a4...)
MethodPOST
Parametersid
Attack
EvidenceXuUlMO8t1gBrdlEVAAAA
Other Info
InstancesSystemic
Solution +
For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.
+ +
Reference + https://seclists.org/webappsec/2002/q4/111 + +
CWE Id598
WASC Id13
Plugin Id3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Cross-Domain JavaScript Source File Inclusion
Description +
The page includes one or more script files from a third-party domain.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
Other Info
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
Other Info
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
Other Info
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
Other Info
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
Other Info
InstancesSystemic
Solution +
Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.
+ +
Reference
CWE Id829
WASC Id15
Plugin Id10017
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Private IP Disclosure
Description +
A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.
+ +
URLhttp://host.docker.internal:3000/rest/admin/application-configuration
Node Namehttp://host.docker.internal:3000/rest/admin/application-configuration
MethodGET
Parameter
Attack
Evidence192.168.99.100:3000
Other Info192.168.99.100:3000 +192.168.99.100:4200 +
Instances1
Solution +
Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.
+ +
Reference + https://datatracker.ietf.org/doc/html/rfc1918 + +
CWE Id497
WASC Id13
Plugin Id2
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
Timestamp Disclosure - Unix
Description +
A timestamp was disclosed by the application/web server. - Unix
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence1650485437
Other Info1650485437, which evaluates to: 2022-04-20 20:10:37.
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence1981395349
Other Info1981395349, which evaluates to: 2032-10-14 19:35:49.
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence2038834951
Other Info2038834951, which evaluates to: 2034-08-10 15:02:31.
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter
Attack
Evidence1650485437
Other Info1650485437, which evaluates to: 2022-04-20 20:10:37.
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter
Attack
Evidence2038834951
Other Info2038834951, which evaluates to: 2034-08-10 15:02:31.
InstancesSystemic
Solution +
Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
+ +
Reference + https://cwe.mitre.org/data/definitions/200.html + +
CWE Id497
WASC Id13
Plugin Id10096
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Low
X-Content-Type-Options Header Missing
Description +
The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
+ +
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCgb&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCPQ
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,t,transport)
MethodGET
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCgH&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)(40)
MethodPOST
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
URLhttp://host.docker.internal:3000/socket.io/?EIO=4&transport=polling&t=Pp0CCsD&sid=XuUlMO8t1gBrdlEVAAAA
Node Namehttp://host.docker.internal:3000/socket.io/ (EIO,sid,t,transport)(42["notification received","8d2072c6b0a4...)
MethodPOST
Parameterx-content-type-options
Attack
Evidence
Other InfoThis issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type. +At "High" threshold this scan rule will not alert on client or server error responses.
Instances4
Solution +
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
+
+ +
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
+ +
Reference + https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85) +
+ + https://owasp.org/www-community/Security_Headers + +
CWE Id693
WASC Id15
Plugin Id10021
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Authentication Request Identified
Description +
The given request has been identified as an authentication request. The 'Other Info' field contains a set of key=value lines which identify any relevant fields. If the request is in a context which has an Authentication Method set to "Auto-Detect" then this rule will change the authentication to match the request identified.
+ +
URLhttp://host.docker.internal:3000/rest/user/login
Node Namehttp://host.docker.internal:3000/rest/user/login ()({email,password})
MethodPOST
Parameteremail
Attack
Evidencepassword
Other InfouserParam=email +userValue=${username} +passwordParam=password
Instances1
Solution +
This is an informational alert rather than a vulnerability and so there is nothing to fix.
+ +
Reference + https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/ + +
CWE Id
WASC Id
Plugin Id10111
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Modern Web Application
Description +
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
+ +
URLhttp://host.docker.internal:3000
Node Namehttp://host.docker.internal:3000
MethodGET
Parameter
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
Other InfoNo links have been found while there are scripts, which is an indication that this is a modern web application.
URLhttp://host.docker.internal:3000/
Node Namehttp://host.docker.internal:3000/
MethodGET
Parameter
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
Other InfoNo links have been found while there are scripts, which is an indication that this is a modern web application.
URLhttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13
Node Namehttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13
MethodGET
Parameter
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
Other InfoNo links have been found while there are scripts, which is an indication that this is a modern web application.
URLhttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:59:18
Node Namehttp://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:59:18
MethodGET
Parameter
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
Other InfoNo links have been found while there are scripts, which is an indication that this is a modern web application.
URLhttp://host.docker.internal:3000/sitemap.xml
Node Namehttp://host.docker.internal:3000/sitemap.xml
MethodGET
Parameter
Attack
Evidence<script src="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js"></script>
Other InfoNo links have been found while there are scripts, which is an indication that this is a modern web application.
InstancesSystemic
Solution +
This is an informational alert and so no changes are required.
+ +
Reference
CWE Id
WASC Id
Plugin Id10109
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
Informational
Session Management Response Identified
Description +
The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.
+ +
URLhttp://host.docker.internal:3000/rest/continue-code
Node Namehttp://host.docker.internal:3000/rest/continue-code
MethodGET
ParametercontinueCode
Attack
EvidencecontinueCode
Other Infojson:continueCode
Instances1
Solution +
This is an informational alert rather than a vulnerability and so there is nothing to fix.
+ +
Reference + https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/ + +
CWE Id
WASC Id
Plugin Id10112
+
+ + + + + +

