{ "@programName": "ZAP", "@version": "2.15.0", "@generated": "Tue, 23 Jul 2024 11:12:03", "site":[ { "@name": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us", "@host": "mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us", "@port": "443", "@ssl": "true", "alerts": [ { "pluginid": "40018", "alertRef": "40018", "alert": "SQL Injection", "name": "SQL Injection", "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)", "desc": "

SQL injection may be possible.

", "instances":[ { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/settings/key+AND+1%3D1+--+", "method": "POST", "param": "\u00ABkey\u00BB", "attack": "key AND 1=1 -- ", "evidence": "", "otherinfo": "The page results were successfully manipulated using the boolean conditions [key AND 1=1 -- ] and [key AND 1=2 -- ]\nThe parameter value being modified was stripped from the HTML output for the purposes of the comparison.\nData was returned for the original parameter.\nThe vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter.", "request-header": "POST https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/settings/key+AND+1%3D1+--+ HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: */*\r\ncontent-type: application/json\r\ncontent-length: 37\r\n\r\n", "request-body": "{\"key\":\"John Doe\",\"value\":\"John Doe\"}", "response-header": "HTTP/1.1 201 Created\r\ndate: Tue, 23 Jul 2024 11:07:45 GMT\r\ncontent-length: 0\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "" } ], "count": "1", "solution": "

Do not trust client side input, even if there is client side validation in place.

In general, type check all data on the server side.

If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

If database Stored Procedures can be used, use them.

Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

Do not create dynamic SQL queries using simple string concatenation.

Escape all data received from the client.

Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

Apply the principle of least privilege by using the least privileged database user possible.

In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

Grant the minimum database access that is necessary for the application.

", "otherinfo": "

The page results were successfully manipulated using the boolean conditions [key AND 1=1 -- ] and [key AND 1=2 -- ]

The parameter value being modified was stripped from the HTML output for the purposes of the comparison.

Data was returned for the original parameter.

The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter.

", "reference": "

https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

", "cweid": "89", "wascid": "19", "sourceid": "41454", "tags":[ { "tag": "OWASP_2017_A01", "link": "https:\/\/owasp.org\/www-project-top-ten\/2017\/A1_2017-Injection.html" }, { "tag": "OWASP_2021_A03", "link": "https:\/\/owasp.org\/Top10\/A03_2021-Injection\/" }, { "tag": "CWE-89", "link": "https:\/\/cwe.mitre.org\/data\/definitions\/89.html" }, { "tag": "WSTG-v42-INPV-05", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/v42\/4-Web_Application_Security_Testing\/07-Input_Validation_Testing\/05-Testing_for_SQL_Injection" } ] }, { "pluginid": "90022", "alertRef": "90022", "alert": "Application Error Disclosure", "name": "Application Error Disclosure", "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)", "desc": "

This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.

", "instances":[ { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/importsummaries/upload", "method": "POST", "param": "", "attack": "", "evidence": "HTTP/1.1 500 Internal Server Error", "otherinfo": "", "request-header": "POST https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/importsummaries/upload HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 500 Internal Server Error\r\ndate: Tue, 23 Jul 2024 11:05:21 GMT\r\ncontent-length: 0\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "" } ], "count": "1", "solution": "

Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.

", "otherinfo": "", "reference": "", "cweid": "200", "wascid": "13", "sourceid": "139", "tags":[ { "tag": "WSTG-v42-ERRH-02", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/v42\/4-Web_Application_Security_Testing\/08-Testing_for_Error_Handling\/02-Testing_for_Stack_Traces" }, { "tag": "WSTG-v42-ERRH-01", "link": "https:\/\/owasp.org\/www-project-web-security-testing-guide\/v42\/4-Web_Application_Security_Testing\/08-Testing_for_Error_Handling\/01-Testing_For_Improper_Error_Handling" }, { "tag": "OWASP_2021_A05", "link": "https:\/\/owasp.org\/Top10\/A05_2021-Security_Misconfiguration\/" }, { "tag": "OWASP_2017_A06", "link": "https:\/\/owasp.org\/www-project-top-ten\/2017\/A6_2017-Security_Misconfiguration.html" }, { "tag": "CWE-200", "link": "https:\/\/cwe.mitre.org\/data\/definitions\/200.html" } ] }, { "pluginid": "10035", "alertRef": "10035-1", "alert": "Strict-Transport-Security Header Not Set", "name": "Strict-Transport-Security Header Not Set", "riskcode": "1", "confidence": "3", "riskdesc": "Low (High)", "desc": "

HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.

