OWASP ZAP VulnerableApp results

Generated: 2020-11-18 12:35

Total Score: 10.26%

ZAP Version: D-2020-11-10
URLs found: 130

Top Level Scores

| Top Level | Pass | Fail | Score |
|---|---|---|---|
| BlindSQLInjectionVulnerability | 0 | 2 | 0.00% |
| CommandInjection | 1 | 6 | 14.29% |
| ErrorBasedSQLInjectionVulnerability | 0 | 4 | 0.00% |
| Http3xxStatusCodeBasedInjection | 0 | 10 | 0.00% |
| JWTVulnerability | 0 | 16 | 0.00% |
| PathTraversal | 0 | 14 | 0.00% |
| PersistentXSSInHTMLTagVulnerability | 0 | 10 | 0.00% |
| UnionBasedSQLInjectionVulnerability | 1 | 2 | 33.33% |
| UnrestrictedFileUpload | 0 | 10 | 0.00% |
| XSSInImgTagAttribute | 5 | 3 | 62.50% |
| XSSWithHTMLTagInjection | 1 | 4 | 20.00% |
| XXEVulnerability | 0 | 3 | 0.00% |

Alerts

| Alert | Description | Count (Pass/Fail/Ignore/Other) |
|---|---|---|
| PathTrav | Path Traversal | |
| SrcInc | Source Code Disclosure - File Inclusion | |
| XFrame | X-Frame-Options Header Not Set | |
| XSSProtectionNotEnabled | Web Browser XSS Protection Not Enabled | |
| XContent | X-Content-Type-Options Header Missing | 204 |
| URLinfo | Information Disclosure - Sensitive Information in URL | |
| OpenRedir | Open Redirect | |
| CookiePoison | Cookie Poisoning | |
| MaybeXSS | User Controllable HTML Element Attribute (Potential XSS) | |
| ServerLeak | Server Leaks Version Information via "Server" HTTP Response Header Field | |
| NoCSP | Content Security Policy (CSP) Header Not Set | |
| UserJsEvent | User Controllable JavaScript Event (XSS) | |
| ContentCache | Content Cacheability | 257 |
| GetForPost | GET for POST | |
| PII | PII Disclosure | |
| FeaturePolicyNotSet | Feature Policy Header Not Set | |
| Timestamp | Timestamp Disclosure - Unix | |
| UAfuzz | User Agent Fuzzer | |
| ModernApp | Modern Web Application | |
| NoCSRF | Absence of Anti-CSRF Tokens | |
| ACSRF | Anti CSRF Tokens Scanner | |
| ExtRedir | External Redirect | |
| Buffer | Buffer Overflow | |
| Format | Format String Error | |
| IntOver | Integer Overflow Error | |
| RXSS | Cross Site Scripting (Reflected) | |
| PXSS | Cross Site Scripting (Persistent) - Prime | |
| LDAPi | LDAP Injection | |
| PXSS | Cross Site Scripting (Persistent) | |
| PXSSS | Cross Site Scripting (Persistent) - Spider | |
| MysqlSqli | SQL Injection - MySQL | |
| SqliteSqli | SQL Injection - SQLite | 27 |
| DXSS | Cross Site Scripting (DOM Based) | |
| JWT | JWT Scan Rule | |
| AdvSqli | Advanced SQL Injection | |
| CommandInjection | Remote OS Command Injection | |
| XXE | XML External Entity Attack | |
| AppError | Application Error Disclosure | 13 |
| PaddingOracle | Generic Padding Oracle | |
| CookieSlack | Cookie Slack Detector | |
| CookieLoose | Loosely Scoped Cookie | |

