diff --git a/README.md b/README.md index ab50f2f3..06299a91 100644 --- a/README.md +++ b/README.md @@ -272,7 +272,7 @@ To run bench test against populated volume data (2 endpoints) npm run bench:volume ``` -For convenience, you can load the volume db and run the bench tests with the single command. +For convenience, you can load the volume db and run the bench tests with the single command. ``` npm run bench:load-volume @@ -306,6 +306,24 @@ The injection tests can be configured in the [sqlmap config][]. A few output con See the [sqlmap][] repository for more details. +Also, Udaru, has some additional security related (penetration) testing available through npm commands based on [OWASP Zed Attack Proxy](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project). +End results of the scans are stored as HTML reports in the Udaru documentation and should be reviewed manually post execution. + +**Note:** before running this, make sure you have a Docker installed and the weekly Zed Attack proxy might take quite a bit to download (1,5GB + in size). Also note that the API scan is very thorough, extensive and takes quite some time to complete (45+ mins). + +To run the baseline scan: +``` +npm run test:security:pentest:baseline +``` + +To run the API attack scan: +``` +npm run test:security:pentest:api +``` +To run both: +``` +npm run test:security:pentest +``` ## License [license]: ./LICENSE.md diff --git a/docs/_sidebar.md b/docs/_sidebar.md index f5be119b..1d0c86cc 100644 --- a/docs/_sidebar.md +++ b/docs/_sidebar.md @@ -6,3 +6,7 @@ - API - [Example Usage](example.md) - [Swagger Documentation](swagger/index.html ":ignore") + +- Security + - [Pentration test scans](udaru/pentests/) + - [SQL Injection](sqlinjection.md) diff --git a/docs/contributing.md b/docs/contributing.md index 56b1528b..fe6f8c76 100644 --- a/docs/contributing.md +++ b/docs/contributing.md 
@@ -50,3 +50,5 @@ We are currently supporting node 6 and 8. # Security testing of Udaru Udaru has been extensively tested for SQL injections, please see [sqlinjection.md](./sqlinjection.md) for more information. + +Aside from that, Udaru is occasionally tested with OWASP ZAProxy for any known security vulnerabilities. For a list, please see [pentests](./pentests) for more information. diff --git a/docs/udaru/pentests/udaru-api-scan-2018-05-21T12:33:30.044Z.html b/docs/udaru/pentests/udaru-api-scan-2018-05-21T12:33:30.044Z.html new file mode 100644 index 00000000..30c214b2 --- /dev/null +++ b/docs/udaru/pentests/udaru-api-scan-2018-05-21T12:33:30.044Z.html @@ -0,0 +1,1025 @@ + + + +ZAP Scanning Report + + + +

+ +ZAP Scanning Report +

+

+ +

+

Summary of Alerts

+ + + + + + + + + + + + + + + + +
Risk + LevelNumber + of Alerts
High1
Medium1
Low1
Informational1
+
+

Alert Detail

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
High (Medium)Source Code Disclosure - SVN
Description

The source code for the current page was disclosed by the web server

URLhttp://docker.for.mac.localhost:8080/authorization/access/userId/action
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/access/userId/.svn/text-base/action.svn-base
URLhttp://docker.for.mac.localhost:8080/authorization/access/userId/action/{resource*}
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/access/userId/action/.svn/text-base/{resource*}.svn-base
URLhttp://docker.for.mac.localhost:8080/authorization/list/userId/{resource*}
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/list/userId/.svn/text-base/{resource*}.svn-base
Instances3
Solution

Ensure that SVN metadata files are not deployed to the web server or application server

Other information

The source code for [action] was found at [http://docker.for.mac.localhost:8080/authorization/access/userId/.svn/text-base/action.svn-base]

Reference

http://projects.webappsec.org/Predictable-Resource-Location

http://cwe.mitre.org/data/definitions/425.html

CWE Id541
WASC Id34
Source ID1
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Medium (Medium)Backup File Disclosure
Description

A backup of the file was disclosed by the web server

URLhttp://docker.for.mac.localhost:8080/authorization/policies/search.zip
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/policies/search.zip
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/policies/search?query=query] is available at [http://docker.for.mac.localhost:8080/authorization/policies/search.zip]
URLhttp://docker.for.mac.localhost:8080/authorization/teams/teamId.zip
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/teams/teamId.zip
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/teams/teamId] is available at [http://docker.for.mac.localhost:8080/authorization/teams/teamId.zip]
URLhttp://docker.for.mac.localhost:8080/authorization/users/Copy (3) of id
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/users/Copy (3) of id
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/users/id] is available at [http://docker.for.mac.localhost:8080/authorization/users/Copy (3) of id]
URLhttp://docker.for.mac.localhost:8080/authorization/users/id - Copy (3)
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/users/id - Copy (3)
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/users/id] is available at [http://docker.for.mac.localhost:8080/authorization/users/id - Copy (3)]
URLhttp://docker.for.mac.localhost:8080/authorization/teams/teamId.backup
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/teams/teamId.backup
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/teams/teamId] is available at [http://docker.for.mac.localhost:8080/authorization/teams/teamId.backup]
URLhttp://docker.for.mac.localhost:8080/authorization/teams/id.bak
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/teams/id.bak
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/teams/id] is available at [http://docker.for.mac.localhost:8080/authorization/teams/id.bak]
URLhttp://docker.for.mac.localhost:8080/authorization/teams/id - Copy/nested
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/teams/id - Copy/nested
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/teams/id/nested?page=10&limit=10] is available at [http://docker.for.mac.localhost:8080/authorization/teams/id - Copy/nested]
URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies/search.log
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/shared-policies/search.log
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/shared-policies/search?query=query] is available at [http://docker.for.mac.localhost:8080/authorization/shared-policies/search.log]
URLhttp://docker.for.mac.localhost:8080/authorization/users/userId.bak
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/users/userId.bak
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/users/userId] is available at [http://docker.for.mac.localhost:8080/authorization/users/userId.bak]
URLhttp://docker.for.mac.localhost:8080/authorization/users/search.bak
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/users/search.bak
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/users/search?query=query] is available at [http://docker.for.mac.localhost:8080/authorization/users/search.bak]
URLhttp://docker.for.mac.localhost:8080/authorization/users/id - Copy (2)
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/users/id - Copy (2)
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/users/id] is available at [http://docker.for.mac.localhost:8080/authorization/users/id - Copy (2)]
URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies/search.backup
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/shared-policies/search.backup
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/shared-policies/search?query=query] is available at [http://docker.for.mac.localhost:8080/authorization/shared-policies/search.backup]
URLhttp://docker.for.mac.localhost:8080/authorization/policies/id.bak
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/policies/id.bak
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/policies/id?sig=sig] is available at [http://docker.for.mac.localhost:8080/authorization/policies/id.bak]
URLhttp://docker.for.mac.localhost:8080/authorization/users/search.log
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/users/search.log
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/users/search?query=query] is available at [http://docker.for.mac.localhost:8080/authorization/users/search.log]
URLhttp://docker.for.mac.localhost:8080/authorization/policies/id.tar
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/policies/id.tar
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/policies/id?sig=sig] is available at [http://docker.for.mac.localhost:8080/authorization/policies/id.tar]
URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies/search~
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/shared-policies/search~
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/shared-policies/search?query=query] is available at [http://docker.for.mac.localhost:8080/authorization/shared-policies/search~]
URLhttp://docker.for.mac.localhost:8080/authorization/list/userId - Copy/{resource*}
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/list/userId - Copy/{resource*}
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/list/userId/%7Bresource*%7D] is available at [http://docker.for.mac.localhost:8080/authorization/list/userId - Copy/{resource*}]
URLhttp://docker.for.mac.localhost:8080/authorization/teams/Copy of id/users
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/teams/Copy of id/users
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/teams/id/users?page=10&limit=10] is available at [http://docker.for.mac.localhost:8080/authorization/teams/Copy of id/users]
URLhttp://docker.for.mac.localhost:8080/authorization/users/id.bac
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/users/id.bac
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/users/id] is available at [http://docker.for.mac.localhost:8080/authorization/users/id.bac]
URLhttp://docker.for.mac.localhost:8080/authorization/users/id.old
MethodGET
Attackhttp://docker.for.mac.localhost:8080/authorization/users/id.old
EvidenceA backup of [http://docker.for.mac.localhost:8080/authorization/users/id] is available at [http://docker.for.mac.localhost:8080/authorization/users/id.old]
Instances251
Solution

Do not edit files in-situ on the web server, and ensure that un-necessary files (including hidden files) are removed from the web server.

Other information

http://docker.for.mac.localhost:8080/authorization/policies/search?query=query

Reference

http://projects.webappsec.org/Predictable-Resource-Location

http://cwe.mitre.org/data/definitions/425.html

CWE Id425
WASC Id34
Source ID1
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Low (Medium)X-Content-Type-Options Header Missing
Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies?page=10&limit=10
MethodGET
ParameterX-Content-Type-Options
URLhttp://docker.for.mac.localhost:8080/authorization/organizations?page=10&limit=10
MethodGET
ParameterX-Content-Type-Options
URLhttp://docker.for.mac.localhost:8080/swagger.json
MethodGET
ParameterX-Content-Type-Options
Instances3
Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id16
WASC Id15
Source ID3
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Informational (High)A Client Error response code was returned by the server
Description

A response code of 400 was returned by the server.

This may indicate that the application is failing to handle unexpected input correctly.

Raised by the 'Alert on HTTP Response Code Error' script

URLhttp://docker.for.mac.localhost:8080/authorization/users?query=%29
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/organizations/id?query=query%27
MethodDELETE
EvidenceHTTP/1.1 404
URLhttp://docker.for.mac.localhost:8080/authorization/policies/id?query=query%27+AND+%271%27%3D%272%27+--+
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/teams?page=10%3B&limit=10
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/users?query=query%22%26cat+%2Fetc%2Fpasswd%26%22
MethodPOST
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies?page=10&limit=Set-cookie%3A+Tamper%3Ded05869b-0813-4e18-ba6c-6752e6f64445
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/users/id/policies?page=10&limit=%22%27
MethodGET
EvidenceHTTP/1.1 401
URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies?sig=http%3A%2F%2Fwww.google.com%3A80%2F
MethodPOST
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/teams/id/nested?page=10%27%29+UNION+ALL+select+NULL+--+&limit=10
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization?query=query%3Bget-help+%23
MethodGET
EvidenceHTTP/1.1 404
URLhttp://docker.for.mac.localhost:8080/authorization/teams/id/policies?query=%2Fpolicies
MethodDELETE
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/organizations/id/policies?page=10%22%7Ctimeout+%2FT+15&limit=10
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/users/id/policies?query=any%0ASet-cookie%3A+Tamper%3Dc220d01e-db02-4f37-b626-530b781fbc3b
MethodPUT
EvidenceHTTP/1.1 401
URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies?query=www.google.com%2F
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies?sig=sig%3Bstart-sleep+-s+%7B0%7D
MethodPOST
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/users/id/policies?page=%28%29+%7B+%3A%3B%7D%3B+%2Fbin%2Fsleep+15&limit=10
MethodGET
EvidenceHTTP/1.1 401
URLhttp://docker.for.mac.localhost:8080/authorization/shared-policies?page=10%3Bsleep+15%3B&limit=10
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/policies/id/
MethodDELETE
EvidenceHTTP/1.1 404
URLhttp://docker.for.mac.localhost:8080/authorization/teams/id/users?page=10&limit=any%0ASet-cookie%3A+Tamper%3D208212ef-86fb-404d-88f0-155c7b24e684
MethodGET
EvidenceHTTP/1.1 400
URLhttp://docker.for.mac.localhost:8080/authorization/users?query=any%0D%0ASet-cookie%3A+Tamper%3D062ad8b9-837c-4dd2-982b-400e74a44046%0D%0A
MethodGET
EvidenceHTTP/1.1 400
Instances13422
Solution

Reference

CWE Id388
WASC Id20
Source ID4
+ + diff --git a/docs/udaru/pentests/udaru-basline-scan-2018-05-18T13:39:28.850Z.html b/docs/udaru/pentests/udaru-basline-scan-2018-05-18T13:39:28.850Z.html new file mode 100644 index 00000000..4e8612ca --- /dev/null +++ b/docs/udaru/pentests/udaru-basline-scan-2018-05-18T13:39:28.850Z.html @@ -0,0 +1,96 @@ + + + +ZAP Scanning Report + + + +

+ +ZAP Scanning Report +

+

+ +

+

Summary of Alerts

+ + + + + + + + + + + + + + + + +
Risk + LevelNumber + of Alerts
High0
Medium0
Low0
Informational0
+
+

Alert Detail

+ + diff --git a/package.json b/package.json index 35f4bcea..85468cdb 100644 --- a/package.json +++ b/package.json @@ -128,6 +128,9 @@ "test": "lerna run test", "test:commit-check": "npm run doc:lint && npm run lint && npm run depcheck && npm run test", "test:security": "cd packages/udaru-hapi-server && npm run test:security", + "test:security:pentest:baseline": " node packages/udaru-hapi-server/security/penetration/runner.js --baseline", + "test:security:pentest:api": " node packages/udaru-hapi-server/security/penetration/runner.js --api", + "test:security:pentest": " node packages/udaru-hapi-server/security/penetration/runner.js --api --baseline", "swagger-gen": "node scripts/getSwaggerJson.js js > docs/swagger/swagger-json.js" }, "remarkConfig": { diff --git a/packages/udaru-hapi-server/security/penetration/runner.js b/packages/udaru-hapi-server/security/penetration/runner.js new file mode 100644 index 00000000..61d43681 --- /dev/null +++ b/packages/udaru-hapi-server/security/penetration/runner.js 
@@ -0,0 +1,68 @@ +'use strict' + +const spawn = require('child_process').spawn +const path = require('path') +const chalk = require('chalk') + +const cmdArguments = process.argv.slice(2).join(' ').toLowerCase() + +const doApiScan = cmdArguments.includes('api') +const doBaselineScan = cmdArguments.includes('baseline') + +if (!(doBaselineScan || doApiScan)) { + console.log(chalk.green('No scans specified for the runner. Exiting.')) + process.exit(0) +} + +const server = require('../../index') + +// Due to the fact Docker does networking differently on OSX and this script might be ran manually +// we need to compensate for the host part of the test endpoint +const isOSX = process.platform === 'darwin' +const baseEndpoint = `${server.info.protocol}://${isOSX ? 'docker.for.mac.localhost' : server.info.host}:${server.info.port}` +const swaggerEndpoint = `${baseEndpoint}/swagger.json` +const reportNameDatePart = new Date().toISOString() +const baselineReportName = `udaru-baseline-scan-${reportNameDatePart}.html` +const apiReportName = `udaru-api-scan-${reportNameDatePart}.html` +const reportDestination = path.join(process.cwd(), path.join('docs', 'udaru', 'pentests')) + +const command = `sh` +const params = ['runner.sh', baseEndpoint, swaggerEndpoint, baselineReportName, apiReportName, reportDestination, `--baseline=${doBaselineScan}`, `--api=${doApiScan}`] + +function executeMap (command, params, done) { + console.log('Command that will be used:', command) + + console.log(chalk.green('executing with: ', ([command].concat(params)).join(' '))) + + const docker = spawn(command, params, {cwd: __dirname, env: process.env}) + + docker.stdout.on('data', (data) => { + console.log(`docker: ${data}`) + }) + + docker.stderr.on('data', (data) => { + console.log('error', data.toString()) + console.error(data.toString()) + }) + + docker.on('error', (error) => { + console.error(chalk.red(error)) + done(new Error('failed to start child process')) + }) + + docker.on('close', (code) => { 
+ console.log(chalk.green(`child process exited with code ${code}\n`)) + done(null) + }) +} + +executeMap(command, params, async (err) => { + await server.stop() + if (err) { + console.error(chalk.red(err)) + return process.exit(1) + } + + console.log(chalk.green(`HTML reports should be at ${reportDestination}. Commit to master to publish on gh-pages.`)) + return process.exit() +}) diff --git a/packages/udaru-hapi-server/security/penetration/runner.sh b/packages/udaru-hapi-server/security/penetration/runner.sh new file mode 100644 index 00000000..70953168 --- /dev/null +++ b/packages/udaru-hapi-server/security/penetration/runner.sh 
@@ -0,0 +1,33 @@ +#!/bin/bash +BASE_ENDPOINT="$1" +SWAGGER_ENDPOINT="$2" +BASELINE_REP_NAME="$3" +API_REP_NAME="$4" +REPORT_DEST_DIR="$5" + +docker pull owasp/zap2docker-weekly +## run the baseline scan +if [[ $6 == '--baseline=true' ]]; then + echo 'Running the baseline test' + docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-baseline.py -c udaruBaseline.config -t $BASE_ENDPOINT -r $BASELINE_REP_NAME \ + -z "-config replacer.full_list\(0\).description=auth1 -config replacer.full_list\(0\).enabled=true -config replacer.full_list\(0\).matchtype=REQ_HEADER -config replacer.full_list\(0\).matchstr=Authorization -config replacer.full_list\(0\).regex=false -config replacer.full_list\(0\).replacement=ROOTid" + + if [ ! -f $BASELINE_REP_NAME ]; then + echo 'Moving report file' + mv $BASELINE_REP_NAME $REPORT_DEST_DIR + fi + +fi + +if [[ $7 == '--api=true' ]]; then +## run the api attack scan + echo 'Running the API attach test' + docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -t $SWAGGER_ENDPOINT -f openapi -d -c udaruApi.config -r $API_REP_NAME \ + -z "-config replacer.full_list\(0\).description=auth1 -config replacer.full_list\(0\).enabled=true -config replacer.full_list\(0\).matchtype=REQ_HEADER -config replacer.full_list\(0\).matchstr=Authorization -config replacer.full_list\(0\).regex=false -config replacer.full_list\(0\).replacement=ROOTid" + + if [ ! -f $API_REP_NAME ]; then + echo 'Moving report file' + mv $API_REP_NAME $REPORT_DEST_DIR + fi + +fi \ No newline at end of file diff --git a/packages/udaru-hapi-server/security/penetration/udaruApi.config b/packages/udaru-hapi-server/security/penetration/udaruApi.config new file mode 100644 index 00000000..ef938f7e --- /dev/null +++ b/packages/udaru-hapi-server/security/penetration/udaruApi.config 
@@ -0,0 +1,72 @@ +# zap-api-scan rule configuration file +# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches +# Active scan rules set to IGNORE will not be run which will speed up the scan +# Only the rule identifiers are used - the names are just for info +# You can add your own messages to each rule by appending them after a tab on each line. +0 WARN (Directory Browsing - Active/release) +10010 IGNORE (Cookie No HttpOnly Flag - Passive/release) +10011 IGNORE (Cookie Without Secure Flag - Passive/release) +10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set - Passive/release) +10016 WARN (Web Browser XSS Protection Not Enabled - Passive/release) +10017 WARN (Cross-Domain JavaScript Source File Inclusion - Passive/release) +10019 WARN (Content-Type Header Missing - Passive/release) +10020 WARN (X-Frame-Options Header Scanner - Passive/release) +10021 WARN (X-Content-Type-Options Header Missing - Passive/release) +10023 WARN (Information Disclosure - Debug Error Messages - Passive/beta) +10024 WARN (Information Disclosure - Sensitive Informations in URL - Passive/beta) +10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header - Passive/beta) +10026 WARN (HTTP Parameter Override - Passive/beta) +10027 WARN (Information Disclosure - Suspicious Comments - Passive/beta) +10032 WARN (Viewstate Scanner - Passive/beta) +10040 WARN (Secure Pages Include Mixed Content - Passive/release) +10045 WARN (Source Code Disclosure - /WEB-INF folder - Active/beta) +10048 WARN (Remote Code Execution - Shell Shock - Active/beta) +10055 WARN (CSP Scanner - Passive/beta) +10095 WARN (Backup File Disclosure - Active/beta) +10105 WARN (Weak Authentication Method - Passive/beta) +10202 WARN (Absence of Anti-CSRF Tokens - Passive/beta) +2 WARN (Private IP Disclosure - Passive/release) +20012 WARN (Anti CSRF Tokens Scanner - Active/beta) +20014 WARN (HTTP Parameter Pollution scanner - Active/beta) +20015 IGNORE (Heartbleed OpenSSL 
Vulnerability - Active/beta) +20016 WARN (Cross-Domain Misconfiguration - Active/beta) +20017 WARN (Source Code Disclosure - CVE-2012-1823 - Active/beta) +20018 WARN (Remote Code Execution - CVE-2012-1823 - Active/beta) +20019 WARN (External Redirect - Active/release) +3 WARN (Session ID in URL Rewrite - Passive/release) +30001 WARN (Buffer Overflow - Active/release) +30002 WARN (Format String Error - Active/release) +30003 WARN (Integer Overflow Error - Active/beta) +40003 WARN (CRLF Injection - Active/release) +40008 WARN (Parameter Tampering - Active/release) +40009 WARN (Server Side Include - Active/release) +40012 WARN (Cross Site Scripting (Reflected) - Active/release) +40013 WARN (Session Fixation - Active/beta) +40014 WARN (Cross Site Scripting (Persistent) - Active/release) +40016 WARN (Cross Site Scripting (Persistent) - Prime - Active/release) +40017 WARN (Cross Site Scripting (Persistent) - Spider - Active/release) +40018 WARN (SQL Injection - Active/release) +40019 IGNORE (SQL Injection - MySQL - Active/beta) +40020 IGNORE (SQL Injection - Hypersonic SQL - Active/beta) +40021 IGNORE (SQL Injection - Oracle - Active/beta) +40022 FAIL (SQL Injection - PostgreSQL - Active/beta) +40023 WARN (Possible Username Enumeration - Active/beta) +42 IGNORE (Source Code Disclosure - SVN - Active/beta) +50000 WARN (Script Active Scan Rules - Active/release) +50001 WARN (Script Passive Scan Rules - Passive/release) +6 WARN (Path Traversal - Active/release) +7 WARN (Remote File Inclusion - Active/release) +90001 IGNORE (Insecure JSF ViewState - Passive/beta) +90011 WARN (Charset Mismatch - Passive/beta) +90019 WARN (Server Side Code Injection - Active/release) +90020 WARN (Remote OS Command Injection - Active/release) +90021 WARN (XPath Injection - Active/beta) +90022 WARN (Application Error Disclosure - Passive/release) +90023 WARN (XML External Entity Attack - Active/beta) +90024 WARN (Generic Padding Oracle - Active/beta) +90025 WARN (Expression Language Injection - 
Active/beta) +90026 IGNORE (SOAP Action Spoofing - Active/alpha) +90028 WARN (Insecure HTTP Method - Active/beta) +90029 WARN (SOAP XML Injection - Active/alpha) +90030 WARN (WSDL File Passive Scanner - Passive/alpha) +90033 WARN (Loosely Scoped Cookie - Passive/beta) diff --git a/packages/udaru-hapi-server/security/penetration/udaruBaseline.config b/packages/udaru-hapi-server/security/penetration/udaruBaseline.config new file mode 100644 index 00000000..497a772c --- /dev/null +++ b/packages/udaru-hapi-server/security/penetration/udaruBaseline.config 
@@ -0,0 +1,30 @@ +# zap-baseline rule configuration file +# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches +# Only the rule identifiers are used - the names are just for info +# You can add your own messages to each rule by appending them after a tab on each line. +10010 WARN (Cookie No HttpOnly Flag) +10011 WARN (Cookie Without Secure Flag) +10012 WARN (Password Autocomplete in Browser) +10015 WARN (Incomplete or No Cache-control and Pragma HTTP Header Set) +10016 WARN (Web Browser XSS Protection Not Enabled) +10017 WARN (Cross-Domain JavaScript Source File Inclusion) +10019 WARN (Content-Type Header Missing) +10020 WARN (X-Frame-Options Header Scanner) +10021 WARN (X-Content-Type-Options Header Missing) +10023 WARN (Information Disclosure - Debug Error Messages) +10024 WARN (Information Disclosure - Sensitive Informations in URL) +10025 WARN (Information Disclosure - Sensitive Information in HTTP Referrer Header) +10026 WARN (HTTP Parameter Override) +10027 WARN (Information Disclosure - Suspicious Comments) +10032 WARN (Viewstate Scanner) +10040 WARN (Secure Pages Include Mixed Content) +10105 WARN (Weak Authentication Method) +10202 WARN (Absence of Anti-CSRF Tokens) +2 WARN (Private IP Disclosure) +3 WARN (Session ID in URL Rewrite) +50001 WARN (Script Passive Scan Rules) +90001 WARN (Insecure JSF ViewState) +90011 WARN (Charset Mismatch) +90022 WARN (Application Error Disclosure) +90030 WARN (WSDL File Passive Scanner) +90033 WARN (Loosely Scoped Cookie) \ No newline at end of file
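Review bot: the docs hunks (README.md, docs/_sidebar.md, docs/contributing.md) need a few fixes before merge. The first README hunk re-adds the "For convenience, you can load the volume db ..." line with no visible change, so it is a whitespace-only edit unrelated to this feature and should be dropped; the new note should read "make sure you have Docker installed" and "1.5 GB+" rather than "a Docker installed" and "1,5GB +", and a blank line is missing between the `npm run test:security:pentest:api` fence and "To run both:". In the sidebar, "Pentration test scans" should be "Penetration test scans". More importantly, both the sidebar entry (`udaru/pentests/`) and the contributing.md link (`./pentests`, which resolves to docs/pentests rather than docs/udaru/pentests where the two reports are actually added) point at a directory for which this diff adds no index page, so the HTML reports will not be reachable from the docs site; add an index page that links each report, or link the report files directly, and make the two links agree on the path.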
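Review bot: the committed scan reports should be triaged before they are published to gh-pages, since as committed they advertise a High finding against the API. The API report's 251 "Backup File Disclosure" instances are all paths such as /authorization/teams/teamId.bak, /authorization/users/id - Copy (3) or /authorization/list/userId - Copy/{resource*} that fall inside parameterised routes (the report itself shows the `{resource*}` placeholder), so they are the route answering for an arbitrary id, not backup files; record that conclusion as a tab-appended message on the 10095 line of udaruApi.config (the file's header comment describes that syntax) rather than shipping an unexplained result. The report file names also need attention: the baseline report is committed as udaru-basline-scan-... while runner.js generates udaru-baseline-scan-..., and both names keep the ':' characters from toISOString(), which makes the repository impossible to check out on Windows; strip or replace the colons in reportNameDatePart (for example reportNameDatePart.replace(/:/g, '-')) and rename the committed files to match.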
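Review bot: in package.json the three new script values start with a stray space (`" node packages/udaru-hapi-server/security/penetration/runner.js --baseline"`), unlike every other script in the block; harmless under sh but inconsistent, so remove it. Since runner.js derives the report directory from process.cwd(), these scripts only work when run from the repository root; that holds for the root package.json, but a short comment in the README section would save contributors running the file directly from the package directory.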
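Review bot: in runner.js, executeMap never propagates a failing scan: the 'close' handler calls done(null) whatever the exit code, so a non-zero exit from the child (docker not installed, a scan error, or a FAIL-level rule such as 40022 triggering, which the ZAP scan scripts signal through their exit code) still ends in process.exit() with a green "HTML reports should be at ..." message, making the npm script unusable as a CI gate. Pass the code through, for example done(code === 0 ? null : new Error(`runner exited with code ${code}`)), and guard done against being invoked twice, because both the 'error' and 'close' handlers call it and Node may emit 'close' after 'error'. Smaller points: the stderr handler prints each chunk twice (console.log('error', ...) followed by console.error), and detecting the scans via includes('api') / includes('baseline') on the joined, lowercased argv accepts any argument containing those substrings; matching the exact flags `--api` and `--baseline` is safer.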
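Review bot: in runner.sh the report-move condition is inverted: `if [ ! -f $BASELINE_REP_NAME ]` (and likewise for $API_REP_NAME) runs the mv only when the report does not exist, so a successful scan leaves the HTML in security/penetration and the mv, when it does run, fails on a missing file; it should be `if [ -f "$BASELINE_REP_NAME" ]`. The script also depends on bash (`[[ $6 == '--baseline=true' ]]`) but runner.js launches it as `sh runner.sh`; on Linux hosts where sh is dash the `[[` tests are a syntax error and neither scan runs, so spawn bash explicitly or use POSIX `[ ... ]`. Quote the expansions ($(pwd), $BASE_ENDPOINT, the report names), since the names embed a timestamp and the mount path may contain spaces; fix "Running the API attach test" to "attack"; consider taking the Authorization replacement value (ROOTid) from an argument or environment variable instead of duplicating it in two long -z strings; and add the missing trailing newline the diff flags.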
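Review bot: udaruApi.config sets rule 42 (Source Code Disclosure - SVN) to IGNORE, yet the API report committed in the same change lists that rule as its only High alert with 3 instances, so either the report predates this configuration or the IGNORE is not taking effect; regenerate the report with this config and confirm before merging. Rule 40022 (SQL Injection - PostgreSQL) is the only FAIL while the generic 40018 (SQL Injection) stays at WARN; if PostgreSQL is the only backend Udaru runs on, promoting 40018 as well keeps the gate consistent, and note that FAIL has no effect at all until runner.js honours the child exit code. Rule 10095 (Backup File Disclosure) produced 251 instances against parameterised routes; either tune it or add a tab-appended justification on its line, as the header comment describes.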
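Review bot: udaruBaseline.config is missing its trailing newline (flagged by the diff), and the baseline report committed alongside it shows zero alerts at every risk level, which is more likely a coverage gap than a clean result: the baseline scan is pointed at $BASE_ENDPOINT alone, with no OpenAPI definition, so the spider has almost nothing to traverse on a JSON API. Either state in the README that the baseline scan only exercises the root endpoint and passive rules, or drive it from the swagger definition as the API scan already does, so that the "0 alerts" figure published to gh-pages is meaningful.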