-
Notifications
You must be signed in to change notification settings - Fork 29
/
rules.xml
2907 lines (2830 loc) · 152 KB
/
rules.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!-- TODO this file should be automatically generated with the ZAProxy report -->
<!-- A rule model -->
<!--<rule>
<key></key>
<name></name>-->
<!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<!--<description>
<![CDATA[<h3>Solution :</h3>
<p></p>
<h3>References:</h3>
<ul>
<li><a href=""></a></li>
</ul>]]>
</description>
<severity></severity>
<status>READY</status>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
-->
<!--
For the moment, this file contains only rules of the ZAP core.
If you want to add a rule, you can, following the model above.
-->
<rules>
<rule>
<key>0</key>
<name>Directory Browsing</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Disable directory browsing. If this is required, make sure the listed files does not induce risks.</p>
<h3>References:</h3>
<ul>
<li><a href="https://httpd.apache.org/docs/mod/core.html#options">Directive Options</a></li>
<li><a href="https://alamo.satlug.org/pipermail/satlug/2002-February/000053.html">Apache Dir/Browsing Question</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/548.html">CWE-548</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/0/">https://www.zaproxy.org/docs/alerts/0/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-548</tag>
<tag>wascid-48</tag>
<tag>wascid-16</tag>
<tag>owasp-a5</tag>
<tag>owasp-a6</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<!--
"securityStandards": {
"CWE": [
330
],
"OWASP": [
"A6"
]
}-->
<rule>
<key>2</key>
<name>Private IP Disclosure</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Remove the private IP address from the HTTP response body. For comments, use JSP/ASP comment instead of HTML/JavaScript comment which can be seen by
client browsers.</p>
<h3>References:</h3>
<ul>
<li><a href="https://tools.ietf.org/html/rfc1918">Address Allocation for Private Internets</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/2/">https://www.zaproxy.org/docs/alerts/2/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>cweid-200</tag>
<tag>wascid-13</tag>
<tag>owasp-a6</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>3</key>
<name>Session ID in URL Rewrite</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.</p>
<h3>References:</h3>
<ul>
<li><a href="https://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html">Hijacking URL Encoded Session IDs using Referer Logs</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/3/">https://www.zaproxy.org/docs/alerts/3/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-200</tag>
<tag>wascid-13</tag>
<tag>owasp-a6</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>6</key>
<name>Path Traversal</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to
specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on
looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or
determining which inputs are so malformed that they should be rejected outright.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or
extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid
because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."
For filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid weaknesses,
and exclude directory separators such as "/". Use a whitelist of allowable file extensions.
Warning: if you attempt to cleanse your data, then do so that the end result is not in the form that can be dangerous. A sanitizing mechanism can remove characters
such as '.' and ';' which may be required for some exploits. An attacker can try to fool the sanitizing mechanism into "cleaning" data into a dangerous form.
Suppose the attacker injects a '.' inside a filename (e.g. "sensi.tiveFile") and the sanitizing mechanism removes the character resulting in the valid filename,
"sensitiveFile". If the input data are now assumed to be safe, then the file may be compromised.
Inputs should be decoded and canonicalized to the application's current internal representation before being validated. Make sure that your application does not
decode the same input twice. Such errors could be used to bypass whitelist schemes by introducing dangerous inputs after they have been checked.
Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes ".."
sequences and symbolic links.
Run your code using the lowest privileges that are required to accomplish the necessary tasks. If possible, create isolated accounts with limited privileges that
are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For
example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the
actual filenames or URLs, and reject all other inputs.
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict
which files can be accessed in a particular directory or which commands can be executed by your software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in
the Java SecurityManager allows you to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
</p>
<h3>References:</h3>
<ul>
<li><a href="https://projects.webappsec.org/Path-Traversal">Path Traversal</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/22.html">CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/6/">https://www.zaproxy.org/docs/alerts/6/</a></li>
</ul>]]>
</description>
<severity>CRITICAL</severity>
<status>READY</status>
<tag>cweid-22</tag>
<tag>wascid-33</tag>
<tag>owasp-a5</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>7</key>
<name>Remote File Inclusion</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Phase: Architecture and Design</p>
<p>
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs)
to the actual filenames or URLs, and reject all other inputs.
For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap provide this capability.
</p>
Phases: Architecture and Design; Operation
<p>
Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively
restrict which files can be accessed in a particular directory or which commands can be executed by your software.
OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example,
java.io.FilePermission in the Java SecurityManager allows you to specify restrictions on file operations.
This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
Be careful to avoid CWE-243 and other weaknesses related to jails.
For PHP, the interpreter offers restrictions such as open basedir or safe mode which can make it more difficult for an attacker to escape out of the
application. Also consider Suhosin, a hardened PHP extension, which includes various options that disable some of the more dangerous PHP features.
</p>
Phase: Implementation
<p>
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to
specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on
looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or
determining which inputs are so malformed that they should be rejected outright.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values,
missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be
syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."
For filenames, use stringent whitelists that limit the character set to be used. If feasible, only allow a single "." character in the filename to avoid
weaknesses such as CWE-23, and exclude directory separators such as "/" to avoid CWE-36. Use a whitelist of allowable file extensions, which will help to
avoid CWE-434.
</p>
Phases: Architecture and Design; Operation
<p>
Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web
server's access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling
program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and
it can exit immediately.
This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include
files. It will also reduce your attack surface.
</p>
Phases: Architecture and Design; Implementation
<p>
Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network,
environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, databases, and any external systems that provide
data to the application. Remember that such inputs may be obtained indirectly through API calls.
Many file inclusion problems occur because the programmer assumed that certain inputs could not be modified, especially for cookies and URL components.
</p>
<h3>References:</h3>
<ul>
<li><a href="https://projects.webappsec.org/Remote-File-Inclusion">Remote File Inclusion</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/98.html">CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program
('PHP Remote File Inclusion')</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/7/">https://www.zaproxy.org/docs/alerts/7/</a></li>
</ul>]]>
</description>
<severity>CRITICAL</severity>
<status>READY</status>
<tag>cweid-98</tag>
<tag>wascid-5</tag>
<tag>owasp-a5</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>41</key>
<name>Source Code Disclosure - Git</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that Git metadata files are not deployed to the web server or application server.</p>
<h3>References:</h3>
<ul>
<li><a href="https://projects.webappsec.org/Predictable-Resource-Location">https://projects.webappsec.org/Predictable-Resource-Location</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/425.html">https://cwe.mitre.org/data/definitions/425.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/41/">https://www.zaproxy.org/docs/alerts/41/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-425</tag>
<tag>cweid-541</tag>
<tag>wascid-34</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>42</key>
<name>Source Code Disclosure - SVN</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that SVN metadata files are not deployed to the web server or application server.</p>
<h3>References:</h3>
<ul>
<li><a href="https://projects.webappsec.org/Predictable-Resource-Location">https://projects.webappsec.org/Predictable-Resource-Location</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/425.html">https://cwe.mitre.org/data/definitions/425.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/42/">https://www.zaproxy.org/docs/alerts/42/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-425</tag>
<tag>cweid-541</tag>
<tag>wascid-34</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>43</key>
<name>Source Code Disclosure - File Inclusion</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that Source Code files are not deployed to the web server or application server.</p>
<h3>References:</h3>
<ul>
<li><a href="https://projects.webappsec.org/Predictable-Resource-Location">https://projects.webappsec.org/Predictable-Resource-Location</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/425.html">https://cwe.mitre.org/data/definitions/425.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/43/">https://www.zaproxy.org/docs/alerts/43/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-425</tag>
<tag>cweid-541</tag>
<tag>wascid-34</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10003</key>
<name>Vulnerable JS Library</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Please upgrade to the latest version of ExampleLibrary.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/829.html">https://cwe.mitre.org/data/definitions/829.html</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/937.html">https://cwe.mitre.org/data/definitions/937.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10003/">https://www.zaproxy.org/docs/alerts/10003/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-829</tag>
<tag>cweid-937</tag>
<tag>owasp-a9</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10009</key>
<name>In Page Banner Information Leak</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>"Configure the server to prevent such information leaks. For example:
Under Tomcat this is done via the 'server' directive and implementation of custom error pages.