Sequence Details

+ With the associated active scan results. + + + +
+ + + + + + + diff --git a/labs/lab5/scripts/compare_zap.ps1 b/labs/lab5/scripts/compare_zap.ps1 new file mode 100644 index 00000000..460c82c6 --- /dev/null +++ b/labs/lab5/scripts/compare_zap.ps1 @@ -0,0 +1,81 @@ +$ErrorActionPreference = "Stop" + +$Lab5Dir = Resolve-Path (Join-Path $PSScriptRoot "..") +$ZapDir = Join-Path $Lab5Dir "zap" +$AnaDir = Join-Path $Lab5Dir "analysis" +New-Item -ItemType Directory -Force -Path $AnaDir | Out-Null + +$NoAuthLog = Join-Path $ZapDir "zap-noauth.log" +$AuthLog = Join-Path $ZapDir "zap-auth.log" +$NoAuthReport = Join-Path $ZapDir "report-noauth.html" +$AuthReport = Join-Path $ZapDir "report-auth.html" + +function Get-TextOrEmpty([string]$p){ if(Test-Path $p){Get-Content -Raw -LiteralPath $p}else{""} } + +function FirstInt([string]$t, [string[]]$pats){ + foreach($p in $pats){ + $m=[regex]::Match($t,$p,[Text.RegularExpressions.RegexOptions]::IgnoreCase) + if($m.Success){ return [int]$m.Groups[1].Value } + } + return $null +} + +function ZapCounts([string]$htmlPath){ + if(!(Test-Path $htmlPath)){ return @{High=0;Med=0;Low=0;Info=0;Total=0} } + $h=Get-Content -Raw -LiteralPath $htmlPath -Encoding UTF8 + $high=[regex]::Matches($h,'class="risk-3"').Count + $med =[regex]::Matches($h,'class="risk-2"').Count + $low =[regex]::Matches($h,'class="risk-1"').Count + $info=[regex]::Matches($h,'class="risk-0"').Count + $high=[int]($high/2); $med=[int]($med/2); $low=[int]($low/2); $info=[int]($info/2) + return @{High=$high;Med=$med;Low=$low;Info=$info;Total=($high+$med+$low+$info)} +} + +function AdminEndpoints([string]$htmlPath,[int]$max=10){ + if(!(Test-Path $htmlPath)){ return @() } + $h=Get-Content -Raw -LiteralPath $htmlPath -Encoding UTF8 + $ms=[regex]::Matches($h,'/rest/admin/[A-Za-z0-9\-\._~/%\?\=&]+') + $set=New-Object 'System.Collections.Generic.HashSet[string]' + foreach($m in $ms){ [void]$set.Add($m.Value) } + return $set | Select-Object -First $max +} + +$noAuthText = Get-TextOrEmpty $NoAuthLog +$authText = Get-TextOrEmpty $AuthLog + +$noAuthUrls = FirstInt $noAuthText @( + 'Job spider found\s+(\d+)\s+URLs', + 'found\s+(\d+)\s+URLs', + 'Total of\s+(\d+)\s+URLs' +) +$authSpider = FirstInt $authText @('Job spider found\s+(\d+)\s+URLs') +$authAjax = FirstInt $authText @('Job spiderAjax found\s+(\d+)\s+URLs','AJAX spider.*found\s+(\d+)\s+URLs') + +$noAuthAlerts = ZapCounts $NoAuthReport +$authAlerts = ZapCounts $AuthReport +$admin = AdminEndpoints $AuthReport 12 + +$out = @() +$out += "=== ZAP Auth vs No-Auth Comparison ===" +$out += "" +$out += "No-Auth:" +$out += (" URLs discovered (from log): {0}" -f ($(if($null -eq $noAuthUrls){"N/A"}else{$noAuthUrls}))) +$out += (" Alerts (HTML): Total={0} High={1} Med={2} Low={3} Info={4}" -f $noAuthAlerts.Total,$noAuthAlerts.High,$noAuthAlerts.Med,$noAuthAlerts.Low,$noAuthAlerts.Info) +$out += "" +$out += "Auth:" +$out += (" Spider URLs (from log): {0}" -f ($(if($null -eq $authSpider){"N/A"}else{$authSpider}))) +$out += (" AJAX Spider URLs (from log): {0}" -f ($(if($null -eq $authAjax){"N/A"}else{$authAjax}))) +$out += (" Alerts (HTML): Total={0} High={1} Med={2} Low={3} Info={4}" -f $authAlerts.Total,$authAlerts.High,$authAlerts.Med,$authAlerts.Low,$authAlerts.Info) +$out += "" + +if($admin.Count -gt 0){ + $out += "Admin/authenticated endpoints examples:" + foreach($e in $admin){ $out += " - $e" } +}else{ + $out += "Admin/authenticated endpoints examples: N/A" +} + +$outPath = Join-Path $AnaDir "zap-compare.txt" +$out -join "`r`n" | Set-Content -LiteralPath $outPath -Encoding UTF8 +$out -join "`r`n" +"Saved: $outPath" \ No newline at end of file diff --git a/labs/lab5/scripts/correlation.ps1 b/labs/lab5/scripts/correlation.ps1 new file mode 100644 index 00000000..0b620c00 --- /dev/null +++ b/labs/lab5/scripts/correlation.ps1 @@ -0,0 +1,75 @@ +$ErrorActionPreference = "Stop" + +$Lab5Dir = Resolve-Path (Join-Path $PSScriptRoot "..") +$AnaDir = Join-Path $Lab5Dir "analysis" +New-Item -ItemType Directory -Force -Path $AnaDir | Out-Null + +$Semgrep = Join-Path $Lab5Dir "semgrep\semgrep-results.json" +$ZapAuth = Join-Path $Lab5Dir "zap\report-auth.html" +$Nuclei = Join-Path $Lab5Dir "nuclei\nuclei-results.json" +$Nikto = Join-Path $Lab5Dir "nikto\nikto-results.txt" +$SqlmapDir = Join-Path $Lab5Dir "sqlmap" + +function Count-Semgrep($p){ + if(!(Test-Path $p)){ return 0 } + $o = Get-Content -Raw -LiteralPath $p -Encoding UTF8 | ConvertFrom-Json + return @($o.results).Count +} +function Count-Zap($p){ + if(!(Test-Path $p)){ return 0 } + $h=Get-Content -Raw -LiteralPath $p -Encoding UTF8 + $med=[regex]::Matches($h,'class="risk-2"').Count + $high=[regex]::Matches($h,'class="risk-3"').Count + return [int](($med/2)+($high/2)) +} +function Count-Lines($p){ + if(!(Test-Path $p)){ return 0 } + return (Get-Content -LiteralPath $p -Encoding UTF8 | Where-Object { $_.Trim().Length -gt 0 }).Count +} +function Count-Nikto($p){ + if(!(Test-Path $p)){ return 0 } + return (Get-Content -LiteralPath $p -Encoding UTF8 | Where-Object { $_.StartsWith("+ ") }).Count +} +function Count-Sqlmap($root){ + if(!(Test-Path $root)){ return 0 } + $csv = Get-ChildItem -Path $root -Recurse -Filter "results-*.csv" -ErrorAction SilentlyContinue | Select-Object -First 1 + if(-not $csv){ return 0 } + $lines = Get-Content -LiteralPath $csv.FullName -Encoding UTF8 | Where-Object { $_.Trim().Length -gt 0 } + return [Math]::Max(0,$lines.Count-1) +} + +$sast = Count-Semgrep $Semgrep +$zap = Count-Zap $ZapAuth +$nuc = Count-Lines $Nuclei +$nik = Count-Nikto $Nikto +$sql = Count-Sqlmap $SqlmapDir + +$out = @() +$out += "=== SAST/DAST Correlation Report ===" +$out += "" +$out += "Security Testing Results Summary:" +$out += "" +$out += "SAST (Semgrep): $sast code-level findings" +$out += "DAST (ZAP authenticated): $zap alerts" +$out += "DAST (Nuclei): $nuc template matches" +$out += "DAST (Nikto): $nik server issues" +$out += "DAST (SQLmap): $sql SQL injection vulnerabilities" +$out += "" +$out += "Key Insights:" +$out += "" +$out += "SAST (Static Analysis):" +$out += " - Finds code-level vulnerabilities before deployment" +$out += " - Detects: hardcoded secrets, SQL injection patterns, insecure crypto" +$out += " - Fast feedback in development phase" +$out += "" +$out += "DAST (Dynamic Analysis):" +$out += " - Finds runtime configuration and deployment issues" +$out += " - Detects: missing security headers, authentication flaws, server misconfigs" +$out += " - Authenticated scanning reveals much more attack surface" +$out += "" +$out += "Recommendation: Use BOTH approaches for comprehensive security coverage" + +$path = Join-Path $AnaDir "correlation.txt" +$out -join "`r`n" | Set-Content -LiteralPath $path -Encoding UTF8 +$out -join "`r`n" +"Saved: $path" \ No newline at end of file diff --git a/labs/lab5/scripts/summarize_dast.ps1 b/labs/lab5/scripts/summarize_dast.ps1 new file mode 100644 index 00000000..82a49f7c --- /dev/null +++ b/labs/lab5/scripts/summarize_dast.ps1 @@ -0,0 +1,152 @@ +$ErrorActionPreference = "Stop" + +$Lab5Dir = Resolve-Path (Join-Path $PSScriptRoot "..") +$AnaDir = Join-Path $Lab5Dir "analysis" +$ZapDir = Join-Path $Lab5Dir "zap" +$Nuclei = Join-Path $Lab5Dir "nuclei\nuclei-results.json" +$Nikto = Join-Path $Lab5Dir "nikto\nikto-results.txt" +$SqlmapDir = Join-Path $Lab5Dir "sqlmap" + +New-Item -ItemType Directory -Force -Path $AnaDir | Out-Null + +function ZapCounts([string]$htmlPath) { + if (!(Test-Path $htmlPath)) { + return @{ High = 0; Med = 0; Low = 0; Info = 0; Total = 0 } + } + + $h = Get-Content -Raw -LiteralPath $htmlPath -Encoding UTF8 + $high = [regex]::Matches($h, 'class="risk-3"').Count + $med = [regex]::Matches($h, 'class="risk-2"').Count + $low = [regex]::Matches($h, 'class="risk-1"').Count + $info = [regex]::Matches($h, 'class="risk-0"').Count + + $high = [int]($high / 2) + $med = [int]($med / 2) + $low = [int]($low / 2) + $info = [int]($info / 2) + + return @{ + High = $high + Med = $med + Low = $low + Info = $info + Total = ($high + $med + $low + $info) + } +} + +function NucleiStats([string]$path) { + if (!