ZAP Scanning Report

Generated with ZAP on Wed 6 Jul 2022, at 21:23:36

Contents

About this report

Report parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

  • https://192.168.2.3

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: User Confirmed, High, Medium, Low, False Positive

Summaries

Alert counts by risk and confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

Risk \ Confidence   User Confirmed   High        Medium       Low          Total
High                0 (0.0%)         0 (0.0%)    0 (0.0%)     0 (0.0%)     0 (0.0%)
Medium              0 (0.0%)         0 (0.0%)    2 (33.3%)    1 (16.7%)    3 (50.0%)
Low                 0 (0.0%)         0 (0.0%)    1 (16.7%)    1 (16.7%)    2 (33.3%)
Informational       0 (0.0%)         0 (0.0%)    0 (0.0%)     1 (16.7%)    1 (16.7%)
Total               0 (0.0%)         0 (0.0%)    3 (50.0%)    3 (50.0%)    6 (100%)

Alert counts by site and risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

Site                  High (= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
https://192.168.2.3   0 (0)           3 (3)                1 (4)          0 (4)

Alert counts by alert type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

Alert type                                      Risk            Count
Absence of Anti-CSRF Tokens                     Medium          3 (50.0%)
CSP: script-src unsafe-inline                   Medium          4 (66.7%)
CSP: style-src unsafe-inline                    Medium          4 (66.7%)
CSP: Notices                                    Low             4 (66.7%)
Timestamp Disclosure - Unix                     Low             12 (200.0%)
Information Disclosure - Suspicious Comments    Informational   27 (450.0%)
Total                                                           6

Alerts

  1. Risk=Medium, Confidence=Medium (2)

    1. https://192.168.2.3 (2)

      1. CSP: script-src unsafe-inline (1)
        1. GET https://192.168.2.3/
          Alert tags
          Alert description

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page: covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          Other info

          script-src includes unsafe-inline.

          Request
          Request line and header section (403 bytes)
          GET https://192.168.2.3/ HTTP/1.1
          Host: 192.168.2.3
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Connection: keep-alive
          Upgrade-Insecure-Requests: 1
          Sec-Fetch-Dest: document
          Sec-Fetch-Mode: navigate
          Sec-Fetch-Site: none
          Sec-Fetch-User: ?1
          
          
          Request body (0 bytes)
          Response
          Status line and header section (1167 bytes)
          HTTP/1.1 302 Found
          Date: Wed, 06 Jul 2022 23:10:54 GMT
          Server: Apache/2.4.29 (Ubuntu)
          Strict-Transport-Security: max-age=31536000; includeSubdomains;
          X-Content-Type-Options: nosniff
          X-Frame-Options: SAMEORIGIN
          Upgrade: h2
          Connection: Upgrade, Keep-Alive
          Set-Cookie: MISP-93318e56-360b-4880-86e6-7e8f440da812=6jbnt1guubrkvakbk73spr90i2vhm1fc; expires=Sat, 09-Jul-2022 11:10:54 GMT; Max-Age=216000; path=/; secure; HttpOnly; SameSite=Lax
          Expires: Mon, 26 Jul 1997 05:00:00 GMT
          Last-Modified: Wed, 06 Jul 2022 23:10:54 GMT
          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
          Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; worker-src 'none'; child-src 'none'; frame-src 'none'; base-uri 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; connect-src 'self'; manifest-src 'none'; report-uri /servers/cspReport; upgrade-insecure-requests
          X-XSS-Protection: 1; mode=block
          Location: https://192.168.2.3/users/login
          Content-Length: 0
          Keep-Alive: timeout=5, max=100
          Content-Type: text/html; charset=UTF-8
          
          
          Response body (0 bytes)
          Evidence
          default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; worker-src 'none'; child-src 'none'; frame-src 'none'; base-uri 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; connect-src 'self'; manifest-src 'none'; report-uri /servers/cspReport; upgrade-insecure-requests
          Solution

          Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

      2. CSP: style-src unsafe-inline (1)
        1. GET https://192.168.2.3/
          Alert tags
          Alert description

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page: covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          Other info

          style-src includes unsafe-inline.