Under Apache this is done via the 'ServerSignature' and 'ServerTokens' directives.".</p>
<h3>References:</h3>
<ul>
<li><a href="https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/">https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">https://cwe.mitre.org/data/definitions/200.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10009/">https://www.zaproxy.org/docs/alerts/10009/</a></li>
</ul>]]>
</description>
<severity>INFO</severity>
<status>READY</status>
<tag>cweid-200</tag>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10010</key>
<name>Cookie set without HttpOnly flag</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that the HttpOnly flag is set for all cookies.</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/HttpOnly">HttpOnly</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/1004.html">https://cwe.mitre.org/data/definitions/1004.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10010/">https://www.zaproxy.org/docs/alerts/10010/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>wascid-15</tag>
<tag>cweid-1004</tag>
<tag>owasp-a2</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10011</key>
<name>Cookie set without secure flag</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted tunnel.
Ensure that the secure flag is set for cookies containing such sensitive information.</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OWASP-SM-002)">Testing for cookies attributes (OTG-SESS-002)</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/614.html">https://cwe.mitre.org/data/definitions/614.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10011/">https://www.zaproxy.org/docs/alerts/10011/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>wascid-4</tag>
<tag>cweid-614</tag>
<tag>owasp-a2</tag>
<tag>owasp-a3</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10012</key>
<name>Password Autocomplete in Browser</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE='OFF'</p>
<h3>References:</h3>
<ul>
<li><a href="https://msdn.microsoft.com/library/default.asp?url=/workshop/author/forms/autocomplete_ovr.asp">Autocomplete</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/525.html">https://cwe.mitre.org/data/definitions/525.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10012/">https://www.zaproxy.org/docs/alerts/10012/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>cweid-525</tag>
<tag>security</tag>
<tag>zaproxy</tag>
<tag>owasp-a3</tag>
</rule>
<rule>
<key>10015</key>
<name>Incomplete or No Cache-control and Pragma HTTP Header Set</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate, private; and that the pragma HTTP header is
set with no-cache.</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching">Web Content Caching</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/525.html">https://cwe.mitre.org/data/definitions/525.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10015/">https://www.zaproxy.org/docs/alerts/10015/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>cweid-525</tag>
<tag>security</tag>
<tag>zaproxy</tag>
<tag>owasp-a3</tag>
</rule>
<rule>
<key>10016</key>
<name>Web Browser XSS Protection Not Enabled</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">XSS (Cross Site Scripting) Prevention Cheat Sheet</a></li>
<li><a href="https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers">Guidelines for Setting Security Headers</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/933.html">https://cwe.mitre.org/data/definitions/933.html</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10016/">https://www.zaproxy.org/docs/alerts/10016/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>cweid-933</tag>
<tag>wascid-14</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10017</key>
<name>Cross-Domain JavaScript Source File Inclusion</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.zaproxy.org/docs/alerts/10017/">https://www.zaproxy.org/docs/alerts/10017/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10019</key>
<name>Content-Type Header Missing</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure each page is setting the specific and appropriate content-type value for the content being delivered</p>
<h3>References:</h3>
<ul>
<li><a href="https://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx">Reducing MIME type security risks</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10019/">https://www.zaproxy.org/docs/alerts/10019/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>security</tag>
<tag>zaproxy</tag>
<tag>owasp-a6</tag>
</rule>
<rule>
<key>10020</key>
<name>X-Frame-Options Header Not Set</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site
(if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise
if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).</p>
<h3>References:</h3>
<ul>
<li><a href="https://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx">Combating ClickJacking With X-Frame-Options</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10020/">https://www.zaproxy.org/docs/alerts/10020/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10021</key>
<name>X-Content-Type-Options Header Missing</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for
all web pages.</br>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that
can be directed by the web application/web server to not perform MIME-sniffing.</p>
<h3>References:</h3>
<ul>
<li><a href="https://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx">Reducing MIME type security risks</a></li>
<li><a href="https://www.owasp.org/index.php/List_of_useful_HTTP_headers">List of useful HTTP headers</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10021/">https://www.zaproxy.org/docs/alerts/10021/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>wascid-15</tag>
<tag>owasp-a6</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10023</key>
<name>Information Disclosure - Debug Error Messages</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Disable or limit detailed error handling. In particular, do not display debug information to end users, stack traces, or path information.
Ensure that the entire software development team shares a common approach to exception handling.
</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling">List of useful HTTP headers</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10023/">https://www.zaproxy.org/docs/alerts/10023/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10024</key>
<name>Information Disclosure - Sensitive Informations in URL</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>When sensitive information is sent, use of the POST method is recommended (e.g. registration form).
