ZAP Scanning Report

Summary of Alerts

Generated on Fri, 23 Apr 2021 11:00:42

Risk Level       Number of Alerts
High             0
Medium           4
Low              5
Informational    0

Alerts

Name                                                                                Risk Level     Number of Instances
CSP: script-src unsafe-inline                                                       Medium         3
CSP: style-src unsafe-inline                                                        Medium         3
CSP: Wildcard Directive                                                             Medium         3
X-Frame-Options Header Not Set                                                      Medium         1
Cookie No HttpOnly Flag                                                             Low            4
Cookie Without SameSite Attribute                                                   Low            4
Cookie Without Secure Flag                                                          Low            2
Incomplete or No Cache-control and Pragma HTTP Header Set                           Low            1
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)           Low            4

Alert Detail

Medium (Medium) CSP: script-src unsafe-inline
Description

script-src includes unsafe-inline.

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

URL: https://v3.lolagrove.com/sitemap.xml
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

Instances: 3
Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Reference

http://www.w3.org/TR/CSP2/

http://www.w3.org/TR/CSP/

http://caniuse.com/#search=content+security+policy

http://content-security-policy.com/

https://github.com/shapesecurity/salvation

https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) CSP: style-src unsafe-inline
Description

style-src includes unsafe-inline.

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

URL: https://v3.lolagrove.com/sitemap.xml
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

Instances: 3
Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Reference

http://www.w3.org/TR/CSP2/

http://www.w3.org/TR/CSP/

http://caniuse.com/#search=content+security+policy

http://content-security-policy.com/

https://github.com/shapesecurity/salvation

https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) CSP: Wildcard Directive
Description

The following directives either allow wildcard sources (or ancestors), are not defined, or are defined too broadly:

frame-ancestors, form-action

The directives frame-ancestors and form-action are among those that do not fall back to default-src; omitting them is equivalent to allowing anything.

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

URL: https://v3.lolagrove.com/sitemap.xml
Method: GET
Parameter: Content-Security-Policy
Evidence: default-src https: 'unsafe-inline' 'unsafe-eval';img-src 'self' https: data:;

Instances: 3
Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Reference

http://www.w3.org/TR/CSP2/

http://www.w3.org/TR/CSP/

http://caniuse.com/#search=content+security+policy

http://content-security-policy.com/

https://github.com/shapesecurity/salvation

https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium) X-Frame-Options Header Not Set
Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: X-Frame-Options

Instances: 1
Solution

Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on all web pages returned by your site: if you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. Alternatively, consider implementing Content Security Policy's "frame-ancestors" directive.

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

CWE Id: 16
WASC Id: 15
Source ID: 3

Low (Medium) Cookie No HttpOnly Flag
Description

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: ApplicationGatewayAffinity
Evidence: Set-Cookie: ApplicationGatewayAffinity

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: ApplicationGatewayAffinityCORS
Evidence: Set-Cookie: ApplicationGatewayAffinityCORS

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Parameter: ApplicationGatewayAffinityCORS
Evidence: Set-Cookie: ApplicationGatewayAffinityCORS

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Parameter: ApplicationGatewayAffinity
Evidence: Set-Cookie: ApplicationGatewayAffinity

Instances: 4
Solution

Ensure that the HttpOnly flag is set for all cookies.

Reference

https://owasp.org/www-community/HttpOnly

CWE Id: 16
WASC Id: 13
Source ID: 3

Low (Medium) Cookie Without SameSite Attribute
Description

A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Parameter: ApplicationGatewayAffinityCORS
Evidence: Set-Cookie: ApplicationGatewayAffinityCORS

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: ApplicationGatewayAffinity
Evidence: Set-Cookie: ApplicationGatewayAffinity

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Parameter: ApplicationGatewayAffinity
Evidence: Set-Cookie: ApplicationGatewayAffinity

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: ApplicationGatewayAffinityCORS
Evidence: Set-Cookie: ApplicationGatewayAffinityCORS

Instances: 4
Solution

Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.

Reference

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site

CWE Id: 16
WASC Id: 13
Source ID: 3

Low (Medium) Cookie Without Secure Flag
Description

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: ApplicationGatewayAffinity
Evidence: Set-Cookie: ApplicationGatewayAffinity

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Parameter: ApplicationGatewayAffinity
Evidence: Set-Cookie: ApplicationGatewayAffinity

Instances: 2
Solution

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted channel. Ensure that the secure flag is set for cookies containing such sensitive information.

Reference

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes.html

CWE Id: 614
WASC Id: 13
Source ID: 3

Low (Medium) Incomplete or No Cache-control and Pragma HTTP Header Set
Description

The cache-control and pragma HTTP headers have not been set properly or are missing, allowing the browser and proxies to cache content.

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Parameter: Cache-Control
Evidence: private

Instances: 1
Solution

Whenever possible, ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate, and that the pragma HTTP header is set with no-cache.

Reference

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching

CWE Id: 525
WASC Id: 13
Source ID: 3

Low (Medium) Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Description

The web/application server is leaking information via one or more "X-Powered-By" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.

URL: https://v3.lolagrove.com/favicon.ico
Method: GET
Evidence: X-Powered-By: LOLAGROVE(3.4.6976.22064)

URL: https://v3.lolagrove.com/sitemap.xml
Method: GET
Evidence: X-Powered-By: LOLAGROVE(3.4.6976.22064)

URL: https://v3.lolagrove.com/data.ashx?id=52714.14891
Method: GET
Evidence: X-Powered-By: LOLAGROVE(3.4.6976.22064)

URL: https://v3.lolagrove.com/robots.txt
Method: GET
Evidence: X-Powered-By: LOLAGROVE(3.4.6976.22064)

Instances: 4
Solution

Ensure that your web server, application server, load balancer, etc. is configured to suppress "X-Powered-By" headers.

Reference

http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx

http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html

CWE Id: 200
WASC Id: 13
Source ID: 3