diff --git a/README.md b/README.md index 9de35c3..9d2d607 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,28 @@ sonar.zaproxy.htmlReportPath=${WORKSPACE}/zaproxy-htmlReport.html sonar.zaproxy.rulesFilePath=${WORKSPACE}/myrules.xml ``` +## Example of automation with a CI toolchain + +```sh +cd example + +docker-compose up -d sonarqube +sleep 120 +# wait 2 minute for sonarqbue to start + +export PLUGIN_VERSION=2.2.0 +wget https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-${PLUGIN_VERSION}/sonar-zap-plugin-${PLUGIN_VERSION}.jar -O ./plugin/sonar-zap-plugin-${PLUGIN_VERSION}.jar + +export APP_URL_UNDER_TEST='your-url-under-test' +docker-compose up owasp-zap +docker-compose up sonar-scanner +``` + + * If you wish to run the zap tool within the CI pipeline: + ** you may refet to the [example](example) + ** You need to have docker and docker-compose installed + ** You may refer to [.gitlab-ci.yml](example/.gitlab-ci.yml) if you wish to run on Gitlab CI + ## History The ZAP SonarQube Plugin is derived from the diff --git a/example/.gitignore b/example/.gitignore new file mode 100644 index 0000000..6c0274e --- /dev/null +++ b/example/.gitignore @@ -0,0 +1,32 @@ +.scannerwork + +### IntelliJ IDEA ### +.idea +*.iws +*.iml +*.ipr + +### VS Code ### +.vscode/ + +### Eclipse ### +.classpath +.factorypath +.project +.settings +.metadata +.springBeans +.sts4-cache +bin/ +tmp/ +*.tmp +*.bak +*.swp +*.launch + +### Vim ### +[._]*.s[a-v][a-z] +[._]*.sw[a-p] +[._]s[a-v][a-z] +[._]sw[a-p] +Session.vim diff --git a/example/.gitlab-ci.yml b/example/.gitlab-ci.yml new file mode 100644 index 0000000..2a47ef0 --- /dev/null +++ b/example/.gitlab-ci.yml 
@@ -0,0 +1,33 @@ +image: openjdk:13-slim + +stages: + - pentest + +# please make sure to install the zap-sonar-plugin on sonarqube + +owasp-zap: + image: docker:19.03.12 + stage: pentest + services: + - name: docker:19.03.12-dind + command: ["--insecure-registry=registry.gitlab.com"] + variables: + DOCKER_DRIVER: overlay2 + APP_URL_UNDER_TEST: https://oneprofile.io/auth + PLUGIN_VERSION: 2.2.0 + before_script: + - apk add --no-cache make git wget + - apk add --no-cache docker-compose + - docker info + script: + - wget https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-${PLUGIN_VERSION}/sonar-zap-plugin-${PLUGIN_VERSION}.jar -O ./plugin/sonar-zap-plugin-${PLUGIN_VERSION}.jar + - docker-compose up -d sonarqube + - sleep 75 + - docker-compose up owasp-zap + - docker-compose up sonar-scanner + only: + - master + - develop + +after_script: + - echo "End CI" \ No newline at end of file diff --git a/example/Makefile b/example/Makefile new file mode 100644 index 0000000..4790a75 --- /dev/null +++ b/example/Makefile 
@@ -0,0 +1,34 @@ +#!make + +# Makefile for Demo Auth Serve +SHELL := /bin/sh + +export APP_URL_UNDER_TEST ?= 'https://oneprofile.io/auth' +export PLUGIN_VERSION ?= 2.2.0 + +$(info URL of the application under test = $(APP_URL_UNDER_TEST)) + +#build: +# @docker-compose build sonarqube-build + +sonarqube: + @wget https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-${PLUGIN_VERSION}/sonar-zap-plugin-${PLUGIN_VERSION}.jar -O ./plugin/sonar-zap-plugin-${PLUGIN_VERSION}.jar + @docker-compose up -d sonarqube + +zap: + @docker-compose up owasp-zap + +sonar-scan: + @docker-compose up sonar-scanner + +zap-scan: zap sonar-scan + +run: + @wget https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-${PLUGIN_VERSION}/sonar-zap-plugin-${PLUGIN_VERSION}.jar -O ./plugin/sonar-zap-plugin-${PLUGIN_VERSION}.jar + @docker-compose up -d sonarqube + @sleep 75 + @docker-compose up owasp-zap + @docker-compose up sonar-scanner + +down: + @docker-compose down diff --git a/example/README.md b/example/README.md new file mode 100644 index 0000000..ddc0c14 --- /dev/null +++ b/example/README.md 
@@ -0,0 +1,58 @@ +# zap-sonar-plugin-example + +## Prerequisites + +* [Git](https://git-scm.com/downloads) +* [Make](https://www.gnu.org/software/make/) +* [Docker](https://docs.docker.com/install/) and [docker-compose](https://docs.docker.com/compose/install/) + +## Scan the vulnerabilitis with owasp-zap tool + +```sh +export PLUGIN_VERSION=2.2.0 +export APP_URL_UNDER_TEST='your-url-under-test' +make run +``` + +or + +```sh +docker-compose up -d sonarqube +sleep 120 +# wait 2 minute for sonarqbue to start + +export PLUGIN_VERSION=2.2.0 +wget https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-${PLUGIN_VERSION}/sonar-zap-plugin-${PLUGIN_VERSION}.jar -O ./plugin/sonar-zap-plugin-${PLUGIN_VERSION}.jar + +export APP_URL_UNDER_TEST='your-url-under-test' +docker-compose up owasp-zap +docker-compose up sonar-scanner +``` + +Then go to [sonarqube](http://localhost:9000) + +Please have a look on `.gitlab-ci.yml` if you wish to run the scan wihtin the Gitlab CI pipeline. + +## Vulnerabilities Scan + +The Open Web Application Security Project (OWASP) team recommends many [tools](https://www.owasp.org/index.php/Appendix_A:_Testing_Tools) to address security matters, allowing to scan the vulnerabilities of Web Applications.One of the most popular is OWASP `Zed Attack Proxy` (**ZAP**). + +## OWASP Zap Tool + +The Open Web Application Security Project (OWASP) provides a security tool, called `Zed Attack Proxy` (**ZAP**) to scan the vulnerabilities. + +![Alt Text](assets/owasp-zap-2.8.0.png) + +You may download the standalone application [here](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) or use it with CLI.Using the CLI is interesting as in the software industry, we may want to automate to this inside the Continuous Integration (**CI**) toolchain. + +OWASP ZAP is one of the most popular security tools and is actively maintained. It comes with a UI and it allows to launch an automated scan against a URL of a web application. 
It then generate a report. + +![Alt Text](assets/zaproxy-report.html) + +The generated report is then published to Sonarqube by this hereby plugin. As a result, all metrics related to a software are gathered at one place. + +## Quality Metrics + +Once this is done, we can see the [vulnerabilities](http://127.0.0.1:9000) metrics on SonarQube. + +![Alt Text](assets/sonarqube-vulnerabilities.png) \ No newline at end of file diff --git a/example/assets/owasp-zap-2.8.0.png b/example/assets/owasp-zap-2.8.0.png new file mode 100644 index 0000000..736cbde Binary files /dev/null and b/example/assets/owasp-zap-2.8.0.png differ diff --git a/example/assets/sonarqube-vulnerabilities.png b/example/assets/sonarqube-vulnerabilities.png new file mode 100644 index 0000000..250aca5 Binary files /dev/null and b/example/assets/sonarqube-vulnerabilities.png differ diff --git a/example/assets/zaproxy-report.html b/example/assets/zaproxy-report.html new file mode 100644 index 0000000..1ab7169 --- /dev/null +++ b/example/assets/zaproxy-report.html @@ -0,0 +1,703 @@ + + + + ZAP Scanning Report + + + +

+ +ZAP Scanning Report + +

+

+

+

Summary of Alerts

+

Generated on Thu, 29 Apr 2021 14:01:13

+ + + + + + + + + + + + + + + + +
Risk + LevelNumber + of Alerts
High0
Medium2
Low4
Informational1
+
+

Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + +
NameRisk LevelNumber of Instances
Content Security Policy (CSP) Header Not SetMedium3
CSP: Wildcard DirectiveMedium1
Application Error DisclosureLow3
Information Disclosure - Debug Error MessagesLow3
Server Leaks Version Information via "Server" HTTP Response Header FieldLow4
Strict-Transport-Security Header Not SetLow3
Information Disclosure - Suspicious CommentsInformational1
+
+

Alert Detail

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Medium (High)Content Security Policy (CSP) Header Not Set
Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

URLhttps://oneprofile.io/sitemap.xml
MethodGET
URLhttps://oneprofile.io/
MethodGET
URLhttps://oneprofile.io/robots.txt
MethodGET
Instances3
Solution

Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.

Reference

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy

https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

http://www.w3.org/TR/CSP/

http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html

http://www.html5rocks.com/en/tutorials/security/content-security-policy/

http://caniuse.com/#feat=contentsecuritypolicy

http://content-security-policy.com/

CWE Id16
WASC Id15
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Medium (Medium)CSP: Wildcard Directive
Description

The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:

script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, connect-src, font-src, media-src, manifest-src, worker-src, prefetch-src, form-action

The directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.

URLhttps://oneprofile.io/auth/
MethodGET
ParameterContent-Security-Policy
Evidenceframe-src 'self'; frame-ancestors 'self'; object-src 'none';
Instances1
Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Reference

http://www.w3.org/TR/CSP2/

http://www.w3.org/TR/CSP/

http://caniuse.com/#search=content+security+policy

http://content-security-policy.com/

https://github.com/shapesecurity/salvation

https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

CWE Id16
WASC Id15
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (Medium)Application Error Disclosure
Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URLhttps://oneprofile.io/
MethodGET
EvidenceHTTP/1.1 500 Internal Server Error
URLhttps://oneprofile.io/sitemap.xml
MethodGET
EvidenceHTTP/1.1 500 Internal Server Error
URLhttps://oneprofile.io/robots.txt
MethodGET
EvidenceHTTP/1.1 500 Internal Server Error
Instances3
Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id200
WASC Id13
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (Medium)Information Disclosure - Debug Error Messages
Description

The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.

URLhttps://oneprofile.io/robots.txt
MethodGET
EvidenceInternal Server Error
URLhttps://oneprofile.io/sitemap.xml
MethodGET
EvidenceInternal Server Error
URLhttps://oneprofile.io/
MethodGET
EvidenceInternal Server Error
Instances3
Solution

Disable debugging messages before pushing to production.

Reference

CWE Id200
WASC Id13
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (High)Server Leaks Version Information via "Server" HTTP Response Header Field
Description

The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

URLhttps://oneprofile.io/sitemap.xml
MethodGET
Evidencenginx/1.19.3
URLhttps://oneprofile.io/
MethodGET
Evidencenginx/1.19.3
URLhttps://oneprofile.io/auth
MethodGET
Evidencenginx/1.19.3
URLhttps://oneprofile.io/robots.txt
MethodGET
Evidencenginx/1.19.3
Instances4
Solution

Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.

Reference

http://httpd.apache.org/docs/current/mod/core.html#servertokens

http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007

http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx

http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html

CWE Id200
WASC Id13
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (High)Strict-Transport-Security Header Not Set
Description

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

URLhttps://oneprofile.io/sitemap.xml
MethodGET
URLhttps://oneprofile.io/
MethodGET
URLhttps://oneprofile.io/robots.txt
MethodGET
Instances3
Solution

Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.

Reference

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

https://owasp.org/www-community/Security_Headers

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

http://caniuse.com/stricttransportsecurity

http://tools.ietf.org/html/rfc6797

CWE Id16
WASC Id15
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Informational (Medium)Information Disclosure - Suspicious Comments
Description

The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.

URLhttps://oneprofile.io/auth/
MethodGET
Evidencelater
Instances1
Solution

Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.

Other information

The following pattern was used: \bLATER\b and was detected in the element starting with: "<!--

~ JBoss, Home of Professional Open Source.

~ Copyright (c) 2011, Red Hat, Inc., and individual contributors

~ as indi", see evidence field for the suspicious comment/snippet.

Reference

CWE Id200
WASC Id13
Source ID3
+ + diff --git a/example/docker-compose.yml b/example/docker-compose.yml new file mode 100644 index 0000000..b23f6a1 --- /dev/null +++ b/example/docker-compose.yml @@ -0,0 +1,50 @@ +version: "3.6" + +services: + + sonarqube: + image: sonarqube:8.2-community + container_name: sonarqube + hostname: sonarqube + networks: + vulns-subnet: + ipv4_address: 192.168.10.11 + volumes: + - ./plugin/sonar-zap-plugin-${PLUGIN_VERSION}.jar:/opt/sonarqube/extensions/plugins/sonar-zap-plugin-${PLUGIN_VERSION}.jar + ports: + - 9000:9000 + - 9092:9092 + + owasp-zap: + image: owasp/zap2docker-stable + networks: + vulns-subnet: + ipv4_address: 192.168.10.15 + extra_hosts: + - "javavulnlab:192.168.10.13" + volumes: + - ./reports:/zap/wrk/:rw + command: zap-baseline.py -t ${APP_URL_UNDER_TEST} -r zaproxy-report.html -x zaproxy-report.xml -g zapproxy-rules.xml + + sonar-scanner: + image: sonarsource/sonar-scanner-cli + networks: + vulns-subnet: + ipv4_address: 192.168.10.14 + extra_hosts: + - "sonarqube:192.168.10.11" + volumes: + - ./reports:/app/reports + - ./sonar-project.properties:/opt/sonar-scanner/conf/sonar-scanner.properties + environment: + - SONAR_HOST_URL=http://sonarqube:9000 + command: sonar-scanner -Dproject.settings=/opt/sonar-scanner/conf/sonar-scanner.properties + +networks: + vulns-subnet: + name: vulns_subnet + driver: bridge + ipam: + driver: default + config: + - subnet: 192.168.10.0/24 diff --git a/example/reports/zapproxy-rules.xml b/example/reports/zapproxy-rules.xml new file mode 100644 index 0000000..fbed2ab --- /dev/null +++ b/example/reports/zapproxy-rules.xml 
@@ -0,0 +1,57 @@ +# zap-baseline rule configuration file +# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches +# Only the rule identifiers are used - the names are just for info +# You can add your own messages to each rule by appending them after a tab on each line. +10003 WARN (Vulnerable JS Library) +10010 WARN (Cookie No HttpOnly Flag) +10011 WARN (Cookie Without Secure Flag) +10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set) +10017 WARN (Cross-Domain JavaScript Source File Inclusion) +10019 WARN (Content-Type Header Missing) +10020 WARN (X-Frame-Options Header) +10021 WARN (X-Content-Type-Options Header Missing) +10023 WARN (Information Disclosure - Debug Error Messages) +10024 WARN (Information Disclosure - Sensitive Information in URL) +10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header) +10026 WARN (HTTP Parameter Override) +10027 WARN (Information Disclosure - Suspicious Comments) +10028 WARN (Open Redirect) +10029 WARN (Cookie Poisoning) +10030 WARN (User Controllable Charset) +10031 WARN (User Controllable HTML Element Attribute (Potential XSS)) +10032 WARN (Viewstate) +10033 WARN (Directory Browsing) +10034 WARN (Heartbleed OpenSSL Vulnerability (Indicative)) +10035 WARN (Strict-Transport-Security Header) +10036 WARN (HTTP Server Response Header) +10037 WARN (Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)) +10038 WARN (Content Security Policy (CSP) Header Not Set) +10039 WARN (X-Backend-Server Header Information Leak) +10040 WARN (Secure Pages Include Mixed Content) +10041 WARN (HTTP to HTTPS Insecure Transition in Form Post) +10042 WARN (HTTPS to HTTP Insecure Transition in Form Post) +10043 WARN (User Controllable JavaScript Event (XSS)) +10044 WARN (Big Redirect Detected (Potential Sensitive Information Leak)) +10050 WARN (Retrieved from Cache) +10052 WARN (X-ChromeLogger-Data (XCOLD) Header Information Leak) +10054 WARN (Cookie Without SameSite 
Attribute) +10055 WARN (CSP) +10056 WARN (X-Debug-Token Information Leak) +10057 WARN (Username Hash Found) +10061 WARN (X-AspNet-Version Response Header) +10062 WARN (PII Disclosure) +10096 WARN (Timestamp Disclosure) +10097 WARN (Hash Disclosure) +10098 WARN (Cross-Domain Misconfiguration) +10105 WARN (Weak Authentication Method) +10108 WARN (Reverse Tabnabbing) +10109 WARN (Modern Web Application) +10202 WARN (Absence of Anti-CSRF Tokens) +2 WARN (Private IP Disclosure) +3 WARN (Session ID in URL Rewrite) +50001 WARN (Script Passive Scan Rules) +90001 WARN (Insecure JSF ViewState) +90011 WARN (Charset Mismatch) +90022 WARN (Application Error Disclosure) +90030 WARN (WSDL File Detection) +90033 WARN (Loosely Scoped Cookie) diff --git a/example/reports/zaproxy-report.html b/example/reports/zaproxy-report.html new file mode 100644 index 0000000..f92e78e --- /dev/null +++ b/example/reports/zaproxy-report.html @@ -0,0 +1,703 @@ + + + + ZAP Scanning Report + + + +

+ +ZAP Scanning Report + +

+

+

+

Summary of Alerts

+

Generated on Tue, 18 May 2021 15:41:46

+ + + + + + + + + + + + + + + + +
Risk + LevelNumber + of Alerts
High0
Medium2
Low4
Informational1
+
+

Alerts

+ + + + + + + + + + + + + + + + + + + + + + + + + +
NameRisk LevelNumber of Instances
Content Security Policy (CSP) Header Not SetMedium3
CSP: Wildcard DirectiveMedium1
Application Error DisclosureLow3
Information Disclosure - Debug Error MessagesLow3
Server Leaks Version Information via "Server" HTTP Response Header FieldLow4
Strict-Transport-Security Header Not SetLow3
Information Disclosure - Suspicious CommentsInformational1
+
+

Alert Detail

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Medium (High)Content Security Policy (CSP) Header Not Set
Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

URLhttps://oneprofile.io/sitemap.xml
MethodGET
URLhttps://oneprofile.io/
MethodGET
URLhttps://oneprofile.io/robots.txt
MethodGET
Instances3
Solution

Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.

Reference

https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy

https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

http://www.w3.org/TR/CSP/

http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html

http://www.html5rocks.com/en/tutorials/security/content-security-policy/

http://caniuse.com/#feat=contentsecuritypolicy

http://content-security-policy.com/

CWE Id16
WASC Id15
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Medium (Medium)CSP: Wildcard Directive
Description

The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:

script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, connect-src, font-src, media-src, manifest-src, worker-src, prefetch-src, form-action

The directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.

URLhttps://oneprofile.io/auth/
MethodGET
ParameterContent-Security-Policy
Evidenceframe-src 'self'; frame-ancestors 'self'; object-src 'none';
Instances1
Solution

Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

Reference

http://www.w3.org/TR/CSP2/

http://www.w3.org/TR/CSP/

http://caniuse.com/#search=content+security+policy

http://content-security-policy.com/

https://github.com/shapesecurity/salvation

https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources

CWE Id16
WASC Id15
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (Medium)Application Error Disclosure
Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URLhttps://oneprofile.io/
MethodGET
EvidenceHTTP/1.1 500 Internal Server Error
URLhttps://oneprofile.io/sitemap.xml
MethodGET
EvidenceHTTP/1.1 500 Internal Server Error
URLhttps://oneprofile.io/robots.txt
MethodGET
EvidenceHTTP/1.1 500 Internal Server Error
Instances3
Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id200
WASC Id13
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (Medium)Information Disclosure - Debug Error Messages
Description

The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.

URLhttps://oneprofile.io/robots.txt
MethodGET
EvidenceInternal Server Error
URLhttps://oneprofile.io/sitemap.xml
MethodGET
EvidenceInternal Server Error
URLhttps://oneprofile.io/
MethodGET
EvidenceInternal Server Error
Instances3
Solution

Disable debugging messages before pushing to production.

Reference

CWE Id200
WASC Id13
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (High)Server Leaks Version Information via "Server" HTTP Response Header Field
Description

The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.

URLhttps://oneprofile.io/sitemap.xml
MethodGET
Evidencenginx/1.19.3
URLhttps://oneprofile.io/
MethodGET
Evidencenginx/1.19.3
URLhttps://oneprofile.io/auth
MethodGET
Evidencenginx/1.19.3
URLhttps://oneprofile.io/robots.txt
MethodGET
Evidencenginx/1.19.3
Instances4
Solution

Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.

Reference

http://httpd.apache.org/docs/current/mod/core.html#servertokens

http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007

http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx

http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html

CWE Id200
WASC Id13
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (High)Strict-Transport-Security Header Not Set
Description

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

URLhttps://oneprofile.io/sitemap.xml
MethodGET
URLhttps://oneprofile.io/
MethodGET
URLhttps://oneprofile.io/robots.txt
MethodGET
Instances3
Solution

Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.

Reference

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

https://owasp.org/www-community/Security_Headers

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

http://caniuse.com/stricttransportsecurity

http://tools.ietf.org/html/rfc6797

CWE Id16
WASC Id15
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Informational (Medium)Information Disclosure - Suspicious Comments
Description

The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.

URLhttps://oneprofile.io/auth/
MethodGET
Evidencelater
Instances1
Solution

Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.

Other information

The following pattern was used: \bLATER\b and was detected in the element starting with: "<!--

~ JBoss, Home of Professional Open Source.

~ Copyright (c) 2011, Red Hat, Inc., and individual contributors

~ as indi", see evidence field for the suspicious comment/snippet.

Reference

CWE Id200
WASC Id13
Source ID3
+ + diff --git a/example/reports/zaproxy-report.xml b/example/reports/zaproxy-report.xml new file mode 100644 index 0000000..e0db8c7 --- /dev/null +++ b/example/reports/zaproxy-report.xml 
@@ -0,0 +1,214 @@ + + + 10038 + 10038 + Content Security Policy (CSP) Header Not Set + Content Security Policy (CSP) Header Not Set + 2 + 3 + Medium (High) + <p>Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.</p> + + + https://oneprofile.io/sitemap.xml + GET + + + https://oneprofile.io/ + GET + + + https://oneprofile.io/robots.txt + GET + + + 3 + <p>Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: "Content-Security-Policy" for Chrome 25+, Firefox 23+ and Safari 7+, "X-Content-Security-Policy" for Firefox 4.0+ and Internet Explorer 10+, and "X-WebKit-CSP" for Chrome 14+ and Safari 6+.</p> + <p>https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy</p><p>https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html</p><p>http://www.w3.org/TR/CSP/</p><p>http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html</p><p>http://www.html5rocks.com/en/tutorials/security/content-security-policy/</p><p>http://caniuse.com/#feat=contentsecuritypolicy</p><p>http://content-security-policy.com/</p> + 16 + 15 + 3 + + + 10023 + 10023 + Information Disclosure - Debug Error Messages + Information Disclosure - Debug Error Messages + 1 + 2 + Low (Medium) + <p>The response appeared to contain common error messages returned by platforms such as ASP.NET, 
and Web-servers such as IIS and Apache. You can configure the list of common debug messages.</p> + + + https://oneprofile.io/robots.txt + GET + Internal Server Error + + + https://oneprofile.io/sitemap.xml + GET + Internal Server Error + + + https://oneprofile.io/ + GET + Internal Server Error + + + 3 + <p>Disable debugging messages before pushing to production.</p> + <p></p> + 200 + 13 + 3 + + + 10027 + 10027 + Information Disclosure - Suspicious Comments + Information Disclosure - Suspicious Comments + 0 + 2 + Informational (Medium) + <p>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.</p> + + + https://oneprofile.io/auth/ + GET + later + + + 1 + <p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.</p> + <p>The following pattern was used: \bLATER\b and was detected in the element starting with: "<!--</p><p> ~ JBoss, Home of Professional Open Source.</p><p> ~ Copyright (c) 2011, Red Hat, Inc., and individual contributors</p><p> ~ as indi", see evidence field for the suspicious comment/snippet.</p> + <p></p> + 200 + 13 + 3 + + + 90022 + 90022 + Application Error Disclosure + Application Error Disclosure + 1 + 2 + Low (Medium) + <p>This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.</p> + + + https://oneprofile.io/ + GET + HTTP/1.1 500 Internal Server Error + + + https://oneprofile.io/sitemap.xml + GET + HTTP/1.1 500 Internal Server Error + + + https://oneprofile.io/robots.txt + GET + HTTP/1.1 500 Internal Server Error + + + 3 + <p>Review the source code of this page. Implement custom error pages. 
Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.</p> + <p></p> + 200 + 13 + 3 + + + 10036 + 10036 + Server Leaks Version Information via "Server" HTTP Response Header Field + Server Leaks Version Information via "Server" HTTP Response Header Field + 1 + 3 + Low (High) + <p>The web/application server is leaking version information via the "Server" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.</p> + + + https://oneprofile.io/sitemap.xml + GET + nginx/1.19.3 + + + https://oneprofile.io/ + GET + nginx/1.19.3 + + + https://oneprofile.io/auth + GET + nginx/1.19.3 + + + https://oneprofile.io/robots.txt + GET + nginx/1.19.3 + + + 4 + <p>Ensure that your web server, application server, load balancer, etc. is configured to suppress the "Server" header or provide generic details.</p> + <p>http://httpd.apache.org/docs/current/mod/core.html#servertokens</p><p>http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007</p><p>http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx</p><p>http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html</p> + 200 + 13 + 3 + + + 10035 + 10035 + Strict-Transport-Security Header Not Set + Strict-Transport-Security Header Not Set + 1 + 3 + Low (High) + <p>HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). 
HSTS is an IETF standards track protocol and is specified in RFC 6797.</p> + + + https://oneprofile.io/sitemap.xml + GET + + + https://oneprofile.io/ + GET + + + https://oneprofile.io/robots.txt + GET + + + 3 + <p>Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.</p> + <p>https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html</p><p>https://owasp.org/www-community/Security_Headers</p><p>http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security</p><p>http://caniuse.com/stricttransportsecurity</p><p>http://tools.ietf.org/html/rfc6797</p> + 16 + 15 + 3 + + + 10055 + 10055 + CSP: Wildcard Directive + CSP: Wildcard Directive + 2 + 2 + Medium (Medium) + <p>The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined: </p><p>script-src, script-src-elem, script-src-attr, style-src, style-src-elem, style-src-attr, img-src, connect-src, font-src, media-src, manifest-src, worker-src, prefetch-src, form-action</p><p></p><p>The directive(s): form-action are among the directives that do not fallback to default-src, missing/excluding them is the same as allowing anything.</p> + + + https://oneprofile.io/auth/ + GET + Content-Security-Policy + frame-src 'self'; frame-ancestors 'self'; object-src 'none'; + + + 1 + <p>Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.</p> + <p>http://www.w3.org/TR/CSP2/</p><p>http://www.w3.org/TR/CSP/</p><p>http://caniuse.com/#search=content+security+policy</p><p>http://content-security-policy.com/</p><p>https://github.com/shapesecurity/salvation</p><p>https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources</p> + 16 + 15 + 3 + + \ No newline at end of file 
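Review bot: this report hunk commits a live scan result against what appears to be a real third-party host (https://oneprofile.io/, https://oneprofile.io/auth/) and publishes its findings in the repository: the exact nginx version in the "Server" header (nginx/1.19.3), the missing Strict-Transport-Security header, the incomplete Content-Security-Policy (only `frame-src 'self'; frame-ancestors 'self'; object-src 'none';`) and the HTTP 500 error disclosure on `/`, `/robots.txt` and `/sitemap.xml`. For an example fixture, regenerate the report against a local deliberately vulnerable target or replace the hostnames and evidence fields with placeholders, and treat the file as a generated artifact rather than a checked-in sample. Minor: the file has no trailing newline ("\ No newline at end of file").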
diff --git a/example/sonar-project.properties b/example/sonar-project.properties new file mode 100644 index 0000000..7483347 --- /dev/null +++ b/example/sonar-project.properties @@ -0,0 +1,19 @@ +sonar.projectKey=vulns-app +sonar.projectName=vulnerable-app +sonar.projectVersion=1.0.0-SNAPSHOT +sonar.projectBaseDir=/app +#sonar.scm.provider=git + +#sonar.sources=src/main/java +#sonar.sourceEncoding=UTF-8 + +#sonar.binaries=target/classes +#sonar.java.binaries=target/classes +#sonar.tests=src/test/java + +#Java report only +#sonar.language=java + +sonar.zaproxy.reportPath=reports/zaproxy-report.xml +sonar.zaproxy.htmlReportPath=reports/zaproxy-report.html +sonar.zaproxy.rulesFilePath=reports/zaproxy-rules.xml \ No newline at end of file
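Review bot: `sonar.projectBaseDir=/app` is an absolute path that only resolves inside a scanner container where the example directory is mounted at /app, so the relative `sonar.zaproxy.reportPath=reports/zaproxy-report.xml`, `sonar.zaproxy.htmlReportPath` and `sonar.zaproxy.rulesFilePath` entries will not be found when someone runs sonar-scanner from the `example` directory on their own machine; add a comment stating that assumption or drop the property so the scanner defaults to the current directory. The block of commented-out Java settings (`#sonar.sources`, `#sonar.binaries`, `#sonar.java.binaries`, `#sonar.tests`, `#sonar.language=java`) is dead configuration in an example that only imports a ZAP report; either remove it or add a comment explaining that these are placeholders for analysing application sources alongside the ZAP findings. Minor: the file has no trailing newline.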