Detailed Results

| Page | Result | Pass | Fail | Ignore | Other |
|---|---|---|---|---|---|
| BlindSQLInjectionVulnerability-LEVEL_1 | FAIL | | AdvSqli | | |
| BlindSQLInjectionVulnerability-LEVEL_2 | FAIL | | AdvSqli | | |
| CommandInjection-LEVEL_1 | PASS | CommandInjection | SqliteSqli | | LDAPi ContentCache 90028 XContent 90004 |
| CommandInjection-LEVEL_2 | FAIL | | CommandInjection | | |
| CommandInjection-LEVEL_3 | FAIL | | CommandInjection | | |
| CommandInjection-LEVEL_4 | FAIL | | CommandInjection | | |
| CommandInjection-LEVEL_5 | FAIL | | SqliteSqli | | 90028 |
| ErrorBasedSQLInjectionVulnerability-LEVEL_1 | FAIL | | AdvSqli | | |
| ErrorBasedSQLInjectionVulnerability-LEVEL_2 | FAIL | | AdvSqli | | |
| ErrorBasedSQLInjectionVulnerability-LEVEL_3 | FAIL | | AdvSqli | | |
| ErrorBasedSQLInjectionVulnerability-LEVEL_4 | FAIL | | AdvSqli | | |
| Http3xxStatusCodeBasedInjection-LEVEL_1 | FAIL | | SqliteSqli | | 90028 |
| Http3xxStatusCodeBasedInjection-LEVEL_2 | FAIL | | OpenRedir | | |
| Http3xxStatusCodeBasedInjection-LEVEL_3 | FAIL | | OpenRedir | | |
| Http3xxStatusCodeBasedInjection-LEVEL_4 | FAIL | | OpenRedir | | |
| Http3xxStatusCodeBasedInjection-LEVEL_5 | FAIL | | SqliteSqli | | 90028 |
| Http3xxStatusCodeBasedInjection-LEVEL_6 | FAIL | | SqliteSqli | | 90028 |
| Http3xxStatusCodeBasedInjection-LEVEL_7 | FAIL | | OpenRedir | | |
| JWTVulnerability-LEVEL_1 | FAIL | | JWT | | |
| JWTVulnerability-LEVEL_2 | FAIL | | JWT | | |
| JWTVulnerability-LEVEL_3 | FAIL | | JWT | | |
| JWTVulnerability-LEVEL_4 | FAIL | | JWT | | |
| JWTVulnerability-LEVEL_5 | FAIL | | JWT | | |
| JWTVulnerability-LEVEL_6 | FAIL | | JWT | | |
| JWTVulnerability-LEVEL_7 | FAIL | | JWT | | |
| JWTVulnerability-LEVEL_8 | FAIL | | JWT | | |
| JWTVulnerability-LEVEL_9 | FAIL | | SqliteSqli | | 90028 |
| PathTraversal-LEVEL_1 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_10 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_11 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_12 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_2 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_3 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_4 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_5 | FAIL | | SqliteSqli | | 90028 |