(Test-Path $path)) { + return @{ Total = 0; By = @{} } + } + + $by = @{} + $lines = Get-Content -LiteralPath $path -Encoding UTF8 | Where-Object { $_.Trim().Length -gt 0 } + + foreach ($l in $lines) { + try { + $o = $l | ConvertFrom-Json + + $sev = $null + if ($o.info -and $o.info.severity) { + $sev = $o.info.severity.ToString().ToLowerInvariant() + } else { + $sev = "unknown" + } + + if ($by.ContainsKey($sev)) { + $by[$sev]++ + } else { + $by[$sev] = 1 + } + } + catch { + if ($by.ContainsKey("parse_error")) { + $by["parse_error"]++ + } else { + $by["parse_error"] = 1 + } + } + } + + return @{ + Total = $lines.Count + By = $by + } +} + +function NiktoCount([string]$path) { + if (!(Test-Path $path)) { return 0 } + return (Get-Content -LiteralPath $path -Encoding UTF8 | Where-Object { $_.StartsWith("+ ") }).Count +} + +function SqlmapCount([string]$root) { + if (!(Test-Path $root)) { + return @{ Total = 0; Csv = $null } + } + + $csv = Get-ChildItem -Path $root -Recurse -Filter "results-*.csv" -ErrorAction SilentlyContinue | Select-Object -First 1 + if (-not $csv) { + return @{ Total = 0; Csv = $null } + } + + $lines = Get-Content -LiteralPath $csv.FullName -Encoding UTF8 | Where-Object { $_.Trim().Length -gt 0 } + + return @{ + Total = [Math]::Max(0, $lines.Count - 1) + Csv = $csv.FullName + } +} + +$zapNo = ZapCounts (Join-Path $ZapDir "report-noauth.html") +$zapAu = ZapCounts (Join-Path $ZapDir "report-auth.html") +$nuc = NucleiStats $Nuclei +$nik = NiktoCount $Nikto +$sql = SqlmapCount $SqlmapDir + +$sum = @() +$sum += "=== DAST Summary ===" +$sum += "" +$sum += ("ZAP (noauth): Total={0} High={1} Med={2} Low={3} Info={4}" -f $zapNo.Total, $zapNo.High, $zapNo.Med, $zapNo.Low, $zapNo.Info) +$sum += ("ZAP (auth): Total={0} High={1} Med={2} Low={3} Info={4}" -f $zapAu.Total, $zapAu.High, $zapAu.Med, $zapAu.Low, $zapAu.Info) +$sum += "" +$sum += ("Nuclei: Total matches={0}" -f $nuc.Total) + +if ($nuc.By.Count -gt 0) { + $sum += " By severity:" + foreach ($k in ($nuc.By.Keys | Sort-Object)) { + $sum += (" - {0}: {1}" -f $k, $nuc.By[$k]) + } +} + +$sum += "" +$sum += ("Nikto: server issues={0}" -f $nik) +$sum += ("SQLmap: findings(rows in results-*.csv)={0}" -f $sql.Total) + +if ($sql.Csv) { + $sum += (" CSV: {0}" -f $sql.Csv) +} + +$sumPath = Join-Path $AnaDir "dast-summary.txt" +$sum -join "`r`n" | Set-Content -LiteralPath $sumPath -Encoding UTF8 + +$sevParts = @() +foreach ($k in ($nuc.By.Keys | Sort-Object)) { + $sevParts += ("{0}:{1}" -f $k, $nuc.By[$k]) +} +$sevStr = if ($sevParts.Count -gt 0) { $sevParts -join " " } else { "n/a" } + +$md = @() +$md += "| Tool | Findings | Severity Breakdown | Best Use Case |" +$md += "|---|---:|---|---|" +$md += ("| ZAP (auth) | {0} | High:{1} Med:{2} Low:{3} Info:{4} | Comprehensive scan + auth + active/passive |" -f $zapAu.Total, $zapAu.High, $zapAu.Med, $zapAu.Low, $zapAu.Info) +$md += ("| ZAP (noauth) | {0} | High:{1} Med:{2} Low:{3} Info:{4} | Public surface baseline |" -f $zapNo.Total, $zapNo.High, $zapNo.Med, $zapNo.Low, $zapNo.Info) +$md += ("| Nuclei | {0} | {1} | Fast template-based checks (known issues/CVEs) |" -f $nuc.Total, $sevStr) +$md += ("| Nikto | {0} | n/a | Server misconfig/headers/default files |" -f $nik) +$md += ("| SQLmap | {0} | n/a | Deep SQLi confirmation + extraction |" -f $sql.Total) + +$mdPath = Join-Path $AnaDir "dast-matrix.md" +$md -join "`r`n" | Set-Content -LiteralPath $mdPath -Encoding UTF8 + +$sum -join "`r`n" +"Saved: $sumPath" +"Saved: $mdPath" \ No newline at end of file diff --git a/labs/lab5/scripts/zap-auth.yaml b/labs/lab5/scripts/zap-auth.yaml new file mode 100644 index 00000000..9daa7a46 --- /dev/null +++ b/labs/lab5/scripts/zap-auth.yaml @@ -0,0 +1,56 @@ +env: + contexts: + - name: juice-shop + urls: + - http://host.docker.internal:3000 + includePaths: + - http://host.docker.internal:3000.* + authentication: + method: json + parameters: + loginRequestUrl: http://host.docker.internal:3000/rest/user/login + loginRequestBody: '{"email":"${username}","password":"${password}"}' + verification: + method: response + loggedInRegex: '"token"\s*:\s*"' + loggedOutRegex: 'Invalid email or password' + sessionManagement: + method: cookie + users: + - name: admin + credentials: + username: admin@juice-sh.op + password: admin123 + +jobs: + - type: spider + parameters: + context: juice-shop + user: admin + maxDuration: 5 + + - type: spiderAjax + parameters: + context: juice-shop + user: admin + maxDuration: 10 + browserId: firefox-headless + inScopeOnly: true + + - type: passiveScan-wait + parameters: + maxDuration: 10 + + - type: activeScan + parameters: + context: juice-shop + user: admin + maxScanDurationInMins: 10 + + - type: report + parameters: + template: traditional-html + reportDir: /zap/wrk + reportFile: report-auth.html + reportTitle: "ZAP Auth Scan Report (Juice Shop v19.0.0)" + displayReport: false diff --git a/labs/lab5/semgrep/juice-shop b/labs/lab5/semgrep/juice-shop new file mode 160000 index 00000000..36870cbb --- /dev/null +++ b/labs/lab5/semgrep/juice-shop @@ -0,0 +1 @@ +Subproject commit 36870cbbdfe7864698e1adf644c7bf772f67ebb7 diff --git a/labs/lab5/semgrep/semgrep-report.txt b/labs/lab5/semgrep/semgrep-report.txt new file mode 100644 index 00000000..9b04f5ad --- /dev/null +++ b/labs/lab5/semgrep/semgrep-report.txt @@ -0,0 +1,243 @@ + + +┌──────────────────┐ +│ 25 Code Findings │ +└──────────────────┘ + + /src/data/static/codefixes/dbSchemaChallenge_1.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 5┆ models.sequelize.query("SELECT * FROM Products WHERE ((name LIKE '%"+criteria+"%' OR + description LIKE '%"+criteria+"%') AND deletedAt IS NULL) ORDER BY name") + + /src/data/static/codefixes/dbSchemaChallenge_3.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 11┆ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR + description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) + + /src/data/static/codefixes/unionSqlInjectionChallenge_1.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 6┆ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR + description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) + + /src/data/static/codefixes/unionSqlInjectionChallenge_3.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 10┆ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR + description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) + + /src/frontend/src/app/navbar/navbar.component.html + ❯❱ generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + ❰❰ Blocking ❱❱ + Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject + custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ + expr }}". + Details: https://sg.run/weNX + + 17┆ + + /src/frontend/src/app/purchase-basket/purchase-basket.component.html + ❯❱ generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + ❰❰ Blocking ❱❱ + Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject + custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ + expr }}". + Details: https://sg.run/weNX + + 15┆ {{element.name}} jwt.sign(user, privateKey, { expiresIn: '6h', + algorithm: 'RS256' }) + + /src/routes/chatbot.ts + ❯❱ javascript.express.security.injection.raw-html-format.raw-html-format + ❰❰ Blocking ❱❱ + User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross- + Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a + sanitization library such as DOMPurify to sanitize the HTML within. + Details: https://sg.run/5DO3 + + 197┆ body: bot.training.state ? bot.greet(`${user.id}`) : + `${config.get('application.chatBot.name')} isn't ready at the moment, please wait + while I set things up` + + /src/routes/fileServer.ts + ❯❱ javascript.express.security.audit.express-res-sendfile.express-res-sendfile + ❰❰ Blocking ❱❱ + The application processes user-input, this is passed to res.sendFile which can allow an attacker to + arbitrarily read files on the system through path traversal. It is recommended to perform input + validation in addition to canonicalizing the path. This allows you to validate the path against the + intended directory it should be accessing. + Details: https://sg.run/7DJk + + 33┆ res.sendFile(path.resolve('ftp/', file)) + + /src/routes/keyServer.ts + ❯❱ javascript.express.security.audit.express-res-sendfile.express-res-sendfile + ❰❰ Blocking ❱❱ + The application processes user-input, this is passed to res.sendFile which can allow an attacker to + arbitrarily read files on the system through path traversal. It is recommended to perform input + validation in addition to canonicalizing the path. This allows you to validate the path against the + intended directory it should be accessing. + Details: https://sg.run/7DJk + + 14┆ res.sendFile(path.resolve('encryptionkeys/', file)) + + /src/routes/logfileServer.ts + ❯❱ javascript.express.security.audit.express-res-sendfile.express-res-sendfile + ❰❰ Blocking ❱❱ + The application processes user-input, this is passed to res.sendFile which can allow an attacker to + arbitrarily read files on the system through path traversal. It is recommended to perform input + validation in addition to canonicalizing the path. This allows you to validate the path against the + intended directory it should be accessing. + Details: https://sg.run/7DJk + + 14┆ res.sendFile(path.resolve('logs/', file)) + + /src/routes/login.