</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/Information_exposure_through_query_strings_in_url">List of useful HTTP headers</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10024/">https://www.zaproxy.org/docs/alerts/10024/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10025</key>
<name>Information Disclosure - Sensitive Information in HTTP Referrer Header</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>When sensitive information is sent, use of the POST method is recommended (e.g. registration form).
</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/Information_exposure_through_query_strings_in_url">List of useful HTTP headers</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10025/">https://www.zaproxy.org/docs/alerts/10025/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10026</key>
<name>HTTP Parameter Override</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>In order to prevent these kinds of vulnerabilities, an extensive and proper input validation should be performed.
There are safe methods to conform to with each web technology/language. Moreover, awareness about the fact that clients/users can provide more than one parameter should be raised.
</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/Testing_for_HTTP_Parameter_pollution_(OTG-INPVAL-004)">Testing for HPP</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10026/">https://www.zaproxy.org/docs/alerts/10026/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10027</key>
<name>Information Disclosure - Suspicious Comments</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Remove comments that suggest the presence of bugs, incomplete functionality, or weaknesses, before deploying the application.
</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/546.html">CWE-546</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10027/">https://www.zaproxy.org/docs/alerts/10027/</a></li>
</ul>]]>
</description>
<severity>INFO</severity>
<status>READY</status>
<tag>cweid-546</tag>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
<tag>owasp-a3</tag>
</rule>
<rule>
<key>10028</key>
<name>Open Redirect</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>To avoid the open redirect vulnerability, parameters of the application script/program must be validated before sending 302 HTTP code (redirect) to the client browser. Implement safe redirect functionality that only redirects to relative URI's, or a list of trusted domains.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10028/">https://www.zaproxy.org/docs/alerts/10028/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-601</tag>
<tag>wascid-38</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10029</key>
<name>Cookie Poisoning</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolon's that can serve as name/value pair delimiters.</p>
<h3>References:</h3>
<ul>
<li><a href="https://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-cookie">https://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-cookie</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10029/">https://www.zaproxy.org/docs/alerts/10029/</a></li>
</ul>]]>
</description>
<severity>INFO</severity>
<status>READY</status>
<tag>cweid-20</tag>
<tag>wascid-20</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10030</key>
<name>User Controllable Charset</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Force UTF-8 in all charset declarations. If user-input is required to decide a charset declaration, ensure that only an allowed list is used.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10030/">https://www.zaproxy.org/docs/alerts/10030/</a></li>
</ul>]]>
</description>
<severity>INFO</severity>
<status>READY</status>
<tag>cweid-20</tag>
<tag>wascid-20</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10031</key>
<name>User Controllable HTML Element Attribute (Potential XSS)</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Validate all input and sanitize output it before writing to any HTML attributes.</p>
<h3>References:</h3>
<ul>
<li><a href="https://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-html-attribute">https://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-html-attribute</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10031/">https://www.zaproxy.org/docs/alerts/10031/</a></li>
</ul>]]>
</description>
<severity>INFO</severity>
<status>READY</status>
<tag>cweid-20</tag>
<tag>wascid-20</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10032</key>
<name>Viewstate Scanner</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Do not store the ViewState within the HTML page (implement a handler). Protect the ViewState contents (configuration).
</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/images/2/22/20110412-aspnet_viewstate_security-alexandre.pdf">ASP Security ViewState flaw</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10032/">https://www.zaproxy.org/docs/alerts/10032/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10033</key>
<name>Directory Browsing</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Configure the web server to disable directory browsing.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/548.html">CWE-548</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10033/">https://www.zaproxy.org/docs/alerts/10033/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-548</tag>
<tag>wascid-16</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10034</key>
<name>Heartbleed OpenSSL Vulnerability (Indicative)</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Update to OpenSSL 1.0.1g or later. Re-issue HTTPS certificates. Change asymmetric private keys and shared secret keys, since these may have been compromised, with no evidence of compromise in the server log files.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-0160">https://cvedetails.com/cve-details.php?t=1&cve_id=CVE-2014-0160</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/119.html">CWE-119</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10034/">https://www.zaproxy.org/docs/alerts/10034/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-119</tag>
<tag>wascid-20</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10036</key>
<name>HTTP Server Response Header</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Disable Server Header Version Information</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10036/">https://www.zaproxy.org/docs/alerts/10036/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-200</tag>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10037</key>
<name>Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that your web server, application server, load balancer, etc. is configured to suppress 'X-Powered-By' headers.</p>
<h3>References:</h3>
<ul>
<li><a href="https://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx">https://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10037/">https://www.zaproxy.org/docs/alerts/10037/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>cweid-200</tag>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10039</key>
<name>X-Backend-Server Header Information Leak</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that your web server, application server, load balancer, etc. is configured to suppress X-Backend-Server headers.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10039/">https://www.zaproxy.org/docs/alerts/10039/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>cweid-200</tag>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10040</key>
<name>Secure Pages Include Mixed Content</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>A page that is available over TLS must be comprised completely of content which is transmitted over TLS.