| PathTraversal-LEVEL_6 | FAIL | | SqliteSqli | | 90028 |
| PathTraversal-LEVEL_7 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_8 | FAIL | | PathTrav | | |
| PathTraversal-LEVEL_9 | FAIL | | PathTrav | | |
| PersistentXSSInHTMLTagVulnerability-LEVEL_1 | FAIL | | PXSSS | | |
| PersistentXSSInHTMLTagVulnerability-LEVEL_2 | FAIL | | PXSSS | | |
| PersistentXSSInHTMLTagVulnerability-LEVEL_3 | FAIL | | PXSSS | | |
| PersistentXSSInHTMLTagVulnerability-LEVEL_4 | FAIL | | PXSSS | | |
| PersistentXSSInHTMLTagVulnerability-LEVEL_5 | FAIL | | PXSSS | | |
| PersistentXSSInHTMLTagVulnerability-LEVEL_6 | FAIL | | PXSSS | | |
| PersistentXSSInHTMLTagVulnerability-LEVEL_7 | FAIL | | SqliteSqli | | 90028 |
| PersistentXSSInHTMLTagVulnerability-LEVEL_8 | FAIL | | SqliteSqli | | 90028 |
| UnionBasedSQLInjectionVulnerability-LEVEL_1 | FAIL | | AdvSqli | | |
| UnionBasedSQLInjectionVulnerability-LEVEL_2 | FAIL | | AdvSqli | | |
| UnionBasedSQLInjectionVulnerability-LEVEL_3 | PASS | SqliteSqli | | | 90028 |
| UnrestrictedFileUpload-LEVEL_1 | FAIL | | PathTrav RXSS PXSSS | | |
| UnrestrictedFileUpload-LEVEL_2 | FAIL | | RXSS PXSSS | | |
| UnrestrictedFileUpload-LEVEL_3 | FAIL | | RXSS PXSSS | | |
| UnrestrictedFileUpload-LEVEL_4 | FAIL | | RXSS PXSSS | | |
| UnrestrictedFileUpload-LEVEL_5 | FAIL | | RXSS PXSSS | | |
| UnrestrictedFileUpload-LEVEL_6 | FAIL | | RXSS PXSSS | | |
| UnrestrictedFileUpload-LEVEL_7 | FAIL | | SqliteSqli | | 90028 |
| UnrestrictedFileUpload-LEVEL_8 | FAIL | | SqliteSqli | | 90028 |
| XSSInImgTagAttribute-LEVEL_1 | PASS | RXSS | SqliteSqli | | DXSS 90028 SrcInc |
| XSSInImgTagAttribute-LEVEL_2 | PASS | RXSS | SqliteSqli | | DXSS 90028 SrcInc |
| XSSInImgTagAttribute-LEVEL_3 | PASS | RXSS | | | 90028 SrcInc |
| XSSInImgTagAttribute-LEVEL_4 | PASS | RXSS | | | LDAPi 90028 SrcInc |
| XSSInImgTagAttribute-LEVEL_5 | PASS | RXSS | | | 90028 SrcInc |
| XSSInImgTagAttribute-SECURE | FAIL | | RXSS | | |
| XSSWithHTMLTagInjection-LEVEL_1 | PASS | RXSS | | | DXSS 90028 SrcInc |
| XSSWithHTMLTagInjection-LEVEL_2 | FAIL | | SqliteSqli | | 90028 |
| XSSWithHTMLTagInjection-LEVEL_3 | FAIL | | SqliteSqli | | 90028 |
| XXEVulnerability-LEVEL_1 | FAIL | | XXE | | |
| XXEVulnerability-LEVEL_2 | FAIL | | XXE | | |
| XXEVulnerability-LEVEL_3 | FAIL | | XXE | | |