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 34┆ models.sequelize.query(`SELECT * FROM Users WHERE email = '${req.body.email || ''}' AND + password = '${security.hash(req.body.password || '')}' AND deletedAt IS NULL`, { model: + UserModel, plain: true }) // vuln-code-snippet vuln-line loginAdminChallenge + loginBenderChallenge loginJimChallenge + + /src/routes/quarantineServer.ts + ❯❱ javascript.express.security.audit.express-res-sendfile.express-res-sendfile + ❰❰ Blocking ❱❱ + The application processes user-input, this is passed to res.sendFile which can allow an attacker to + arbitrarily read files on the system through path traversal. It is recommended to perform input + validation in addition to canonicalizing the path. This allows you to validate the path against the + intended directory it should be accessing. + Details: https://sg.run/7DJk + + 14┆ res.sendFile(path.resolve('ftp/quarantine/', file)) + + /src/routes/redirect.ts + ❯❱ javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect + ❰❰ Blocking ❱❱ + It looks like 'toUrl' is read from user input and it is used to as a redirect. Ensure 'toUrl' is not + externally controlled, otherwise this is an open redirect. + Details: https://sg.run/OPv2 + + 19┆ res.redirect(toUrl) + + ❯❱ javascript.express.security.audit.express-open-redirect.express-open-redirect + ❰❰ Blocking ❱❱ + The application redirects to a URL specified by user-supplied input `query` that is not validated. + This could redirect users to malicious locations. Consider using an allow-list approach to validate + URLs, or warn users they are being redirected to a third-party website. + Details: https://sg.run/EpoP + + 19┆ res.redirect(toUrl) + + /src/routes/search.ts + ❯❯❱ javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection + ❰❰ Blocking ❱❱ + Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if + the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it + is recommended to use parameterized queries or prepared statements. + Details: https://sg.run/gjoe + + 23┆ models.sequelize.query(`SELECT * FROM Products WHERE ((name LIKE '%${criteria}%' OR + description LIKE '%${criteria}%') AND deletedAt IS NULL) ORDER BY name`) // vuln-code- + snippet vuln-line unionSqlInjectionChallenge dbSchemaChallenge + + /src/routes/userProfile.ts + ❯❯❱ javascript.lang.security.audit.code-string-concat.code-string-concat + ❰❰ Blocking ❱❱ + Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable + this can lead to execution of arbitrary system commands in the context of your application process. + Avoid `eval` whenever possible. + Details: https://sg.run/96Yk + + 62┆ username = eval(code) // eslint-disable-line no-eval + + /src/routes/videoHandler.ts + ❯❱ javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag + ❰❰ Blocking ❱❱ + Cannot determine what 'subs' is and it is used with a '') }) + ⋮┆---------------------------------------- + 71┆ compiledTemplate = compiledTemplate.replace('', '') + + /src/server.ts + ❯❱ javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing + ❰❰ Blocking ❱❱ + Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and + files. It is recommended to disable directory listing unless it is a public resource. If you need + directory listing, ensure that sensitive files are inaccessible when querying the resource. + Details: https://sg.run/DX2G + + 269┆ app.use('/ftp', serveIndexMiddleware, serveIndex('ftp', { icons: true })) // vuln-code- + snippet vuln-line directoryListingChallenge + ⋮┆---------------------------------------- + 273┆ app.use('/.well-known', serveIndexMiddleware, serveIndex('.well-known', { icons: true, + view: 'details' })) + ⋮┆---------------------------------------- + 277┆ app.use('/encryptionkeys', serveIndexMiddleware, serveIndex('encryptionkeys', { icons: + true, view: 'details' })) + ⋮┆---------------------------------------- + 281┆ app.use('/support/logs', serveIndexMiddleware, serveIndex('logs', { icons: true, view: + 'details' })) // vuln-code-snippet vuln-line accessLogDisclosureChallenge + + /src/views/dataErasureForm.hbs + ❯❱ generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var + ❰❰ Blocking ❱❱ + Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject + custom JavaScript handlers. To fix this, add quotes around the template expression, like this: "{{ + expr }}". + Details: https://sg.run/weNX + + 21┆ diff --git a/labs/lab5/semgrep/semgrep-results.json b/labs/lab5/semgrep/semgrep-results.json new file mode 100644 index 00000000..ab2ea09b --- /dev/null +++ b/labs/lab5/semgrep/semgrep-results.json @@ -0,0 +1 @@ +{"version":"1.153.1","results":[{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/data/static/codefixes/dbSchemaChallenge_1.ts","start":{"line":5,"col":28,"offset":288},"end":{"line":5,"col":162,"offset":422},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/data/static/codefixes/dbSchemaChallenge_3.ts","start":{"line":11,"col":28,"offset":429},"end":{"line":11,"col":159,"offset":560},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/data/static/codefixes/unionSqlInjectionChallenge_1.ts","start":{"line":6,"col":28,"offset":331},"end":{"line":6,"col":159,"offset":462},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/data/static/codefixes/unionSqlInjectionChallenge_3.ts","start":{"line":10,"col":28,"offset":467},"end":{"line":10,"col":159,"offset":598},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","path":"/src/frontend/src/app/navbar/navbar.component.html","start":{"line":17,"col":47,"offset":681},"end":{"line":17,"col":66,"offset":700},"extra":{"message":"Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"],"category":"security","technology":["html-templates"],"confidence":"LOW","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","shortlink":"https://sg.run/weNX"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","path":"/src/frontend/src/app/purchase-basket/purchase-basket.component.html","start":{"line":15,"col":71,"offset":505},"end":{"line":15,"col":87,"offset":521},"extra":{"message":"Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"],"category":"security","technology":["html-templates"],"confidence":"LOW","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","shortlink":"https://sg.run/weNX"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","path":"/src/frontend/src/app/search-result/search-result.component.html","start":{"line":40,"col":97,"offset":1804},"end":{"line":40,"col":110,"offset":1817},"extra":{"message":"Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"{{ expr }}\".","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss"],"category":"security","technology":["html-templates"],"confidence":"LOW","cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["audit"],"likelihood":"LOW","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/generic.html-templates.security.unquoted-attribute-var.unquoted-attribute-var","shortlink":"https://sg.run/weNX"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret","path":"/src/lib/insecurity.ts","start":{"line":56,"col":56,"offset":2882},"end":{"line":56,"col":66,"offset":2892},"extra":{"message":"A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).","metadata":{"cwe":["CWE-798: Use of Hard-coded Credentials"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html"],"owasp":["A07:2021 - Identification and Authentication Failures","A07:2025 - Authentication Failures"],"asvs":{"control_id":"3.5.2 Static API keys or secret","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x12-V3-Session-management.md#v35-token-based-session-management","section":"V3: Session Management Verification Requirements","version":"4"},"category":"security","technology":["jwt","javascript","secrets"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Hard-coded