          Request
          Request line and header section (403 bytes)
          GET https://192.168.2.3/ HTTP/1.1
          Host: 192.168.2.3
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Connection: keep-alive
          Upgrade-Insecure-Requests: 1
          Sec-Fetch-Dest: document
          Sec-Fetch-Mode: navigate
          Sec-Fetch-Site: none
          Sec-Fetch-User: ?1
          
          
          Request body (0 bytes)
          Response
          Status line and header section (1167 bytes)
          HTTP/1.1 302 Found
          Date: Wed, 06 Jul 2022 23:10:54 GMT
          Server: Apache/2.4.29 (Ubuntu)
          Strict-Transport-Security: max-age=31536000; includeSubdomains;
          X-Content-Type-Options: nosniff
          X-Frame-Options: SAMEORIGIN
          Upgrade: h2
          Connection: Upgrade, Keep-Alive
          Set-Cookie: MISP-93318e56-360b-4880-86e6-7e8f440da812=6jbnt1guubrkvakbk73spr90i2vhm1fc; expires=Sat, 09-Jul-2022 11:10:54 GMT; Max-Age=216000; path=/; secure; HttpOnly; SameSite=Lax
          Expires: Mon, 26 Jul 1997 05:00:00 GMT
          Last-Modified: Wed, 06 Jul 2022 23:10:54 GMT
          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
          Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; worker-src 'none'; child-src 'none'; frame-src 'none'; base-uri 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; connect-src 'self'; manifest-src 'none'; report-uri /servers/cspReport; upgrade-insecure-requests
          X-XSS-Protection: 1; mode=block
          Location: https://192.168.2.3/users/login
          Content-Length: 0
          Keep-Alive: timeout=5, max=100
          Content-Type: text/html; charset=UTF-8
          
          
          Response body (0 bytes)
          Evidence
          default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; worker-src 'none'; child-src 'none'; frame-src 'none'; base-uri 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; connect-src 'self'; manifest-src 'none'; report-uri /servers/cspReport; upgrade-insecure-requests
          Solution

          Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

  2. Risk=Medium, Confidence=Low (1)

    1. https://192.168.2.3 (1)

      1. Absence of Anti-CSRF Tokens (1)
        1. GET https://192.168.2.3/users/login
          Alert tags
          Alert description

          No Anti-CSRF tokens were found in an HTML submission form.

          A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

          CSRF attacks are effective in a number of situations, including:

          * The victim has an active session on the target site.

          * The victim is authenticated via HTTP auth on the target site.

          * The victim is on the same local network as the target site.

          CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.

          Other info

          No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic, CSRF, _token, _csrf_token] was found in the following HTML form: [Form 1: "_method" "Token1906121980" "TokenFields770934101" "TokenUnlocked2112398299" "UserEmail" "UserPassword" ].

          Request
          Request line and header section (498 bytes)
          GET https://192.168.2.3/users/login HTTP/1.1
          Host: 192.168.2.3
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Connection: keep-alive
          Cookie: MISP-93318e56-360b-4880-86e6-7e8f440da812=6jbnt1guubrkvakbk73spr90i2vhm1fc
          Upgrade-Insecure-Requests: 1
          Sec-Fetch-Dest: document
          Sec-Fetch-Mode: navigate
          Sec-Fetch-Site: none
          Sec-Fetch-User: ?1
          
          
          Request body (0 bytes)
          Response
          Status line and header section (941 bytes)
          HTTP/1.1 200 OK
          Date: Wed, 06 Jul 2022 23:10:54 GMT
          Server: Apache/2.4.29 (Ubuntu)
          Strict-Transport-Security: max-age=31536000; includeSubdomains;
          X-Content-Type-Options: nosniff
          X-Frame-Options: SAMEORIGIN
          Expires: Mon, 26 Jul 1997 05:00:00 GMT
          Last-Modified: Wed, 06 Jul 2022 23:10:54 GMT
          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
          Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; worker-src 'none'; child-src 'none'; frame-src 'none'; base-uri 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; connect-src 'self'; manifest-src 'none'; report-uri /servers/cspReport; upgrade-insecure-requests
          X-XSS-Protection: 1; mode=block
          Content-Length: 7688
          Vary: Accept-Encoding
          Keep-Alive: timeout=5, max=99
          Connection: Keep-Alive
          Content-Type: text/html; charset=UTF-8
          