", "instances":[ { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/addons", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/addons HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 914\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[{\"name\":\"analyzer\",\"container\":{\"name\":\"addon\",\"image\":\"registry.redhat.io/mta/mta-analyzer-addon-rhel9@sha256:95c6f33c103d55a706ef64fc01d4624130f388648b2bb23de1a2e863bc1dba97\",\"resources\":{\"limits\":{\"cpu\":\"1\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"1\",\"memory\":\"512Mi\"}},\"imagePullPolicy\":\"Always\"}},{\"name\":\"language-discovery\",\"container\":{\"name\":\"addon\",\"image\":\"registry.redhat.io/mta/mta-discovery-addon-rhel9@sha256:97eb41472466db73dfea01bf960bd97a5ac693a07d445a50d17f38ab2c75f3a5\",\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"512Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"512Mi\"}},\"imagePullPolicy\":\"Always\"}},{\"name\":\"tech-discovery\",\"container\":{\"name\":\"addon\",\"image\":\"registry.redhat.io/mta/mta-analyzer-addon-rhel9@sha256:95c6f33c103d55a706ef64fc01d4624130f388648b2bb23de1a2e863bc1dba97\",\"resources\":{\"limits\":{\"cpu\":\"1\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"1\",\"memory\":\"512Mi\"}},\"imagePullPolicy\":\"Always\"}}]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/addons/ZAP", 
"method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/addons/ZAP HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 404 Not Found\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 0\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/dependencies", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/dependencies HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; 
x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/incidents", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/incidents HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/incidents/10", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/incidents/10 HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 404 Not 
Found\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 28\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "{\"error\":\"record not found\"}" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\naccept-ranges: bytes\r\ncontent-length: 2\r\ncontent-type: application/json\r\nlast-modified: Tue, 23 Jul 2024 11:05:20 GMT\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\ncache-control: private\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues/10", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues/10 HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 404 Not Found\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 
28\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "{\"error\":\"record not found\"}" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues/10/incidents", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues/10/incidents HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/applications", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/applications HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 404 Not Found\r\ncontent-type: text/plain\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 18\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "404 page not found" 
}, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/applications/10/issues", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/applications/10/issues HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 404 Not Found\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 28\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "{\"error\":\"record not found\"}" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/issues/10/files", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/issues/10/files HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 404 Not Found\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 28\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "{\"error\":\"record not found\"}" }, { "uri": 
"https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/rules", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/rules HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" } ], "count": "13", "solution": "

Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.

", "otherinfo": "", "reference": "

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html

https://owasp.org/www-community/Security_Headers

https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://caniuse.com/stricttransportsecurity

https://datatracker.ietf.org/doc/html/rfc6797

", "cweid": "319", "wascid": "15", "sourceid": "7", "tags":[ { "tag": "OWASP_2021_A05", "link": "https:\/\/owasp.org\/Top10\/A05_2021-Security_Misconfiguration\/" }, { "tag": "OWASP_2017_A06", "link": "https:\/\/owasp.org\/www-project-top-ten\/2017\/A6_2017-Security_Misconfiguration.html" }, { "tag": "CWE-319", "link": "https:\/\/cwe.mitre.org\/data\/definitions\/319.html" } ] }, { "pluginid": "10021", "alertRef": "10021", "alert": "X-Content-Type-Options Header Missing", "name": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)", "desc": "

The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

", "instances":[ { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/addons", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/addons HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 914\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": 
"[{\"name\":\"analyzer\",\"container\":{\"name\":\"addon\",\"image\":\"registry.redhat.io/mta/mta-analyzer-addon-rhel9@sha256:95c6f33c103d55a706ef64fc01d4624130f388648b2bb23de1a2e863bc1dba97\",\"resources\":{\"limits\":{\"cpu\":\"1\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"1\",\"memory\":\"512Mi\"}},\"imagePullPolicy\":\"Always\"}},{\"name\":\"language-discovery\",\"container\":{\"name\":\"addon\",\"image\":\"registry.redhat.io/mta/mta-discovery-addon-rhel9@sha256:97eb41472466db73dfea01bf960bd97a5ac693a07d445a50d17f38ab2c75f3a5\",\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"512Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"512Mi\"}},\"imagePullPolicy\":\"Always\"}},{\"name\":\"tech-discovery\",\"container\":{\"name\":\"addon\",\"image\":\"registry.redhat.io/mta/mta-analyzer-addon-rhel9@sha256:95c6f33c103d55a706ef64fc01d4624130f388648b2bb23de1a2e863bc1dba97\",\"resources\":{\"limits\":{\"cpu\":\"1\",\"memory\":\"1Gi\"},\"requests\":{\"cpu\":\"1\",\"memory\":\"512Mi\"}},\"imagePullPolicy\":\"Always\"}}]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/10/issues", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/10/issues HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\naccept-ranges: bytes\r\ncontent-length: 2\r\ncontent-type: application/json\r\nlast-modified: Tue, 23 Jul 2024 11:05:20 GMT\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\ncache-control: private\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/dependencies", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/dependencies HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/incidents", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/incidents HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\naccept-ranges: bytes\r\ncontent-length: 2\r\ncontent-type: application/json\r\nlast-modified: Tue, 23 Jul 2024 11:05:20 GMT\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\ncache-control: private\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues/10/incidents", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/issues/10/incidents HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/rules", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/analyses/report/rules HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\nx-total: 0\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/applications", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/applications HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:20 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/archetypes", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/archetypes HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:21 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/assessments", "method": "GET", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "GET https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/assessments HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 200 OK\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:21 GMT\r\ncontent-length: 2\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "[]" }, { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/buckets", "method": "POST", "param": "x-content-type-options", "attack": "", "evidence": "", "otherinfo": "This issue still applies to error type pages (401, 403, 500, etc.) 
as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.\nAt \"High\" threshold this scan rule will not alert on client or server error responses.", "request-header": "POST https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/buckets HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-length: 0\r\n\r\n", "request-body": "", "response-header": "HTTP/1.1 201 Created\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:21 GMT\r\ncontent-length: 153\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "{\"id\":1,\"createUser\":\"admin.noauth\",\"updateUser\":\"\",\"createTime\":\"2024-07-23T11:05:21.411607447Z\",\"path\":\"/buckets/ce4abae5-12c8-4424-8e3e-1dfb2aae276f\"}" } ], "count": "12", "solution": "