Secrets"],"source":"https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret","shortlink":"https://sg.run/4xN9"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.injection.raw-html-format.raw-html-format","path":"/src/routes/chatbot.ts","start":{"line":197,"col":46,"offset":6279},"end":{"line":197,"col":56,"offset":6289},"extra":{"message":"User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.","metadata":{"cwe":["CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"owasp":["A07:2017 - Cross-Site Scripting (XSS)","A03:2021 - Injection","A05:2025 - Injection"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"],"category":"security","technology":["express"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Cross-Site-Scripting (XSS)"],"source":"https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format","shortlink":"https://sg.run/5DO3"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-res-sendfile.express-res-sendfile","path":"/src/routes/fileServer.ts","start":{"line":33,"col":20,"offset":1174},"end":{"line":33,"col":46,"offset":1200},"extra":{"message":"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.","metadata":{"references":["https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"],"technology":["express"],"category":"security","cwe":["CWE-73: External Control of File Name or Path"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile","shortlink":"https://sg.run/7DJk"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-res-sendfile.express-res-sendfile","path":"/src/routes/keyServer.ts","start":{"line":14,"col":20,"offset":423},"end":{"line":14,"col":57,"offset":460},"extra":{"message":"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.","metadata":{"references":["https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"],"technology":["express"],"category":"security","cwe":["CWE-73: External Control of File Name or Path"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile","shortlink":"https://sg.run/7DJk"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-res-sendfile.express-res-sendfile","path":"/src/routes/logfileServer.ts","start":{"line":14,"col":20,"offset":423},"end":{"line":14,"col":47,"offset":450},"extra":{"message":"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.","metadata":{"references":["https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"],"technology":["express"],"category":"security","cwe":["CWE-73: External Control of File Name or Path"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile","shortlink":"https://sg.run/7DJk"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/routes/login.ts","start":{"line":34,"col":28,"offset":1492},"end":{"line":34,"col":169,"offset":1633},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-res-sendfile.express-res-sendfile","path":"/src/routes/quarantineServer.ts","start":{"line":14,"col":20,"offset":437},"end":{"line":14,"col":57,"offset":474},"extra":{"message":"The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.","metadata":{"references":["https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html"],"technology":["express"],"category":"security","cwe":["CWE-73: External Control of File Name or Path"],"owasp":["A04:2021 - Insecure Design","A06:2025 - Insecure Design"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Path Traversal"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile","shortlink":"https://sg.run/7DJk"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect","path":"/src/routes/redirect.ts","start":{"line":19,"col":7,"offset":1050},"end":{"line":19,"col":26,"offset":1069},"extra":{"message":"It looks like 'toUrl' is read from user input and it is used to as a redirect. Ensure 'toUrl' is not externally controlled, otherwise this is an open redirect.","metadata":{"owasp":["A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"cwe":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"],"asvs":{"control_id":"5.5.1 Insecue Redirect","control_url":"https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation","section":"V5 Validation, Sanitization and Encoding","version":"4"},"category":"security","technology":["express"],"subcategory":["audit"],"likelihood":"LOW","impact":"LOW","confidence":"LOW","references":["https://owasp.org/Top10/A01_2021-Broken_Access_Control"],"license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Open Redirect"],"source":"https://semgrep.dev/r/javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect","shortlink":"https://sg.run/OPv2"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.express.security.audit.express-open-redirect.express-open-redirect","path":"/src/routes/redirect.ts","start":{"line":19,"col":20,"offset":1063},"end":{"line":19,"col":25,"offset":1068},"extra":{"message":"The application redirects to a URL specified by user-supplied input `query` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.","metadata":{"technology":["express"],"references":["https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"],"cwe":["CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"],"category":"security","owasp":["A01:2021 - Broken Access Control","A01:2025 - Broken Access Control"],"subcategory":["vuln"],"likelihood":"HIGH","impact":"MEDIUM","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Open Redirect"],"source":"https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect","shortlink":"https://sg.run/EpoP"},"severity":"WARNING","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","path":"/src/routes/search.ts","start":{"line":23,"col":28,"offset":869},"end":{"line":23,"col":159,"offset":1000},"extra":{"message":"Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.","metadata":{"interfile":true,"references":["https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements"],"category":"security","technology":["express"],"cwe":["CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"],"owasp":["A01:2017 - Injection","A03:2021 - Injection","A05:2025 - Injection"],"cwe2022-top25":true,"cwe2021-top25":true,"subcategory":["vuln"],"likelihood":"HIGH","impact":"HIGH","confidence":"HIGH","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["SQL Injection"],"source":"https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection","shortlink":"https://sg.run/gjoe"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.lang.security.audit.code-string-concat.code-string-concat","path":"/src/routes/userProfile.ts","start":{"line":62,"col":20,"offset":1916},"end":{"line":62,"col":30,"offset":1926},"extra":{"message":"Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.","metadata":{"interfile":true,"confidence":"HIGH","owasp":["A03:2021 - Injection","A05:2025 - Injection"],"cwe":["CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"],"references":["https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval","https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback","https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/","https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html"],"category":"security","technology":["node.js","Express","Next.js"],"subcategory":["vuln"],"likelihood":"MEDIUM","impact":"MEDIUM","license":"Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license","vulnerability_class":["Code Injection"],"source":"https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat","shortlink":"https://sg.run/96Yk"},"severity":"ERROR","fingerprint":"requires login","lines":"requires login","validation_state":"NO_VALIDATOR","engine_kind":"OSS"}},{"check_id":"javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag","path":"/src/routes/videoHandler.ts","start":{"line":58,"col":90,"offset":1950},"end":{"line":58,"col":94,"offset":1954},"extra":{"message":"Cannot determine what 'subs' is and it is used with a '", + "otherinfo": "" + }, + { + "id": "17", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "89", + "uri": "http://host.docker.internal:3000/", + "nodeName": "http:\/\/host.docker.internal:3000\/", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "16", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.1.0/cookieconsent.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "18", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "//cdnjs.cloudflare.com/ajax/libs/jquery/2.2.4/jquery.min.js", + "attack": "", + "evidence": "", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