          
          Response body (7688 bytes)
          <!DOCTYPE html>
          <html xmlns="http://www.w3.org/1999/xhtml" lang="en">
          <head>
              <meta http-equiv="X-UA-Compatible" content="IE=edge">
              <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />    <meta name="viewport" content="width=device-width">
              <title>Users - MISP</title>
              <link rel="stylesheet" type="text/css" href="/css/bootstrap.css"/><link rel="stylesheet" type="text/css" href="/css/bootstrap-datepicker.css"/><link rel="stylesheet" type="text/css" href="/css/bootstrap-colorpicker.css"/><link rel="stylesheet" type="text/css" href="/css/font-awesome.css"/><link rel="stylesheet" type="text/css" href="/css/chosen.min.css"/><link rel="stylesheet" type="text/css" href="/css/main.css"/><link rel="stylesheet" type="text/css" href="/css/jquery-ui.css"/><link rel="stylesheet" type="text/css" href="/css/print.css" media="print"/><script type="text/javascript" src="/js/jquery.js"></script><script type="text/javascript" src="/js/misp-touch.js"></script><script type="text/javascript" src="/js/chosen.jquery.min.js"></script><script type="text/javascript" src="/js/jquery-ui.js"></script><link href="/favicon.ico" type="image/x-icon" rel="icon"/><link href="/favicon.ico" type="image/x-icon" rel="shortcut icon"/></head>
          <body data-controller="users" data-action="login">
              <div id="popover_form" class="ajax_popover_form"></div>
              <div id="popover_form_large" class="ajax_popover_form ajax_popover_form_large"></div>
              <div id="popover_form_x_large" class="ajax_popover_form ajax_popover_form_x_large"></div>
              <div id="popover_matrix" class="ajax_popover_form ajax_popover_matrix"></div>
              <div id="popover_box" class="popover_box"></div>
              <div id="screenshot_box" class="screenshot_box"></div>
              <div id="confirmation_box" class="confirmation_box"></div>
              <div id="gray_out" class="gray_out"></div>
              <div id="container">
                  <div id="topBar" class="navbar navbar-inverse debugOff">
            <div class="navbar-inner">
              <ul class="nav">
                      </ul>
              <ul class="nav pull-right">
                      </ul>
            </div>
          </div>
              </div>
              <div id="flashContainer" style="padding-top:50px; !important;">
                  <div id="main-view-container" class="container-fluid">
                              </div>
              </div>
              <div>
                  <div style="width:100%;">
              <table style="margin-left:auto;margin-right:auto;">
              <tr>
              <td style="text-align:right;width:250px;padding-right:50px">
                      </td>
              <td style="width:460px">
                  <span style="font-size:18px;">
                      Initial Install, please configure        </span><br /><br />
                  <div>
                              <img src="https://192.168.2.3/img/misp-logo-s-u.png" style="display:block; margin-left: auto; margin-right: auto;"/>
                          </div>
                                  <div style="text-align:right;font-size:18px;">
                          Welcome to MISP on ubuntu, change this message in MISP Settings                </div>
                  <form action="/users/login" id="UserLoginForm" method="post" accept-charset="utf-8"><div style="display:none;"><input type="hidden" name="_method" value="POST"/><input type="hidden" name="data[_Token][key]" value="ac3cf48c3d5d40f9e02ceae11b6c61f0" id="Token1906121980" autocomplete="off"/></div>        <legend>Login</legend>
                  <div class="input email required"><label for="UserEmail">Email</label><input name="data[User][email]" autocomplete="off" autofocus="autofocus" maxlength="255" type="email" id="UserEmail" required="required"/></div><div class="input password required"><label for="UserPassword">Password</label><input name="data[User][password]" autocomplete="off" type="password" id="UserPassword" required="required"/></div>            <div class="clear">
                                  </div>
                      <button class="btn btn-primary" type="submit">Login</button>        <div style="display:none;"><input type="hidden" name="data[_Token][fields]" value="0aae20bc431fa1a52da1e7cf3338c540b5d78f26%3A" id="TokenFields770934101" autocomplete="off"/><input type="hidden" name="data[_Token][unlocked]" value="" id="TokenUnlocked2112398299" autocomplete="off"/></div></form>    </td>
              <td style="width:250px;padding-left:50px">
                      </td>
              </tr>
              </table>
          </div>
          