Plugin Times

| Plugin | Time (h:mm:ss.ms) | Reqs | Quality |
|---|---|---|---|
| Path Traversal | 0:01:49.969 | 36858 | release |
| Remote File Inclusion | 0:01:12.677 | 29120 | release |
| Source Code Disclosure - /WEB-INF folder | 0:00:00.016 | 0 | release |
| External Redirect | 0:00:24.451 | 4576 | release |
| Server Side Include | 0:00:16.559 | 1664 | release |
| Cross Site Scripting (Reflected) | 0:00:15.081 | 1401 | release |
| Cross Site Scripting (Persistent) - Prime | 0:00:15.414 | 416 | release |
| Cross Site Scripting (Persistent) - Spider | 0:00:05.182 | 129 | release |
| Cross Site Scripting (Persistent) | 0:00:14.822 | 0 | release |
| SQL Injection | 0:01:49.498 | 23410 | release |
| Server Side Code Injection | 0:00:22.712 | 3328 | release |
| Remote OS Command Injection | 0:01:41.047 | 35193 | release |
| Directory Browsing | 0:00:04.268 | 129 | release |
| Buffer Overflow | 0:00:15.837 | 377 | release |
| Format String Error | 0:00:15.939 | 1131 | release |
| CRLF Injection | 0:00:22.241 | 2912 | release |
| Parameter Tampering | 0:00:20.889 | 1844 | release |
| ELMAH Information Leak | 0:00:00.022 | 1 | release |
| .htaccess Information Leak | 0:00:04.450 | 25 | release |
| Script Active Scan Rules | 0:00:00.008 | 0 | release |
| Source Code Disclosure - Git | 0:00:04.165 | 0 | beta |
| Source Code Disclosure - File Inclusion | 0:00:55.591 | 382 | beta |
| Remote Code Execution - Shell Shock | 0:00:15.119 | 832 | beta |
| Httpoxy - Proxy Header Misuse | 0:00:14.510 | 645 | beta |
| Anti-CSRF Tokens Check | 0:00:01.236 | 0 | beta |
| Cross-Domain Misconfiguration | 0:00:00.034 | 2 | beta |
| Heartbleed OpenSSL Vulnerability | 0:00:00.049 | 2 | beta |
| Source Code Disclosure - CVE-2012-1823 | 0:00:04.751 | 103 | beta |
| Remote Code Execution - CVE-2012-1823 | 0:00:11.777 | 258 | beta |
| Session Fixation | 0:00:01.430 | 0 | beta |
| SQL Injection - MySQL | 0:00:45.736 | 9152 | beta |
| SQL Injection - Hypersonic SQL | 0:00:36.300 | 7072 | beta |
| SQL Injection - Oracle | 0:00:33.774 | 5408 | beta |
| SQL Injection - PostgreSQL | 0:00:36.437 | 7072 | beta |
| SQL Injection - SQLite | 0:02:42.094 | 35482 | beta |
| Cross Site Scripting (DOM Based) | 0:13:15.167 | 1673 | beta |
| SQL Injection - MsSQL | 0:00:34.450 | 6386 | beta |
| Advanced SQL Injection | 1:39:25.087 | 1549063 | beta |
| XPath Injection | 0:00:16.408 | 1248 | beta |
| XML External Entity Attack | 0:00:01.478 | 0 | beta |
| Generic Padding Oracle | 0:00:14.912 | 2 | beta |
| Expression Language Injection | 0:00:14.392 | 416 | beta |
| Cloud Metadata Potentially Exposed | 0:00:00.043 | 1 | beta |
| Source Code Disclosure - SVN | 0:00:10.527 | 261 | beta |
| Relative Path Confusion | 0:00:02.491 | 18 | beta |
| Apache Range Header DoS (CVE-2011-3192) | 0:00:04.934 | 145 | beta |
| Backup File Disclosure | 0:01:54.259 | 26639 | beta |
| HTTP Only Site | 0:00:00.103 | 0 | beta |
| Integer Overflow Error | 0:00:20.185 | 1508 | beta |
| Proxy Disclosure | 0:00:03.822 | 129 | beta |
| Trace.axd Information Leak | 0:00:03.795 | 25 | beta |
| .env Information Leak | 0:00:03.632 | 25 | beta |
| Hidden File Finder | 0:00:00.356 | 38 | beta |
| XSLT Injection | 0:00:17.580 | 2896 | beta |
| Insecure HTTP Method | 0:00:33.918 | 1548 | beta |
| HTTPS Content Available via HTTP | 0:00:01.668 | 0 | beta |
| GET for POST | 0:00:01.788 | 0 | beta |
| User Agent Fuzzer | 0:00:32.674 | 903 | beta |
| HTTP Parameter Pollution | 0:00:01.714 | 0 | beta |
| Possible Username Enumeration | 0:00:00.022 | 0 | beta |
| Cookie Slack Detector | 0:00:01.084 | 0 | beta |
| LDAP Injection | 0:02:50.175 | 1135 | alpha |
| NoSQL Injection - MongoDB | 0:00:47.772 | 9296 | alpha |
| Example Active Scan Rule: Denial of Service | 0:00:14.663 | 0 | alpha |
| An example active scan rule which loads data from a file | 0:00:14.613 | 0 | alpha |
| JWT Scan Rule | 0:00:15.126 | 0 | alpha |
| Total | 2:19:32 | - | - |