", + "otherinfo": "", + "reference": "", + "cweid": "829", + "wascid": "15", + "sourceid": "8" + }, + { + "pluginid": "90004", + "alertRef": "90004-2", + "alert": "Cross-Origin-Embedder-Policy Header Missing or Invalid", + "name": "Cross-Origin-Embedder-Policy Header Missing or Invalid", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

Cross-Origin-Embedder-Policy header is a response header that prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).

", + "instances":[ + { + "id": "38", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "97", + "uri": "http://host.docker.internal:3000/", + "nodeName": "http:\/\/host.docker.internal:3000\/", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "84", + "uri": "http://host.docker.internal:3000/ftp", + "nodeName": "http:\/\/host.docker.internal:3000\/ftp", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "102", + "uri": "http://host.docker.internal:3000/juice-shop/node_modules/express/lib/router/index.js:365:14", + "nodeName": "http:\/\/host.docker.internal:3000\/juice-shop\/node_modules\/express\/lib\/router\/index.js:365:14", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "45", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "Cross-Origin-Embedder-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).

", + "otherinfo": "", + "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Embedder-Policy

", + "cweid": "693", + "wascid": "14", + "sourceid": "8" + }, + { + "pluginid": "90004", + "alertRef": "90004-3", + "alert": "Cross-Origin-Opener-Policy Header Missing or Invalid", + "name": "Cross-Origin-Opener-Policy Header Missing or Invalid", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

Cross-Origin-Opener-Policy header is a response header that allows a site to control if others included documents share the same browsing context. Sharing the same browsing context with untrusted documents might lead to data leak.

", + "instances":[ + { + "id": "40", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "98", + "uri": "http://host.docker.internal:3000/", + "nodeName": "http:\/\/host.docker.internal:3000\/", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "86", + "uri": "http://host.docker.internal:3000/ftp", + "nodeName": "http:\/\/host.docker.internal:3000\/ftp", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "103", + "uri": "http://host.docker.internal:3000/juice-shop/node_modules/express/lib/router/index.js:365:14", + "nodeName": "http:\/\/host.docker.internal:3000\/juice-shop\/node_modules\/express\/lib\/router\/index.js:365:14", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + }, + { + "id": "46", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "Cross-Origin-Opener-Policy", + "attack": "", + "evidence": "", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure that the application/web server sets the Cross-Origin-Opener-Policy header appropriately, and that it sets the Cross-Origin-Opener-Policy header to 'same-origin' for documents.

'same-origin-allow-popups' is considered as less secured and should be avoided.

If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Opener-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-opener-policy).

", + "otherinfo": "", + "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cross-Origin-Opener-Policy

", + "cweid": "693", + "wascid": "14", + "sourceid": "8" + }, + { + "pluginid": "10110", + "alertRef": "10110", + "alert": "Dangerous JS Functions", + "name": "Dangerous JS Functions", + "riskcode": "1", + "confidence": "1", + "riskdesc": "Low (Low)", + "desc": "

A dangerous JS function seems to be in use that would leave the site vulnerable.

", + "instances":[ + { + "id": "109", + "uri": "http://host.docker.internal:3000/main.js", + "nodeName": "http:\/\/host.docker.internal:3000\/main.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "bypassSecurityTrustHtml(", + "otherinfo": "" + }, + { + "id": "110", + "uri": "http://host.docker.internal:3000/vendor.js", + "nodeName": "http:\/\/host.docker.internal:3000\/vendor.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "bypassSecurityTrustHtml(", + "otherinfo": "" + } + ], + "count": "2", + "systemic": false, + "solution": "

See the references for security advice on the use of these functions.

", + "otherinfo": "", + "reference": "

https://v17.angular.io/guide/security

", + "cweid": "749", + "wascid": "-1", + "sourceid": "22" + }, + { + "pluginid": "10063", + "alertRef": "10063-2", + "alert": "Deprecated Feature Policy Header Set", + "name": "Deprecated Feature Policy Header Set", + "riskcode": "1", + "confidence": "2", + "riskdesc": "Low (Medium)", + "desc": "

The header has now been renamed to Permissions-Policy.

", + "instances":[ + { + "id": "37", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + }, + { + "id": "73", + "uri": "http://host.docker.internal:3000/ftp/coupons_2013.md.bak", + "nodeName": "http:\/\/host.docker.internal:3000\/ftp\/coupons_2013.md.bak", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + }, + { + "id": "47", + "uri": "http://host.docker.internal:3000/polyfills.js", + "nodeName": "http:\/\/host.docker.internal:3000\/polyfills.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + }, + { + "id": "5", + "uri": "http://host.docker.internal:3000/runtime.js", + "nodeName": "http:\/\/host.docker.internal:3000\/runtime.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + }, + { + "id": "44", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "Feature-Policy", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "

Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header instead of the Feature-Policy header.

", + "otherinfo": "", + "reference": "

https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy

https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

", + "cweid": "16", + "wascid": "15", + "sourceid": "8" + }, + { + "pluginid": "10096", + "alertRef": "10096", + "alert": "Timestamp Disclosure - Unix", + "name": "Timestamp Disclosure - Unix", + "riskcode": "1", + "confidence": "1", + "riskdesc": "Low (Low)", + "desc": "

A timestamp was disclosed by the application/web server. - Unix

", + "instances":[ + { + "id": "26", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1650485437", + "otherinfo": "1650485437, which evaluates to: 2022-04-20 20:10:37." + }, + { + "id": "31", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1981395349", + "otherinfo": "1981395349, which evaluates to: 2032-10-14 19:35:49." + }, + { + "id": "27", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "2038834951", + "otherinfo": "2038834951, which evaluates to: 2034-08-10 15:02:31." + }, + { + "id": "29", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "1650485437", + "otherinfo": "1650485437, which evaluates to: 2022-04-20 20:10:37." + }, + { + "id": "32", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "2038834951", + "otherinfo": "2038834951, which evaluates to: 2034-08-10 15:02:31." + } + ], + "count": "5", + "systemic": true, + "solution": "

Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

", + "otherinfo": "

1650485437, which evaluates to: 2022-04-20 20:10:37.

", + "reference": "

https://cwe.mitre.org/data/definitions/200.html

", + "cweid": "497", + "wascid": "13", + "sourceid": "1" + }, + { + "pluginid": "10109", + "alertRef": "10109", + "alert": "Modern Web Application", + "name": "Modern Web Application", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

", + "instances":[ + { + "id": "22", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "91", + "uri": "http://host.docker.internal:3000/", + "nodeName": "http:\/\/host.docker.internal:3000\/", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "99", + "uri": "http://host.docker.internal:3000/juice-shop/build/routes/fileServer.js:43:13", + "nodeName": "http:\/\/host.docker.internal:3000\/juice-shop\/build\/routes\/fileServer.js:43:13", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "100", + "uri": "http://host.docker.internal:3000/juice-shop/node_modules/express/lib/router/index.js:365:14", + "nodeName": "http:\/\/host.docker.internal:3000\/juice-shop\/node_modules\/express\/lib\/router\/index.js:365:14", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + }, + { + "id": "21", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "No links have been found while there are scripts, which is an indication that this is a modern web application." + } + ], + "count": "5", + "systemic": true, + "solution": "

This is an informational alert and so no changes are required.

", + "otherinfo": "

No links have been found while there are scripts, which is an indication that this is a modern web application.

", + "reference": "", + "cweid": "-1", + "wascid": "-1", + "sourceid": "1" + }, + { + "pluginid": "10049", + "alertRef": "10049-1", + "alert": "Non-Storable Content", + "name": "Non-Storable Content", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.