          <script>
          $(function() {
              $('#UserLoginForm').submit(function(event) {
                  event.preventDefault()
                  submitLoginForm()
              });
          })
          
          function submitLoginForm() {
              var $form = $('#UserLoginForm')
              var url = $form.attr('action')
              var email = $form.find('#UserEmail').val()
              var password = $form.find('#UserPassword').val()
              var LinOTPAuth = false;
              var LinOTPAuthEnabled = false;
          
              if (LinOTPAuth && LinOTPAuthEnabled) {
                  var otp = $form.find('#UserOtp').val()
              }
              if (!$form[0].checkValidity()) {
                  $form[0].reportValidity()
              } else {
                  fetchFormDataAjax(url, function(html) {
                      var formHTML = $(html).find('form#UserLoginForm')
                      if (!formHTML.length) {
                          window.location = baseurl + '/users/login'
                      }
                      $('body').append($('<div id="temp" style="display: none"/>').append(formHTML))
                      var $tmpForm = $('#temp form#UserLoginForm')
                      $tmpForm.find('#UserEmail').val(email)
                      $tmpForm.find('#UserPassword').val(password)
                      if (LinOTPAuth && LinOTPAuthEnabled) {
                          $tmpForm.find('#UserOtp').val(otp)
                      }
                      $tmpForm.submit()
                  })
              }
          }
          </script>
              </div>
              <script type="text/javascript" src="/js/bootstrap.js"></script><script type="text/javascript" src="/js/bootstrap-timepicker.js"></script><script type="text/javascript" src="/js/bootstrap-datepicker.js"></script><script type="text/javascript" src="/js/bootstrap-colorpicker.js"></script><script type="text/javascript" src="/js/misp.js"></script><script type="text/javascript" src="/js/keyboard-shortcuts-definition.js"></script><script type="text/javascript" src="/js/keyboard-shortcuts.js"></script><div class="footer debugOff">
              <div id="shortcutsListContainer" class="">
                  <div id="triangle" title="Show keyboard shortcuts help"></div>
                  <div id="shortcutsList">
                      Keyboard shortcuts for this page:<br>
                      <div id="shortcuts">none</div>
                  </div>
              </div>
              <div id="footerContainer" class="navbar navbar-inverse">
                  <div class="navbar-inner">
                      <div class="pull-left footerText" style="float:left;position:absolute;padding-top:12px;z-index:2;">
                                              <span>Download: <a href="/gpg.asc">PGP public key</a></span>
                                      </div>
                      <div class="footerText footerCenterText">
                          <span>This is an initial install Powered by <a href="https://github.com/MISP/MISP" rel="noopener">MISP </a> Please configure and harden accordingly - <time>2022-07-07 01:10:54</time></span>
                      </div>
                      <div class="pull-right" style="position:relative;padding-top:9px;z-index:2;">
                                      </div>
                  </div>
              </div>
          </div>
              <div id="ajax_success_container" class="ajax_container">
                  <div id="ajax_success" class="ajax_result ajax_success"></div>
              </div>
              <div id="ajax_fail_container" class="ajax_container">
                  <div id="ajax_fail" class="ajax_result ajax_fail"></div>
              </div>
              <div id="ajax_hidden_container" class="hidden"></div>
              <div class="loading">
                  <div class="spinner"></div>
                  <div class="loadingText">Loading</div>
              </div>
              <script type="text/javascript">
                      var baseurl = 'https://192.168.2.3';
                  var here = 'https://192.168.2.3/users/login';
                      </script>
          </body>
          </html>
          
          Evidence
          <form action="/users/login" id="UserLoginForm" method="post" accept-charset="utf-8">
          Solution

          Phase: Architecture and Design

          Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.

          For example, use anti-CSRF packages such as the OWASP CSRFGuard.

          Phase: Implementation

          Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.

          Phase: Architecture and Design

          Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).

          Note that this can be bypassed using XSS.

          Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.

          Note that this can be bypassed using XSS.

          Use the ESAPI Session Management control.

          This control includes a component for CSRF.

          Do not use the GET method for any request that triggers a state change.

          Phase: Implementation

          Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.

  3. Risk=Low, Confidence=Medium (1)

    1. https://192.168.2.3 (1)

      1. CSP: Notices (1)
        1. GET https://192.168.2.3/
          Alert tags
          Alert description

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page: covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          Other info

          Warnings:

          The report-uri directive has been deprecated in favor of the new report-to directive.