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

", "otherinfo": "

This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

At \"High\" threshold this scan rule will not alert on client or server error responses.

", "reference": "

https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)

https://owasp.org/www-community/Security_Headers

", "cweid": "693", "wascid": "15", "sourceid": "7", "tags":[ { "tag": "CWE-693", "link": "https:\/\/cwe.mitre.org\/data\/definitions\/693.html" }, { "tag": "OWASP_2021_A05", "link": "https:\/\/owasp.org\/Top10\/A05_2021-Security_Misconfiguration\/" }, { "tag": "OWASP_2017_A06", "link": "https:\/\/owasp.org\/www-project-top-ten\/2017\/A6_2017-Security_Misconfiguration.html" } ] }, { "pluginid": "10111", "alertRef": "10111", "alert": "Authentication Request Identified", "name": "Authentication Request Identified", "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)", "desc": "

The given request has been identified as an authentication request. The 'Other Info' field contains a set of key=value lines which identify any relevant fields. If the request is in a context which has an Authentication Method set to \"Auto-Detect\" then this rule will change the authentication to match the request identified.

", "instances":[ { "uri": "https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/identities", "method": "POST", "param": "user", "attack": "", "evidence": "password", "otherinfo": "userParam=user\nuserValue=John Doe\npasswordParam=password", "request-header": "POST https://mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us/hub/identities HTTP/1.1\r\nhost: mta-openshift-mta.apps.mig08.rhos-psi.cnv-qe.rhood.us\r\nuser-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0\r\npragma: no-cache\r\ncache-control: no-cache\r\naccept: application/json\r\ncontent-type: application/json\r\ncontent-length: 316\r\n\r\n", "request-body": "{\"createTime\":\"John Doe\",\"createUser\":\"John Doe\",\"description\":\"Zaproxy alias impedit expedita quisquam pariatur exercitationem. Nemo rerum eveniet dolores rem quia dignissimos.\",\"id\":10,\"key\":\"John Doe\",\"kind\":\"John Doe\",\"name\":\"ZAP\",\"password\":\"ZAP\",\"settings\":\"John Doe\",\"updateUser\":\"John Doe\",\"user\":\"John Doe\"}", "response-header": "HTTP/1.1 400 Bad Request\r\ncontent-type: application/json; charset=utf-8\r\ndate: Tue, 23 Jul 2024 11:05:21 GMT\r\ncontent-length: 109\r\nset-cookie: 12a637bc9ab75d0e38a1f11bc90374b6=fadc4418825c6e974f41146b9c4705d8; path=/; HttpOnly; Secure; SameSite=None\r\n\r\n", "response-body": "{\"error\":\"parsing time \\\"John Doe\\\" as \\\"2006-01-02T15:04:05Z07:00\\\": cannot parse \\\"John Doe\\\" as \\\"2006\\\"\"}" } ], "count": "1", "solution": "

This is an informational alert rather than a vulnerability and so there is nothing to fix.

", "otherinfo": "

userParam=user

userValue=John Doe

passwordParam=password

", "reference": "

https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/

", "cweid": "-1", "wascid": "-1", "sourceid": "127", "tags":[ ] } ] }, { "@name": "https://raw.githubusercontent.com", "@host": "raw.githubusercontent.com", "@port": "443", "@ssl": "true", "alerts": [ ] } ] }