", + "instances":[ + { + "id": "72", + "uri": "http://host.docker.internal:3000/ftp/coupons_2013.md.bak", + "nodeName": "http:\/\/host.docker.internal:3000\/ftp\/coupons_2013.md.bak", + "method": "GET", + "param": "", + "attack": "", + "evidence": "403", + "otherinfo": "" + }, + { + "id": "75", + "uri": "http://host.docker.internal:3000/ftp/eastere.gg", + "nodeName": "http:\/\/host.docker.internal:3000\/ftp\/eastere.gg", + "method": "GET", + "param": "", + "attack": "", + "evidence": "403", + "otherinfo": "" + }, + { + "id": "74", + "uri": "http://host.docker.internal:3000/ftp/encrypt.pyc", + "nodeName": "http:\/\/host.docker.internal:3000\/ftp\/encrypt.pyc", + "method": "GET", + "param": "", + "attack": "", + "evidence": "403", + "otherinfo": "" + } + ], + "count": "3", + "systemic": true, + "solution": "

The content may be marked as storable by ensuring that the following conditions are satisfied:

The request method must be understood by the cache and defined as being cacheable (\"GET\", \"HEAD\", and \"POST\" are currently defined as cacheable)

The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)

The \"no-store\" cache directive must not appear in the request or response header fields

For caching by \"shared\" caches such as \"proxy\" caches, the \"private\" response directive must not appear in the response

For caching by \"shared\" caches such as \"proxy\" caches, the \"Authorization\" header field must not appear in the request, unless the response explicitly allows it (using one of the \"must-revalidate\", \"public\", or \"s-maxage\" Cache-Control response directives)

In addition to the conditions above, at least one of the following conditions must also be satisfied by the response:

It must contain an \"Expires\" header field

It must contain a \"max-age\" response directive

For \"shared\" caches such as \"proxy\" caches, it must contain a \"s-maxage\" response directive

It must contain a \"Cache Control Extension\" that allows it to be cached

It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).

", + "otherinfo": "", + "reference": "

https://datatracker.ietf.org/doc/html/rfc7234

https://datatracker.ietf.org/doc/html/rfc7231

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

", + "cweid": "524", + "wascid": "13", + "sourceid": "40" + }, + { + "pluginid": "10049", + "alertRef": "10049-3", + "alert": "Storable and Cacheable Content", + "name": "Storable and Cacheable Content", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where \"shared\" caching servers such as \"proxy\" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

", + "instances":[ + { + "id": "4", + "uri": "http://host.docker.internal:3000/robots.txt", + "nodeName": "http:\/\/host.docker.internal:3000\/robots.txt", + "method": "GET", + "param": "", + "attack": "", + "evidence": "", + "otherinfo": "In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234." + } + ], + "count": "1", + "systemic": true, + "solution": "

Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:

Cache-Control: no-cache, no-store, must-revalidate, private

Pragma: no-cache

Expires: 0

This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.

", + "otherinfo": "

In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.

", + "reference": "

https://datatracker.ietf.org/doc/html/rfc7234

https://datatracker.ietf.org/doc/html/rfc7231

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

", + "cweid": "524", + "wascid": "13", + "sourceid": "6" + }, + { + "pluginid": "10049", + "alertRef": "10049-2", + "alert": "Storable but Non-Cacheable Content", + "name": "Storable but Non-Cacheable Content", + "riskcode": "0", + "confidence": "2", + "riskdesc": "Informational (Medium)", + "desc": "

The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.

", + "instances":[ + { + "id": "35", + "uri": "http://host.docker.internal:3000", + "nodeName": "http:\/\/host.docker.internal:3000", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + }, + { + "id": "20", + "uri": "http://host.docker.internal:3000/assets/public/favicon_js.ico", + "nodeName": "http:\/\/host.docker.internal:3000\/assets\/public\/favicon_js.ico", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + }, + { + "id": "34", + "uri": "http://host.docker.internal:3000/polyfills.js", + "nodeName": "http:\/\/host.docker.internal:3000\/polyfills.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + }, + { + "id": "3", + "uri": "http://host.docker.internal:3000/runtime.js", + "nodeName": "http:\/\/host.docker.internal:3000\/runtime.js", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + }, + { + "id": "39", + "uri": "http://host.docker.internal:3000/sitemap.xml", + "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", + "method": "GET", + "param": "", + "attack": "", + "evidence": "max-age=0", + "otherinfo": "" + } + ], + "count": "5", + "systemic": true, + "solution": "", + "otherinfo": "", + "reference": "