          Request
          Request line and header section (403 bytes)
          GET https://192.168.2.3/ HTTP/1.1
          Host: 192.168.2.3
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Connection: keep-alive
          Upgrade-Insecure-Requests: 1
          Sec-Fetch-Dest: document
          Sec-Fetch-Mode: navigate
          Sec-Fetch-Site: none
          Sec-Fetch-User: ?1
          
          
          Request body (0 bytes)
          Response
          Status line and header section (1167 bytes)
          HTTP/1.1 302 Found
          Date: Wed, 06 Jul 2022 23:10:54 GMT
          Server: Apache/2.4.29 (Ubuntu)
          Strict-Transport-Security: max-age=31536000; includeSubdomains;
          X-Content-Type-Options: nosniff
          X-Frame-Options: SAMEORIGIN
          Upgrade: h2
          Connection: Upgrade, Keep-Alive
          Set-Cookie: MISP-93318e56-360b-4880-86e6-7e8f440da812=6jbnt1guubrkvakbk73spr90i2vhm1fc; expires=Sat, 09-Jul-2022 11:10:54 GMT; Max-Age=216000; path=/; secure; HttpOnly; SameSite=Lax
          Expires: Mon, 26 Jul 1997 05:00:00 GMT
          Last-Modified: Wed, 06 Jul 2022 23:10:54 GMT
          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
          Content-Security-Policy: default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; worker-src 'none'; child-src 'none'; frame-src 'none'; base-uri 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; connect-src 'self'; manifest-src 'none'; report-uri /servers/cspReport; upgrade-insecure-requests
          X-XSS-Protection: 1; mode=block
          Location: https://192.168.2.3/users/login
          Content-Length: 0
          Keep-Alive: timeout=5, max=100
          Content-Type: text/html; charset=UTF-8
          
          
          Response body (0 bytes)
          Evidence
          default-src 'self' data: 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'none'; worker-src 'none'; child-src 'none'; frame-src 'none'; base-uri 'self'; img-src 'self' data:; font-src 'self'; form-action 'self'; connect-src 'self'; manifest-src 'none'; report-uri /servers/cspReport; upgrade-insecure-requests
          Solution

          Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

  4. Risk=Low, Confidence=Low (1)

  5. Risk=Informational, Confidence=Low (1)

Appendix

Alert types

This section contains additional information on the types of alerts in the report.

  1. Absence of Anti-CSRF Tokens

    Source raised by a passive scanner (Absence of Anti-CSRF Tokens)
    CWE ID 352
    WASC ID 9
    Reference
    1. http://projects.webappsec.org/Cross-Site-Request-Forgery
    2. http://cwe.mitre.org/data/definitions/352.html
  2. CSP: script-src unsafe-inline

    Source raised by a passive scanner (CSP)
    CWE ID 693
    WASC ID 15
    Reference
    1. http://www.w3.org/TR/CSP2/
    2. http://www.w3.org/TR/CSP/
    3. http://caniuse.com/#search=content+security+policy
    4. http://content-security-policy.com/
    5. https://github.com/shapesecurity/salvation
    6. https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
  3. CSP: style-src unsafe-inline

    Source raised by a passive scanner (CSP)
    CWE ID 693
    WASC ID 15
    Reference
    1. http://www.w3.org/TR/CSP2/
    2. http://www.w3.org/TR/CSP/
    3. http://caniuse.com/#search=content+security+policy
    4. http://content-security-policy.com/
    5. https://github.com/shapesecurity/salvation
    6. https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
  4. CSP: Notices

    Source raised by a passive scanner (CSP)
    CWE ID 693
    WASC ID 15
    Reference
    1. http://www.w3.org/TR/CSP2/
    2. http://www.w3.org/TR/CSP/
    3. http://caniuse.com/#search=content+security+policy
    4. http://content-security-policy.com/
    5. https://github.com/shapesecurity/salvation
    6. https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
  5. Timestamp Disclosure - Unix

    Source raised by a passive scanner (Timestamp Disclosure)
    CWE ID 200
    WASC ID 13
    Reference
    1. http://projects.webappsec.org/w/page/13246936/Information%20Leakage
  6. Information Disclosure - Suspicious Comments

    Source raised by a passive scanner (Information Disclosure - Suspicious Comments)
    CWE ID 200
    WASC ID 13