The page must not contain any content that is transmitted over unencrypted HTTP.
This includes content from unrelated third party sites.</p>
<h3>References:</h3>
<ul>
<li><a href="https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet">Transport Layer Protection Cheat Sheet</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10040/">https://www.zaproxy.org/docs/alerts/10040/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10041</key>
<name>HTTP to HTTPS Insecure Transition in Form Post</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Use HTTPS for landing pages that host secure forms.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10041/">https://www.zaproxy.org/docs/alerts/10041/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-16</tag>
<tag>wascid-15</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10042</key>
<name>HTTPS to HTTP Insecure Transition in Form Post</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure sensitive data is only sent over secured HTTPS channels.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/16.html">CWE-16</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10042/">https://www.zaproxy.org/docs/alerts/10042/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-16</tag>
<tag>wascid-15</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10043</key>
<name>User Controllable JavaScript Event (XSS)</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Validate all input and sanitize output it before writing to any Javascript on* events.</p>
<h3>References:</h3>
<ul>
<li><a href="https://websecuritytool.codeplex.com/wikipage?title=Checks#user-javascript-event">https://websecuritytool.codeplex.com/wikipage?title=Checks#user-javascript-event</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10043/">https://www.zaproxy.org/docs/alerts/10043/</a></li>
</ul>]]>
</description>
<severity>INFO</severity>
<status>READY</status>
<tag>cweid-20</tag>
<tag>wascid-20</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10044</key>
<name>Big Redirect Detected (Potential Sensitive Information Leak)</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that no sensitive information is leaked via redirect responses. Redirect responses should have almost no content.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cwe.mitre.org/data/definitions/201.html">CWE-201</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10044/">https://www.zaproxy.org/docs/alerts/10044/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>cweid-201</tag>
<tag>wascid-13</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10045</key>
<name>Source Code Disclosure - /WEB-INF folder</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Apply appropriate access control authorizations for each access to all restricted URLs, scripts or files.</p>
<h3>References:</h3>
<ul>
<li><a href="https://projects.webappsec.org/Predictable-Resource-Location">https://projects.webappsec.org/Predictable-Resource-Location</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/541.html">CWE-541</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10045/">https://www.zaproxy.org/docs/alerts/10045/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-541</tag>
<tag>wascid-34</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10047</key>
<name>HTTPS Content Available via HTTP</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security.</p>
<h3>References:</h3>
<ul>
<li><a href="https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html</a></li>
<li><a href="https://owasp.org/www-community/Security_Headers">https://owasp.org/www-community/Security_Headers</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/311.html">CWE-311</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10047/">https://www.zaproxy.org/docs/alerts/10047/</a></li>
</ul>]]>
</description>
<severity>MINOR</severity>
<status>READY</status>
<tag>cweid-311</tag>
<tag>wascid-4</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10048</key>
<name>Remote Code Execution - Shell Shock</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Update Bash on the server to the latest version</p>
<h3>References:</h3>
<ul>
<li><a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271</a></li>
<li><a href="https://cwe.mitre.org/data/definitions/78.html">CWE-78</a></li>
<li><a href="https://www.zaproxy.org/docs/alerts/10048/">https://www.zaproxy.org/docs/alerts/10048/</a></li>
</ul>]]>
</description>
<severity>MAJOR</severity>
<status>READY</status>
<tag>cweid-78</tag>
<tag>wascid-31</tag>
<tag>security</tag>
<tag>zaproxy</tag>
</rule>
<rule>
<key>10050</key>
<name>Retrieved from Cache</name>
<description> <!-- Corresponding to "<solution>" and "<reference>" of the ZAP report -->
<![CDATA[<h3>Solution :</h3>
<p>Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user</p>