https://datatracker.ietf.org/doc/html/rfc7234

https://datatracker.ietf.org/doc/html/rfc7231

https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html

", + "cweid": "524", + "wascid": "13", + "sourceid": "8" + } + ] + } + ], + "sequences":[ + ] + +} diff --git a/labs/lab5/zap/zap.yaml b/labs/lab5/zap/zap.yaml new file mode 100644 index 00000000..1bb2099c --- /dev/null +++ b/labs/lab5/zap/zap.yaml @@ -0,0 +1,40 @@ +env: + contexts: + - excludePaths: [] + name: baseline + urls: + - http://host.docker.internal:3000 + parameters: + failOnError: true + progressToStdout: false +jobs: +- parameters: + enableTags: false + maxAlertsPerRule: 10 + type: passiveScan-config +- parameters: + maxDuration: 1 + url: http://host.docker.internal:3000 + type: spider +- parameters: + maxDuration: 0 + type: passiveScan-wait +- parameters: + format: Long + summaryFile: /home/zap/zap_out.json + rules: [] + type: outputSummary +- parameters: + reportDescription: '' + reportDir: /zap/wrk/ + reportFile: report-noauth.html + reportTitle: ZAP Scanning Report + template: traditional-html + type: report +- parameters: + reportDescription: '' + reportDir: /zap/wrk/ + reportFile: zap-report-noauth.json + reportTitle: ZAP Scanning Report + template: traditional-json + type: report diff --git a/labs/submission5.md b/labs/submission5.md new file mode 100644 index 00000000..54554b53 --- /dev/null +++ b/labs/submission5.md @@ -0,0 +1,157 @@ +# Lab 5 — SAST & DAST Security Analysis of OWASP Juice Shop + +## Environment +- Target application: **OWASP Juice Shop v19.0.0** +- SAST tool: **Semgrep** +- DAST tools: **OWASP ZAP**, **Nuclei**, **Nikto**, **SQLmap** +- Platform used for execution: **Windows PowerShell + Docker Desktop** + +--- + +## Task 1 — SAST Analysis with Semgrep + +### 1.1 SAST Tool Effectiveness + +Semgrep was used to statically analyze the Juice Shop source code with security-focused rulesets. It detected **25 code-level findings**, which shows good coverage for early-stage security review of the codebase. Static analysis is especially useful for identifying insecure coding patterns before deployment, including SQL injection patterns, tainted input flowing into ORM/database calls, and other source-level issues that are not dependent on runtime configuration. + +In this lab, the Semgrep output was dominated by **SQL injection-related findings** in Sequelize-based code paths. This is a strong example of what SAST does well: it catches insecure patterns directly in source files and points to exact locations where user-controlled input may reach unsafe queries. + +### 1.2 Top-5 Critical Findings from Semgrep + +| # | Rule | Severity | File:Line | Vulnerability Type | +|---:|---|---|---|---| +| 1 | `javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection` | **ERROR** | `/src/data/static/codefixes/dbSchemaChallenge_1.ts:5` | SQL Injection | +| 2 | `javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection` | **ERROR** | `/src/data/static/codefixes/dbSchemaChallenge_3.ts:11` | SQL Injection | +| 3 | `javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection` | **ERROR** | `/src/data/static/codefixes/unionSqlInjectionChallenge_1.ts:6` | SQL Injection | +| 4 | `javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection` | **ERROR** | `/src/data/static/codefixes/unionSqlInjectionChallenge_3.ts:10` | SQL Injection | +| 5 | `javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection` | **ERROR** | `/src/routes/login.ts:34` | SQL Injection | + +All five top findings are high-value because they indicate user input reaching query logic without proper sanitization or parameterization. The finding in `login.ts` is especially important because authentication endpoints are high-risk and often directly exposed. + +--- + +## Task 2 — DAST Analysis with Multiple Tools + +### 2.1 Authenticated vs Unauthenticated ZAP Scans + +The unauthenticated ZAP scan discovered **95 URLs** and reported **26 alerts**: **0 High, 4 Medium, 10 Low, 12 Informational**. This baseline scan reflects the public attack surface of the application. + +The authenticated ZAP run discovered significantly more surface through crawling: **112 URLs** via the standard spider and **545 URLs** via the AJAX spider. This is a major increase compared with the unauthenticated baseline, which confirms that authenticated scanning exposes much more of the application’s runtime surface. + +Although the helper comparison script initially reported `0` alerts for the authenticated scan, the actual `report-auth.html` shows that the authenticated report contains **1 High, 4 Medium, 4 Low, and 3 Informational alerts**. The report also indicates **103 total endpoints** and **100% authentication failures**, so the scan still traversed a broader dynamic surface, but authentication verification was not fully successful in this run. + +### 2.2 Key Authenticated Findings from ZAP + +The most important authenticated ZAP finding was **SQL Injection (High)** with **2 instances**. ZAP flagged both: +- `GET /rest/products/search?q=...` with injectable parameter `q` +- `POST /rest/user/login` with injectable parameter `email` + +In both cases, ZAP observed `HTTP/1.1 500 Internal Server Error` as evidence, which is a strong runtime signal of potentially unsafe query handling. + +The authenticated report also identified several **Medium** issues: +- **Content Security Policy (CSP) Header Not Set** +- **Cross-Domain Misconfiguration** +- **Missing Anti-clickjacking Header** +- **Session ID in URL Rewrite** + +Example runtime/session issue: +- `Session ID in URL Rewrite` was reported on Socket.IO URLs containing a `sid` parameter in the query string. This matters because session identifiers in URLs can leak via browser history, logs, and referer headers. + +Example header/configuration issue: +- `Missing Anti-clickjacking Header` was reported on Socket.IO responses, meaning the application does not consistently protect pages/responses against framing-based UI attacks. + +### 2.3 Multi-Tool Comparison + +| Tool | Findings | Severity Breakdown | Best Use Case | +|---|---:|---|---| +| ZAP (auth report HTML) | 12 | High:1 Med:4 Low:4 Info:3 | Runtime web app assessment, crawler-driven discovery, active/passive testing | +| ZAP (noauth) | 26 | High:0 Med:4 Low:10 Info:12 | Public attack surface baseline | +| Nuclei | 0 | n/a | Fast template-based checks for known issues/CVEs | +| Nikto | 14 | n/a | Server misconfiguration, headers, default files | +| SQLmap | 1 | n/a | Targeted SQL injection validation and exploitation | + +The automated summary script recorded `0` for authenticated ZAP because it parsed the wrong or empty report path during execution. However, the actual authenticated HTML report is the stronger source of truth and shows non-zero findings. Nuclei produced **0 matches**, Nikto found **14 server issues**, and SQLmap confirmed **1 SQL injection vulnerability** in its CSV output. + +### 2.4 Tool-Specific Strengths + +- **ZAP** was the most comprehensive DAST tool. It discovered runtime vulnerabilities such as SQLi, missing security headers, session management issues, and broader application behavior. +- **Nuclei** is best for quick template-driven checks, but in this run it did not identify any matching issues. +- **Nikto** was useful for server-side and HTTP-level problems, reporting **14 server issues**. +- **SQLmap** provided the strongest targeted validation for database injection by confirming **1 SQL injection vulnerability**, which complements both ZAP’s runtime signal and Semgrep’s source-level findings. + +--- + +## Task 3 — SAST vs DAST Correlation + +### 3.1 Total Findings Comparison + +- **SAST (Semgrep): 25 findings** +- **DAST summary script total:** ZAP(auth) `0` + Nuclei `0` + Nikto `14` + SQLmap `1` = **15** +- **DAST using actual authenticated ZAP HTML instead of broken summary:** ZAP(auth) `12` + Nuclei `0` + Nikto `14` + SQLmap `1` = **27** + +The difference between the script-generated DAST count and the actual authenticated ZAP report comes from report parsing, not from the scan itself. For the analysis below, the actual report evidence is more reliable than the intermediate broken summary. + +### 3.2 Vulnerability Types Found Mainly by SAST + +SAST was especially effective at identifying vulnerabilities that exist directly in source code: + +1. **ORM/SQL injection patterns in source files** + Semgrep repeatedly flagged tainted input flowing into Sequelize query construction. This is visible in multiple `.ts` files and in `routes/login.ts`. + +2. **Unsafe implementation details before deployment** + Static analysis can identify dangerous coding patterns even when they are not yet reached during testing or are protected by app flow constraints. This makes it ideal for catching defects earlier in CI/CD. + +3. **Exact file-and-line developer remediation points** + Semgrep gives developers direct remediation locations, which DAST cannot provide. + +### 3.3 Vulnerability Types Found Mainly by DAST + +DAST revealed issues that are only visible when the application is running: + +1. **HTTP header and browser security misconfiguration** + Missing CSP, missing anti-clickjacking protection, and missing `X-Content-Type-Options` are runtime response problems that static code scans often miss. + +2. **Session management issues** + `Session ID in URL Rewrite` was only visible during runtime interaction with Socket.IO/session-related flows. + +3. **Observed runtime exploitability signals** + ZAP and SQLmap both surfaced SQL injection at runtime. ZAP showed concrete payloads and server error evidence, while SQLmap confirmed one SQLi vulnerability from the live target. + +### 3.4 Why SAST and DAST Find Different Things + +SAST and DAST answer different questions: + +- **SAST** asks: *“Is the code written in a dangerous way?”* + It works before deployment and is best for spotting insecure patterns, taint flows, and exact source locations. + +- **DAST** asks: *“What is actually exposed or exploitable when the application runs?”* + It is better for headers, cookies, session handling, authentication behavior, routing, and real HTTP responses. + +This lab clearly shows why both are needed. Semgrep found many code-level SQLi patterns, while runtime tools exposed header misconfigurations, session issues, and live SQLi behavior. Together they provide much better coverage than either method alone. + +--- + +## Security Recommendations + +1. **Fix SQL injection risks first** + Replace dynamic or unsafe query construction with parameterized queries and validate all user-controlled input on the server side. + +2. **Harden HTTP security headers** + Add `Content-Security-Policy`, `X-Frame-Options` or `frame-ancestors`, and `X-Content-Type-Options` consistently across responses. + +3. **Remove session identifiers from URLs** + Session IDs should be stored in secure cookies rather than query parameters to reduce leakage risk. + +4. **Use both SAST and DAST in the DevSecOps pipeline** + - Run **Semgrep** in pull requests / CI for early developer feedback. + - Run **ZAP** in QA/staging for runtime coverage. + - Use **Nikto** for deployment/server checks. + - Use **SQLmap** for targeted validation when injection is suspected. + +--- + +## Final Conclusion + +This lab demonstrates that **SAST and DAST are complementary, not interchangeable**. Semgrep identified **25 code-level findings**, mostly related to SQL injection patterns in the source code, while runtime tools identified live application risks such as SQL injection, security header weaknesses, session exposure, and server misconfiguration. Authenticated crawling also expanded discovered surface from **95 public URLs** to **112 spider URLs** and **545 AJAX URLs**, confirming the value of authenticated scanning even though authentication verification itself was imperfect in this run. + +The main practical takeaway is simple: use **Semgrep early**, use **ZAP/Nikto/SQLmap later**, and treat correlation between static and dynamic findings as the strongest basis for prioritizing remediation.