diff --git a/src/Sarif.Converters/HdfConverter.cs b/src/Sarif.Converters/HdfConverter.cs
index 462fe42cb..6ebf7792a 100644
--- a/src/Sarif.Converters/HdfConverter.cs
+++ b/src/Sarif.Converters/HdfConverter.cs
@@ -44,6 +44,14 @@ public override void Convert(Stream input, IResultLogWriter output, OptionallyEm
 SupportedTaxonomies = new List() { new ToolComponentReference() { Name = "NIST SP800-53 v5", Guid = Guid.Parse("AAFBAB93-5201-419E-8443-D4925C542398") } }
 }
 },
+ OriginalUriBaseIds = new Dictionary()
+ {
+ {
+ "ROOTPATH", new ArtifactLocation {
+ Uri = new Uri("file:///")
+ }
+ }
+ },
 ExternalPropertyFileReferences = new ExternalPropertyFileReferences()
 {
 Taxonomies = new List()
@@ -90,7 +98,11 @@ private static (ReportingDescriptor, IList) SarifRuleAndResultFromHdfCon
 var reportingDescriptor = new ReportingDescriptor
 {
 Id = execJsonControl.Id,
- Name = execJsonControl.Title,
+ Name = string.Join("", execJsonControl.Title.Split(' ').Select(s => char.ToUpper(s[0]) + s.Substring(1))),
+ ShortDescription = new MultiformatMessageString
+ {
+ Text = AppendPeriod(execJsonControl.Title),
+ },
 FullDescription = new MultiformatMessageString
 {
 Text = AppendPeriod(execJsonControl.Desc),
@@ -98,7 +110,12 @@ private static (ReportingDescriptor, IList) SarifRuleAndResultFromHdfCon
 DefaultConfiguration = new ReportingConfiguration
 {
 Level = SarifLevelFromHdfImpact(execJsonControl.Impact),
+ Enabled = !execJsonControl.Results.All(r => r.Status == ControlResultStatus.Skipped),
 },
+ Help = execJsonControl.Descriptions.Any() ? new MultiformatMessageString
+ {
+ Text = string.Join("\n", execJsonControl.Descriptions.Select(d => d.Label + ":\n" + d.Data))
+ } : null,
 HelpUri = null,
 Relationships = new List(
 ((JArray)execJsonControl.Tags["nist"])
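Review bot: `Uri = new Uri("file:///")` registers a base that has no counterpart in the HDF input, and the locations added later in this commit resolve a relative `.` against it, so any consumer that expands `uriBaseIds` will point every result at the filesystem root of whichever machine reads the log. That is presumably deliberate (HDF controls carry no file positions), but nothing in the hunk says so; a comment on the `OriginalUriBaseIds` line such as `// HDF controls have no source location; ROOTPATH is a synthetic base so results can still carry a physicalLocation.` would keep the next maintainer from "fixing" it. The Convert method starts and ends outside the hunk.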
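Review bot: The new `Name` expression indexes `s[0]` on every segment of `Title.Split(' ')`, so a title with a leading, trailing or doubled space produces an empty segment and the converter throws IndexOutOfRangeException on untrusted input instead of producing a rule; `char.ToUpper` is also culture-sensitive, so the generated Name depends on the host locale. `Name = string.Join("", execJsonControl.Title.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries).Select(s => char.ToUpperInvariant(s[0]) + s.Substring(1))),` avoids both. A null `Title` would still fault on this line and on the added `ShortDescription`; whether the HDF deserializer guarantees a non-null title is not visible here. SarifRuleAndResultFromHdfControl continues outside the hunk.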
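Review bot: `execJsonControl.Results.All(...)` and `execJsonControl.Descriptions.Any()` dereference two collections the hunk never null-checks, so a control whose `results` or `descriptions` key is absent from the input document will surface as a NullReferenceException deep in the converter rather than a clear conversion error; whether the model initialises those lists is not visible here, and if it does not, `(execJsonControl.Results ?? Enumerable.Empty<ControlResult>())`-style guards (type name presumed) on both lines would be the fix. Separately, `All` on an empty `Results` returns true, so a control with no results at all is emitted with `Enabled = false`; if that is the intent, a comment such as `// A control with no results, or only skipped ones, is reported as a disabled rule.` should say so. The enclosing method starts and ends outside the hunk.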
@@ -141,6 +158,26 @@ private static (ReportingDescriptor, IList) SarifRuleAndResultFromHdfCon
 Kind = kind,
 Level = level,
 Rank = rank,
+ Locations = new List
+ {
+ new Location {
+ PhysicalLocation = new PhysicalLocation
+ {
+ ArtifactLocation = new ArtifactLocation
+ {
+ Uri = new Uri(".", UriKind.Relative),
+ UriBaseId = "ROOTPATH",
+ },
+ Region = new Region
+ {
+ StartLine = 1,
+ StartColumn = 1,
+ EndLine = 1,
+ EndColumn = 1,
+ }
+ }
+ }
+ }
 };
 results.Add(result);
 }
diff --git a/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/NoResults.sarif b/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/NoResults.sarif
index 707907ff4..8fe3a65f0 100644
--- a/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/NoResults.sarif
+++ b/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/NoResults.sarif
@@ -17,6 +17,11 @@
 ]
 }
 },
+ "originalUriBaseIds": {
+ "ROOTPATH": {
+ "uri": "file:///"
+ }
+ },
 "artifacts": [
 {
 "location": {
diff --git a/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/ValidResults.sarif b/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/ValidResults.sarif
index 358899b63..798113944 100644
--- a/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/ValidResults.sarif
+++ b/src/Test.UnitTests.Sarif.Converters/TestData/HdfConverter/ExpectedOutputs/ValidResults.sarif
@@ -9,6 +9,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/favicon.ico\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.3
 },
 {
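Review bot: The `Region` initialiser fabricates a 1:1–1:1 text span on an artifact that is only the base directory (`Uri = new Uri(".", UriKind.Relative)`, which the expected output below shows serialised as `"uri": ""`), so a viewer that honours regions will annotate line 1, column 1 of the root path for every HDF result. SARIF allows a `physicalLocation` with just an `artifactLocation`, so removing the four-line `Region` block asserts nothing that does not exist; if a downstream consumer requires a region, a comment should name it, e.g. `// Synthetic 1:1 region: HDF has no source positions; required by <consumer — TODO name>.` The Location built here is identical for every result and could be produced once by a small static helper rather than re-allocated per result. The enclosing method starts outside the hunk.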
@@ -16,6 +33,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds-verify.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -23,6 +57,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity-show-transactions.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -30,6 +81,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/sendFeedback.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -37,6 +105,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/help.html?topic=/help/topic2.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -44,6 +129,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/robots.txt\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -51,6 +153,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/auth\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -58,6 +177,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/index.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -65,6 +201,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -72,6 +225,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\nParam: Header User-Agent\nAttack: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -79,6 +249,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/online-statements.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -86,6 +273,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -93,6 +297,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/money-map-get-spendings-by-type.html?_dc=1544043856896\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -100,6 +321,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/auth/security-check.html?user_token=8c797e39-7ab3-41d2-a53a-2a6449f13866\nMethod: GET\nParam: Header User-Agent\nAttack: msnbot/1.1 (+http://search.msn.com/msnbot.htm)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -107,6 +345,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-summary.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -114,6 +369,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/login.html?login_error=true\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -121,6 +393,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/online-statements-for-account.html\nMethod: POST\nParam: Header User-Agent\nAttack: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -128,6 +417,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-new-payee.html\nMethod: GET\nParam: Header User-Agent\nAttack: msnbot/1.1 (+http://search.msn.com/msnbot.htm)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -135,6 +441,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/money-map-get-spendings-by-type.html?_dc=1544043856896\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -142,6 +465,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/logout.html\nMethod: GET\nParam: Header User-Agent\nAttack: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -149,6 +489,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/font/\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -156,6 +513,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/help.html\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -163,6 +537,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/controller/\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -170,6 +561,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-new-payee.html\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -177,6 +585,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/help.html?topic=/help/topic3.html\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -184,6 +609,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -191,6 +633,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -198,6 +657,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -205,6 +681,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/ext/\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -212,6 +705,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-summary.html\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -219,6 +729,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/themes/\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -226,6 +753,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/index.html\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -233,6 +777,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/online-statements-for-account.html\nMethod: POST\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -240,6 +801,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=1\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -247,6 +825,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/online-banking.html\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -254,6 +849,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/view/\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -261,6 +873,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds-verify.html\nMethod: POST\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -268,6 +897,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=2\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -275,6 +921,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -282,6 +945,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=3\nMethod: GET\nParam: X-XSS-Protection\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -289,6 +969,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=4\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -296,6 +993,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -303,6 +1017,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/sitemap.xml\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -310,6 +1041,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/login.html?login_error=true\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -317,6 +1065,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity-find-transactions.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -324,6 +1089,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-new-payee.html\nMethod: POST\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -331,6 +1113,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity-show-transactions.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -338,6 +1137,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/help.html?topic=/help/topic2.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -345,6 +1161,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/sendFeedback.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -352,6 +1185,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/auth\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -359,6 +1209,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/online-statements.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -366,6 +1233,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/forgotten-password-send.html\nMethod: POST\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -373,6 +1257,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/logout.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -380,6 +1281,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -387,6 +1305,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -394,6 +1329,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/help.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -401,6 +1353,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-purchase-currency.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -408,6 +1377,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/forgot-password.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -415,6 +1401,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-summary.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -422,6 +1425,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds-verify.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -429,6 +1449,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-get-payee-details.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -436,6 +1473,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-conversion-rate-for-currency.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -443,6 +1497,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/index.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -450,6 +1521,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds-verify.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -457,6 +1545,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/auth/security-check.html?user_token=8c797e39-7ab3-41d2-a53a-2a6449f13866\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -464,6 +1569,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -471,6 +1593,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/auth/accept-certs.html?user_token=8c797e39-7ab3-41d2-a53a-2a6449f13866\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -478,6 +1617,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/money-map-get-spendings-by-type.html?_dc=1544043856896\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -485,6 +1641,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/redirect.html?url=account-summary.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -492,6 +1665,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/auth\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -499,6 +1689,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/online-statements-for-account.html\nMethod: GET\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -507,6 +1714,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/index.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -515,6 +1739,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/online-statements.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -523,6 +1764,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity-show-transactions.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -531,6 +1789,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/online-statements-for-account.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -539,6 +1814,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -547,6 +1839,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -555,6 +1864,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds-verify.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -563,6 +1889,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/help.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -571,6 +1914,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -579,6 +1939,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-purchase-currency.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -587,6 +1964,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -595,6 +1989,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/redirect.html?url=account-summary.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -603,6 +2014,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/auth/security-check.html?user_token=230c3296-ed16-4c56-b15a-21dec9a0b296\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -611,6 +2039,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/favicon.ico\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -619,6 +2064,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/help.html?topic=/help/topic2.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -627,6 +2089,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-get-payee-details.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -635,6 +2114,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/money-map.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -643,6 +2139,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/money-map-get-spendings-by-type.html?_dc=1544043856896\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -651,6 +2164,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: GET\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -658,6 +2188,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-get-payee-details.html\nMethod: POST\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -665,6 +2212,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-conversion-rate-for-currency.html\nMethod: POST\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -672,6 +2236,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/js/jquery-1.6.4.min.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -679,6 +2260,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/view/DetailedReport.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -686,6 +2284,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds.html\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -693,6 +2308,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/feedback.html\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -700,6 +2332,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/index.html\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -707,6 +2356,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/js/jquery-1.7.2.min.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -714,6 +2380,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/themes/images/gray/tools/tool-sprites.gif\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -721,6 +2404,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -728,6 +2428,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/store/ReportOutFlow.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -735,6 +2452,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-new-payee.html\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -742,6 +2476,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/view/Report.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -749,6 +2500,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/css/ext-all-gray.css\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -756,6 +2524,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/online-banking.html\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -763,6 +2548,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/model/DetailedReport.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -770,6 +2572,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/view/SummaryReport.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -777,6 +2596,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/model/Report.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { 
@@ -784,6 +2620,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/extjs/app/view/Viewport.js\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -791,6 +2644,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/resources/css/jquery-ui-1.8.16.custom.css\nMethod: GET\nParam: X-Content-Type-Options\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.3 }, { @@ -799,6 +2669,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/forgotten-password-send.html\nMethod: GET\nParam: query\nAttack: case randomblob(10000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [449] milliseconds, parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [449] milliseconds, when the original unmodified query with value [query] took [13] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -807,6 +2694,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/money-map-get-spendings-by-type.html?_dc=1544043856896\nMethod: POST\nParam: _dc\nAttack: 1544043856896 * case randomblob(10000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [1544043856896 * case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [509] milliseconds, parameter value [1544043856896 * case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [509] milliseconds, when the original unmodified query with value [1544043856896] took [10] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -815,6 +2719,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills.html\nMethod: GET\nParam: query\nAttack: case randomblob(10000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [469] milliseconds, parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [469] milliseconds, when the original unmodified query with value [query] took [21] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -823,6 +2744,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/money-map.html\nMethod: GET\nParam: query\nAttack: \" | case randomblob(100000000) when not null then \"\" else \"\" end | \"\nEvidence: The query time is controllable using parameter value [\" | case randomblob(100000000) when not null then \"\" else \"\" end | \"], which caused the request to take [517] milliseconds, parameter value [\" | case randomblob(100000000) when not null then \"\" else \"\" end | \"], which caused the request to take [517] milliseconds, when the original unmodified query with value [query] took [21] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -831,6 +2769,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\nParam: user_password\nAttack: case randomblob(100000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(100000) when not null then 1 else 1 end ], which caused the request to take [453] milliseconds, parameter value [case randomblob(100000) when not null then 1 else 1 end ], which caused the request to take [453] milliseconds, when the original unmodified query with value [password] took [19] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -839,6 +2794,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank\nMethod: GET\nParam: query\nAttack: \" | case randomblob(1000000) when not null then \"\" else \"\" end | \"\nEvidence: The query time is controllable using parameter value [\" | case randomblob(1000000) when not null then \"\" else \"\" end | \"], which caused the request to take [586] milliseconds, parameter value [\" | case randomblob(1000000) when not null then \"\" else \"\" end | \"], which caused the request to take [586] milliseconds, when the original unmodified query with value [query] took [490] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -847,6 +2819,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-purchase-currency.html\nMethod: GET\nParam: query\nAttack: case randomblob(100000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(100000000) when not null then 1 else 1 end ], which caused the request to take [474] milliseconds, parameter value [case randomblob(100000000) when not null then 1 else 1 end ], which caused the request to take [474] milliseconds, when the original unmodified query with value [query] took [11] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -855,6 +2844,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\nParam: user_remember_me\nAttack: case randomblob(1000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [446] milliseconds, parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [446] milliseconds, when the original unmodified query with value [on] took [21] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -863,6 +2869,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: GET\nParam: query\nAttack: ' | case randomblob(1000000000) when not null then \"\" else \"\" end | '\nEvidence: The query time is controllable using parameter value [' | case randomblob(1000000000) when not null then \"\" else \"\" end | '], which caused the request to take [497] milliseconds, parameter value [' | case randomblob(1000000000) when not null then \"\" else \"\" end | '], which caused the request to take [497] milliseconds, when the original unmodified query with value [query] took [32] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -871,6 +2894,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds-verify.html\nMethod: POST\nParam: fromAccountId\nAttack: case randomblob(10000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [549] milliseconds, parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [549] milliseconds, when the original unmodified query with value [4] took [21] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -879,6 +2919,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/sendFeedback.html\nMethod: POST\nParam: query\nAttack: case randomblob(1000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [445] milliseconds, parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [445] milliseconds, when the original unmodified query with value [query] took [18] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -887,6 +2944,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/login.html?login_error=true\nMethod: GET\nParam: login_error\nAttack: case randomblob(100000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(100000000) when not null then 1 else 1 end ], which caused the request to take [451] milliseconds, parameter value [case randomblob(100000000) when not null then 1 else 1 end ], which caused the request to take [451] milliseconds, when the original unmodified query with value [true] took [8] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -895,6 +2969,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\nParam: query\nAttack: case randomblob(100000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(100000000) when not null then 1 else 1 end ], which caused the request to take [497] milliseconds, parameter value [case randomblob(100000000) when not null then 1 else 1 end ], which caused the request to take [497] milliseconds, when the original unmodified query with value [query] took [17] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -903,6 +2994,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/online-statements.html\nMethod: GET\nParam: query\nAttack: \" | case randomblob(1000000000) when not null then \"\" else \"\" end | \"\nEvidence: The query time is controllable using parameter value [\" | case randomblob(1000000000) when not null then \"\" else \"\" end | \"], which caused the request to take [480] milliseconds, parameter value [\" | case randomblob(1000000000) when not null then \"\" else \"\" end | \"], which caused the request to take [480] milliseconds, when the original unmodified query with value [query] took [25] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -911,6 +3019,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-conversion-rate-for-currency.html\nMethod: POST\nParam: query\nAttack: ' | case randomblob(100000) when not null then \"\" else \"\" end --\nEvidence: The query time is controllable using parameter value [' | case randomblob(100000) when not null then \"\" else \"\" end --], which caused the request to take [449] milliseconds, parameter value [' | case randomblob(100000) when not null then \"\" else \"\" end --], which caused the request to take [449] milliseconds, when the original unmodified query with value [query] took [12] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -919,6 +3044,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds-verify.html\nMethod: POST\nParam: query\nAttack: case randomblob(1000000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(1000000000) when not null then 1 else 1 end ], which caused the request to take [20] milliseconds, parameter value [case randomblob(1000000000) when not null then 1 else 1 end ], which caused the request to take [20] milliseconds, when the original unmodified query with value [query] took [464] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -927,6 +3069,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/forgot-password.html\nMethod: GET\nParam: query\nAttack: case randomblob(10000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [11] milliseconds, parameter value [case randomblob(10000000) when not null then 1 else 1 end ], which caused the request to take [11] milliseconds, when the original unmodified query with value [query] took [9] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -935,6 +3094,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\nParam: submit\nAttack: ' | case randomblob(100000000) when not null then \"\" else \"\" end | '\nEvidence: The query time is controllable using parameter value [' | case randomblob(100000000) when not null then \"\" else \"\" end | '], which caused the request to take [518] milliseconds, parameter value [' | case randomblob(100000000) when not null then \"\" else \"\" end | '], which caused the request to take [518] milliseconds, when the original unmodified query with value [Sign in] took [482] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { @@ -943,6 +3119,23 @@ "message": { "text": "Uri: http://zero.webappsecurity.com/sendFeedback.html\nMethod: POST\nParam: email\nAttack: case randomblob(1000000) when not null then 1 else 1 end \nEvidence: The query time is controllable using parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [19] milliseconds, parameter value [case randomblob(1000000) when not null then 1 else 1 end ], which caused the request to take [19] milliseconds, when the original unmodified query with value [ZAP] took [10] milliseconds.\n." }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "", + "uriBaseId": "ROOTPATH", + "index": 0 + }, + "region": { + "startLine": 1, + "startColumn": 1, + "endLine": 1, + "endColumn": 1 + } + } + } + ], "rank": 0.7 }, { 
@@ -951,6 +3144,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\nParam: query\nAttack: ' | case randomblob(100000000) when not null then \"\" else \"\" end | '\nEvidence: The query time is controllable using parameter value [' | case randomblob(100000000) when not null then \"\" else \"\" end | '], which caused the request to take [443] milliseconds, parameter value [' | case randomblob(100000000) when not null then \"\" else \"\" end | '], which caused the request to take [443] milliseconds, when the original unmodified query with value [query] took [18] milliseconds.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.7
 },
 {
@@ -958,6 +3168,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/money-map.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -965,6 +3192,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=1\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -972,6 +3216,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/online-statements-for-account.html\nMethod: POST\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -979,6 +3240,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-summary.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -986,6 +3264,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-new-payee.html\nMethod: POST\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -993,6 +3288,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/login.html?login_error=true\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1000,6 +3312,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/help.html?topic=/help/topic2.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1007,6 +3336,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=6\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1014,6 +3360,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity-find-transactions.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1021,6 +3384,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/help.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1028,6 +3408,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=2\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1035,6 +3432,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=3\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1042,6 +3456,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=4\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1049,6 +3480,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/forgotten-password-send.html\nMethod: POST\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1056,6 +3504,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity.html?accountId=5\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1063,6 +3528,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/online-statements.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1070,6 +3552,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/help.html?topic=/help/topic3.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1077,6 +3576,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/search.html?searchTerm=ZAP\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1084,6 +3600,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity-show-transactions.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1091,6 +3624,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-new-payee.html\nMethod: GET\nParam: X-Frame-Options\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1098,6 +3648,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/transfer-funds-verify.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1105,6 +3672,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity-show-transactions.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1112,6 +3696,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-conversion-rate-for-currency.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1119,6 +3720,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/sendFeedback.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1126,6 +3744,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/account-activity-find-transactions.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1133,6 +3768,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1140,6 +3792,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/money-map-get-spendings-by-type.html?_dc=1544043856896\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1147,6 +3816,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-get-payee-details.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1154,6 +3840,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/online-statements-for-account.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1161,6 +3864,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/forgotten-password-send.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1168,6 +3888,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills-new-payee.html\nMethod: POST\nAttack: TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 },
 {
@@ -1176,6 +3913,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/redirect.html?url=account-summary.html\nMethod: GET\nParam: url\nAttack: account-summary.html) WAITFOR DELAY '0:0:15' -- \n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.7
 },
 {
@@ -1184,6 +3938,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/bank/pay-bills.html\nMethod: GET\nParam: query\nAttack: query\" WAITFOR DELAY '0:0:15' -- \n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.7
 },
 {
@@ -1192,6 +3963,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/help.html?topic=WEB-INF%2Fweb.xml\nMethod: GET\nParam: topic\nAttack: WEB-INF/web.xml\nEvidence: \n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.7
 },
 {
@@ -1200,6 +3988,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/help.html?topic=http%3A%2F%2Fwww.google.com%2F\nMethod: GET\nParam: topic\nAttack: http://www.google.com/\nEvidence: Google\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.7
 },
 {
@@ -1207,6 +4012,23 @@
 "message": {
 "text": "Uri: http://zero.webappsecurity.com/signin.html\nMethod: POST\nParam: user_token\nAttack: ZAP%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s\n\n."
 },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH",
+ "index": 0
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ }
+ }
+ ],
 "rank": 0.5
 }
 ],
@@ -1218,10 +4040,13 @@
 "rules": [
 {
 "id": "10104",
- "name": "User Agent Fuzzer",
+ "name": "UserAgentFuzzer",
 "fullDescription": {
 "text": "Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response."
 },
+ "shortDescription": {
+ "text": "User Agent Fuzzer."
+ },
 "relationships": [
 {
 "target": {
@@ -1251,10 +4076,13 @@
 },
 {
 "id": "10016",
- "name": "Web Browser XSS Protection Not Enabled",
+ "name": "WebBrowserXSSProtectionNotEnabled",
 "fullDescription": {
 "text": "Web Browser XSS Protection is not enabled, or is disabled by the configuration of the 'X-XSS-Protection' HTTP response header on the web server."
 },
+ "shortDescription": {
+ "text": "Web Browser XSS Protection Not Enabled."
+ },
 "relationships": [
 {
 "target": {
@@ -1284,10 +4112,13 @@
 },
 {
 "id": "90027.1",
- "name": "Cookie Slack Detector",
+ "name": "CookieSlackDetector",
 "fullDescription": {
 "text": "Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced."
 },
+ "shortDescription": {
+ "text": "Cookie Slack Detector."
+ },
 "relationships": [
 {
 "target": {
@@ -1317,10 +4148,13 @@
 },
 {
 "id": "90027.2",
- "name": "Cookie Slack Detector",
+ "name": "CookieSlackDetector",
 "fullDescription": {
 "text": "Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced."
 },
+ "shortDescription": {
+ "text": "Cookie Slack Detector."
+ },
 "relationships": [
 {
 "target": {
@@ -1350,10 +4184,13 @@
 },
 {
 "id": "40025.1",
- "name": "Proxy Disclosure",
+ "name": "ProxyDisclosure",
 "fullDescription": {
 "text": "1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine - A list of targets for an attack against the application. - Potential vulnerabilities on the proxy servers that service the application. - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ."
 },
+ "shortDescription": {
+ "text": "Proxy Disclosure."
+ },
 "defaultConfiguration": {
 "level": "error"
 },
@@ -1386,10 +4223,13 @@
 },
 {
 "id": "10021",
- "name": "X-Content-Type-Options Header Missing",
+ "name": "X-Content-Type-OptionsHeaderMissing",
 "fullDescription": {
 "text": "The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing."
 },
+ "shortDescription": {
+ "text": "X-Content-Type-Options Header Missing."
+ },
 "relationships": [
 {
 "target": {
@@ -1419,10 +4259,13 @@
 },
 {
 "id": "40024",
- "name": "SQL Injection - SQLite",
+ "name": "SQLInjection-SQLite",
 "fullDescription": {
 "text": "SQL injection may be possible."
 },
+ "shortDescription": {
+ "text": "SQL Injection - SQLite."
+ },
 "defaultConfiguration": {
 "level": "error"
 },
@@ -1455,10 +4298,13 @@
 },
 {
 "id": "10020",
- "name": "X-Frame-Options Header Not Set",
+ "name": "X-Frame-OptionsHeaderNotSet",
 "fullDescription": {
 "text": "X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks."
 },
+ "shortDescription": {
+ "text": "X-Frame-Options Header Not Set."
+ },
 "relationships": [
 {
 "target": {
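Review bot: The expected rule names pinned by this hunk still contain non-identifier characters — `"name": "X-Content-Type-OptionsHeaderMissing"`, `"name": "SQLInjection-SQLite"` and `"name": "X-Frame-OptionsHeaderNotSet"` here, and `"name": "SQLInjection-MsSQL"` in the next hunk — which suggests the converter's title-to-name transformation only removes spaces. SARIF recommends that a rule `name` be a PascalCase identifier, and the fixture now enshrines names that consumers keying on `name` may reject or display inconsistently next to `"UserAgentFuzzer"`. If the intent is a real identifier, the converter should drop non-alphanumeric characters before concatenating the words and these expected values updated accordingly; if the hyphens are deliberate, a comment in the converter explaining that choice would save the next reader from filing the same question. The converter change itself lies outside this file.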
@@ -1488,10 +4334,13 @@
 },
 {
 "id": "40025.2",
- "name": "Proxy Disclosure",
+ "name": "ProxyDisclosure",
 "fullDescription": {
 "text": "1 proxy server(s) were detected or fingerprinted. This information helps a potential attacker to determine - A list of targets for an attack against the application. - Potential vulnerabilities on the proxy servers that service the application. - The presence or absence of any proxy-based components that might cause attacks against the application to be detected, prevented, or mitigated. ."
 },
+ "shortDescription": {
+ "text": "Proxy Disclosure."
+ },
 "relationships": [
 {
 "target": {
@@ -1521,10 +4370,13 @@
 },
 {
 "id": "40027",
- "name": "SQL Injection - MsSQL",
+ "name": "SQLInjection-MsSQL",
 "fullDescription": {
 "text": "SQL injection may be possible."
 },
+ "shortDescription": {
+ "text": "SQL Injection - MsSQL."
+ },
 "defaultConfiguration": {
 "level": "error"
 },
@@ -1557,10 +4409,13 @@ }, { "id": "6", - "name": "Path Traversal", + "name": "PathTraversal", "fullDescription": { "text": "The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.Most web sites restrict user access to a specific portion of the file-system, typically called the \"web document root\" or \"CGI root\" directory. These directories contain the files intended for user access and the executable necessary to drive web application functionality. To access files or execute commands anywhere on the file-system, Path Traversal attacks will utilize the ability of special-characters sequences.The most basic Path Traversal attack uses the \"../\" special-character sequence to alter the resource location requested in the URL. Although most popular web servers will prevent this technique from escaping the web document root, alternate encodings of the \"../\" sequence may help bypass the security filters. These method variations include valid and invalid Unicode-encoding (\"..%u2216\" or \"..%c0%af\") of the forward slash character, backslash characters (\"..\\\") on Windows-based servers, URL encoded characters \"%2e%2e%2f\"), and double URL encoding (\"..%255c\") of the backslash character.Even if the web server properly restricts Path Traversal attempts in the URL path, a web application itself may still be vulnerable due to improper handling of user-supplied input. This is a common problem of web applications that use template mechanisms or load static text from files. In variations of the attack, the original URL parameter value is substituted with the file name of one of the web application's dynamic scripts. 
Consequently, the results can reveal source code because the file is interpreted as text instead of an executable script. These techniques often employ additional special characters such as the dot (\".\") to reveal the listing of the current working directory, or \"%00\" NULL characters in order to bypass rudimentary file extension checks." }, + "shortDescription": { + "text": "Path Traversal." + }, "defaultConfiguration": { "level": "error" }, 
@@ -1593,10 +4448,13 @@
 },
 {
 "id": "7",
- "name": "Remote File Inclusion",
+ "name": "RemoteFileInclusion",
 "fullDescription": {
 "text": "Remote File Include (RFI) is an attack technique used to exploit \"dynamic file include\" mechanisms in web applications. When web applications take user input (URL, parameter value, etc.) and pass them into file include commands, the web application might be tricked into including remote files with malicious code.Almost all web application frameworks support file inclusion. File inclusion is mainly used for packaging common code into separate files that are later referenced by main application modules. When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures. If the choice of module to load is based on elements from the HTTP request, the web application might be vulnerable to RFI.An attacker can use RFI for: * Running malicious code on the server: any code in the included malicious files will be run by the server. If the file include is not executed using some wrapper, code in include files is executed in the context of the server user. This could lead to a complete system compromise. * Running malicious code on clients: the attacker's malicious code can manipulate the content of the response sent to the client. The attacker can embed malicious code in the response that will be run by the client (for example, Javascript to steal the client session cookies).PHP is particularly vulnerable to RFI attacks due to the extensive use of \"file includes\" in PHP programming and due to default server configurations that increase susceptibility to an RFI attack."
 },
+ "shortDescription": {
+ "text": "Remote File Inclusion."
+ },
 "defaultConfiguration": {
 "level": "error"
 },
@@ -1629,10 +4487,13 @@
 },
 {
 "id": "30002",
- "name": "Format String Error",
+ "name": "FormatStringError",
 "fullDescription": {
 "text": "A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. ."
 },
+ "shortDescription": {
+ "text": "Format String Error."
+ },
 "relationships": [
 {
 "target": {
@@ -1669,7 +4530,18 @@
 ]
 }
 },
+ "originalUriBaseIds": {
+ "ROOTPATH": {
+ "uri": "file:///"
+ }
+ },
 "artifacts": [
+ {
+ "location": {
+ "uri": "",
+ "uriBaseId": "ROOTPATH"
+ }
+ },
 {
 "location": {
 "uri": "https://raw.githubusercontent.com/sarif-standard/taxonomies/main/NIST_SP800-53_v5.sarif"
@@ -1682,7 +4554,7 @@
 {
 "location": {
 "uri": "https://raw.githubusercontent.com/sarif-standard/taxonomies/main/NIST_SP800-53_v5.sarif",
- "index": 0
+ "index": 1
 },
 "guid": "AAFBAB93-5201-419E-8443-D4925C542398"
 }