1,146 questions
Exclude CRS rules for some specific URLs
0 votes · 1 answer · 16 views
I am a newcomer to OWASP ModSecurity, and I wanted to know how I should exclude some specific rules for certain URLs.
I've searched and found that I should exclude them in the modsecurity.conf file, ...

How to reduce the overall anomaly score for a specific path when multiple CRS rules fire
0 votes · 0 answers · 22 views
I have introduced modsecurity to protect a wordpress site, but I have no clue on the modsecurity rule language. Setup so far has gone fairly OK; the problem I am facing is that multiple rules are ...
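
Both questions above come down to the same mechanism: a phase-1 rule that matches the request path and uses `ctl:` actions to switch CRS rules (or single rule targets) off, or that raises the blocking threshold for that path only. The following is an added example, not configuration from either post. The paths, the local rule ids and the threshold value are assumptions; the CRS rule ids 942100 (libinjection SQLi) and 941100 (libinjection XSS) are real. The important operational point is placement: `ctl:` actions only affect rules that have not run yet, so these lines belong in `REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf` (or any file included ahead of the CRS rule files), not in `modsecurity.conf` and not after the CRS includes.

```apache
# Added example (not from the questions). Rule exclusions for the OWASP CRS.
# Load this BEFORE the CRS rule files. Ids 1-99,999 are reserved by CRS for
# local rules, so 10001-10003 will not collide with shipped rules.

# 1) Drop one CRS rule entirely for one URL prefix (the blunt instrument).
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:10001,phase:1,pass,nolog,\
    ctl:ruleRemoveById=942100"

# 2) Keep the rule but stop it inspecting one known-noisy parameter.
#    Narrower than 1): other parameters on the same request stay covered.
SecRule REQUEST_URI "@streq /wp-admin/post.php" \
    "id:10002,phase:1,pass,nolog,\
    ctl:ruleRemoveTargetById=942100;ARGS:content,\
    ctl:ruleRemoveTargetById=941100;ARGS:content"

# 3) For the "many low-severity hits add up" case: raise the inbound
#    anomaly threshold for this path instead of removing rules. CRS's default
#    is 5, which means a single critical (5-point) hit blocks; 20 tolerates
#    several notice/warning-level hits on this path and nowhere else.
#    tx.inbound_anomaly_score_threshold is the variable the CRS blocking
#    evaluation rule compares against (CRS 3.x and 4.x).
SecRule REQUEST_URI "@beginsWith /wp-admin/" \
    "id:10003,phase:1,pass,nolog,\
    setvar:tx.inbound_anomaly_score_threshold=20"
```

Before committing any of these, run ModSecurity in `DetectionOnly` for the path, read the audit log to see exactly which rule ids and which parameters fire, and exclude only those; a per-path threshold of 20 still blocks a clear attack (several critical hits), whereas `ctl:ruleRemoveById` on a whole rule removes that protection for every parameter on the matched URLs.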

SQL injection may be possible with parameter __ID__
0 votes · 0 answers · 45 views
I am performing a scan with ZAP on my Nextjs 14 web application and I am encountering this security issue:
Risk Level: High
Vulnerability: SQL Injection - SQLite
Description: SQL ...

How do I mitigate the HTTP Parameter Pollution vulnerability for the Captcha.aspx in the ASP.NET Web Forms application
0 votes · 1 answer · 61 views
We recently scanned our web application using the Tenable web app scanning tool, and that tool detected a medium vulnerability called HTTP Parameter Pollution
That vulnerability detected a specific ...

Blank Pages and Responses when using OWASP CSRF Guard
0 votes · 1 answer · 47 views
I am trying to implement the OWASP CSRF Guard in a web application that I am updating (written in Java 17, running on a tomcat 10.1.25 server). We had been using the ESAPI library, but since we only ...

When I run ZAP locally it runs a complete scan without any issues, but when I run ZAP installed on an EC2 instance it fails with an error
0 votes · 0 answers · 42 views
ZAP can be accessed publicly on the EC2 instance using IP and port.
The error I received:
Proxy error: HTTPConnectionPool(host='10.102.0.156', port=8080): Max retries exceeded with url: http://zap/JSON/...

Is the X-Frame-Options header recommended when the server response is not in HTML format?
0 votes · 1 answer · 42 views
I'm currently auditing an API and all the endpoints are sending me a response in JSON format.
I saw on the OWASP website that only the CSP, Permissions-Policy and Referrer-Policy headers are not ...

Jenkins pipeline using OWASP ZAP
1 vote · 1 answer · 105 views
I have a Jenkins pipeline to continuously build a Python app in a local environment. This is the code:
pipeline {
agent any
stages {
stage('Checkout') {
steps ...

DefectDojo LDAP integration not connected
0 votes · 0 answers · 62 views
I want to connect defectdojo (docker compose) to ldap (active directory), I have followed the documentation https://documentation.defectdojo.com/dev/integrations/ldap-authentication/ and https://django-...

OWASP ZAP not cleaning up after itself
0 votes · 1 answer · 34 views
I am using the OWASP ZAP api scan (zap-api-scan.py) script to scan my api using a swagger specification file. This works great and when the scan has finished I get presented with a nice report.
...

SQL Character Anomaly Detection Error in OWASP CRS with next-auth Callback URL via Google Cloud Armor
0 votes · 1 answer · 124 views
I am encountering an error related to the OWASP Core Rule Set (CRS) when working with the next-auth library for authentication in my application. The error message is as follows:
Signature: owasp-crs-...

Modify an API response in OWASP Juice Shop (Register as a user with administrator privileges)
0 votes · 1 answer · 108 views
OWASP Juice Shop has a challenge to register a user with admin privileges.
To solve the challenge it's necessary to modify the API response; I need to change the 'role' from customer to admin. I have seen ...

Why innerHTML injects data into page if it doesn't use append on body?
1 vote · 1 answer · 45 views
I encountered this seemingly safe function to extract text content from HTML
function getText(html) {
const div = document.createElement('div')
div.innerHTML = html
return div.textContent
}
It ...

Can we perform selective injections as a payload to test vulnerabilities in ZAP with Python?
0 votes · 0 answers · 24 views
We are trying to see a possibility of performing selective injections like SQL injection, XSS injection etc., as a payload in fuzzing to test vulnerabilities in web applications with python.
Use-case:
...

How can I capture request and response details of each attack?
0 votes · 1 answer · 46 views
I'm using Zap Proxy within a Docker container defined by this Dockerfile:
FROM softwaresecurityproject/zap-bare
ENV ZAP_AUTO_UPDATE=false
EXPOSE 9090
CMD ["sh", "-c", "...
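
ZAP already keeps the request and response behind every alert: each alert returned by the `core/view/alerts` API carries a `messageId`, and `core/view/message` returns that message's request/response headers and bodies. The block below is an added example, not code from the question or from the ZAP project: it joins the two views so that each alert record carries its own evidence. The join is a pure function so it can be checked against constructed data; the `main` at the bottom drives a running ZAP through the `zapv2` client (`pip install python-owasp-zap-v2.4`). The ZAP address (port 9090, as in the Dockerfile above), API key and target URL are assumptions.

```python
"""Added example: attach the triggering HTTP request/response to each ZAP alert."""
from typing import Callable, Dict, List


def attach_evidence(alerts: List[dict], fetch_message: Callable[[str], dict]) -> List[dict]:
    """Return a copy of each alert with 'request' and 'response' attached.

    fetch_message(message_id) must return a dict in the shape of ZAP's
    core/view/message view: requestHeader, requestBody, responseHeader,
    responseBody. Several alerts often point at one message (e.g. a
    reflected XSS and a missing-header finding on the same response), so
    each message is fetched once and cached.
    """
    cache: Dict[str, dict] = {}
    enriched: List[dict] = []
    for alert in alerts:
        msg_id = str(alert.get("messageId", ""))
        if msg_id and msg_id not in cache:
            cache[msg_id] = fetch_message(msg_id)
        msg = cache.get(msg_id, {})
        enriched.append({
            **alert,
            "request": msg.get("requestHeader", "") + msg.get("requestBody", ""),
            "response": msg.get("responseHeader", "") + msg.get("responseBody", ""),
        })
    return enriched


# Constructed sample data in the shape ZAP returns; not captured from a scan.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "messageId": "17",
     "url": "http://target.test/search?q=%3Cscript%3E"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "messageId": "17",
     "url": "http://target.test/search?q=%3Cscript%3E"},
]
SAMPLE_MESSAGES = {
    "17": {
        "requestHeader": "GET /search?q=%3Cscript%3E HTTP/1.1\r\nHost: target.test\r\n\r\n",
        "requestBody": "",
        "responseHeader": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
        "responseBody": "<p>Results for <script></p>",
    },
}


def main() -> None:
    """Run against a live ZAP (assumed at 127.0.0.1:9090 with API key 'changeme')."""
    from zapv2 import ZAPv2  # python-owasp-zap-v2.4

    zap = ZAPv2(apikey="changeme",
                proxies={"http": "http://127.0.0.1:9090", "https": "http://127.0.0.1:9090"})
    target = "http://target.test"          # assumed target already scanned by ZAP
    alerts = zap.core.alerts(baseurl=target)
    for a in attach_evidence(alerts, lambda mid: zap.core.message(mid)):
        print(f"[{a['risk']}] {a['alert']} {a['url']}")
        print(a["request"])
        print(a["response"][:500])


if __name__ == "__main__":
    main()
```

For a scripted scan (`zap-api-scan.py` and friends) the same join applies after the run, as long as the session is still loaded; once the container exits the messages are gone unless the scan was told to save the session. `attach_evidence` deliberately takes the fetch function as a parameter so it can be exercised with recorded messages in a test and with the live client in CI.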

Where to store the CSRF token in the frontend for a single page application?
0 votes · 0 answers · 260 views
I have a single page application that sends requests to a backend API after each user interaction (GET, POST....). For authentication, I use a cookie session that the API returns after the login to the ...
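
For a cookie-authenticated SPA the token does not need to be hidden from the page's own JavaScript; it needs to be unreadable and unsendable by other origins. A token bound to the session with an HMAC satisfies that: the SPA fetches it once (or reads it from a non-HttpOnly cookie), keeps it in a JavaScript variable, and sends it in a custom header on every state-changing request; the server recomputes the expected value for the session cookie it received and compares. A cross-site page can make the browser attach the session cookie, but it can neither read the token nor set the custom header, so the request is refused. The block below is an added example of that server-side check, not code from the question; the key, session ids and request shapes are constructed for the illustration.

```python
"""Added example: session-bound CSRF tokens for a cookie-authenticated SPA."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed; rotating it invalidates all tokens
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token valid for this session only; deterministic, so nothing is stored."""
    return hmac.new(key, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, presented: Optional[str], key: bytes = SERVER_KEY) -> bool:
    if not session_id or not presented:
        return False
    # constant-time comparison: a plain == leaks how many leading bytes matched
    return hmac.compare_digest(issue_csrf_token(session_id, key), presented)


def handle(method: str, cookies: Dict[str, str], headers: Dict[str, str]) -> int:
    """Server-side gate for one API request; returns the HTTP status to send."""
    if method in SAFE_METHODS:
        return 200                       # reads carry no CSRF risk
    session_id = cookies.get("session")
    if not session_id:
        return 401
    if not verify_csrf(session_id, headers.get("X-CSRF-Token")):
        return 403
    return 200


def demo() -> Dict[str, int]:
    """Four requests the backend might see; returns their status codes."""
    sid = secrets.token_urlsafe(16)      # constructed session id
    token = issue_csrf_token(sid)        # what the SPA fetched at page load
    return {
        # the SPA: browser attaches the cookie, JS adds the token from memory
        "spa_post": handle("POST", {"session": sid}, {"X-CSRF-Token": token}),
        # cross-site form or fetch: cookie is attached, header cannot be set
        "cross_site_post": handle("POST", {"session": sid}, {}),
        # attacker replays a token minted for their own session
        "foreign_token": handle("POST", {"session": sid},
                                {"X-CSRF-Token": issue_csrf_token("attacker-session")}),
        # plain read with the cookie only
        "read_with_cookie": handle("GET", {"session": sid}, {}),
    }
```

Keeping the token in a JavaScript variable means a full page reload refetches it, which is one cheap GET; it never goes into a URL, and `localStorage` adds nothing since the token is not meant to be secret from the page. Mark the session cookie `SameSite=Lax` as well: that blocks most cross-site POSTs outright, and the header check catches what `SameSite` does not (older browsers, same-site subdomains, cookie tossing).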

Log JWT failures for security monitoring
0 votes · 0 answers · 29 views
Does Spring Security Resource Server with JWT (Servlet stack) allow logging warnings / errors when invalid tokens are received. For example to aid with OWASP API10 (2019) "Insufficient Logging ...

Zap proxy fails to communicate with services on HTTPS?
0 votes · 1 answer · 326 views
I run zap proxy as a service in k8s using the below command:
command: [ "zap.sh" ]
args: [ "-daemon", "-port", "9090", "-config", "...

Displaying Passed tests in MobSF
0 votes · 0 answers · 15 views
Trying to use MobSF for my mobile application OWASP scanning. However, for compliance the company needs a report that shows not only tests that failed, but also tests that have passed, especially for ...

Troubleshooting Zap Docker Image for Authenticated API Scan
1 vote · 1 answer · 169 views
I am trying to conduct an API scan using the ZAP Docker image; despite passing authentication configurations, authenticated endpoints return 404/403 errors. Unauthenticated endpoints scan correctly. ...

How to solve a Permission denied error while trying to generate an OWASP ZAP report using the Full Scan Docker image
0 votes · 1 answer · 264 views
I tried to generate an HTML report of ZAP using the Full Scan Docker image in Jenkins using this stage:
stage('OWASP ZAP Full Scan') {
steps {
script {
sh "sudo docker run -...

ModSecurity WAF log configuration
0 votes · 3 answers · 400 views
I'm using a ModSecurity WAF for my application that is defined within a k8s ingress.
The configuration looks like this:
nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
nginx....

Writing exclude configs for dependency check
1 vote · 1 answer · 84 views
I am using https://github.com/dependency-check/dependency-check-gradle in my Android project.
Where I want to exclude these dependencies
ant-1.10.9.jar (pkg:maven/org.apache.ant/ant@1.10.9, cpe:2.3:a:...

Metrics for comparison of web application security testing tools (DAST)
0 votes · 1 answer · 41 views
I'm currently working on a thesis comparing web application security (WAS) testing tools. I'm struggling to determine which metrics to use for comparison. Could you provide any suggestions for metrics?...

Possibilities of Bypassing the Constructed attributes for input sanitization
0 votes · 0 answers · 30 views
Hello all, I have implemented the following pattern for sanitizing XSS input. Can you help me find any possibility or any payload that could be constructed to bypass the patterns below?
str =...

ZAP proxy converts HTTP requests to HTTPS
0 votes · 1 answer · 375 views
I need to pass the traffic of my Rest-Assured tests to the ZAP proxy (version 2.14.0). I have configured the ZAP proxy as in the picture below and it works well for the HTTPS requests:
However when i try to ...

OWASP Amass Subcommands
0 votes · 2 answers · 534 views
I do not know why Amass only shows 2 commands, Amass Enum and Intel. Why? On GitHub there are more than 2 commands.
My second question: what are FQDN, manage, and the other Amass Enum results? Thank you ...

OWASP ZAP - how to authenticate when there is no login URL, because the form is shown by a dynamic popup?
0 votes · 1 answer · 86 views
I don't know of any method about opening or accessing a dynamic popup.
I checked alternative authenticate methods but I think they would not work here. I am new to this tool but if I could solve this ...

How to run a security check on an Angular project, or how to run OWASP dependency check for an Angular project
0 votes · 1 answer · 129 views
I am not finding the exact procedure to run OWASP dependency check for an Angular project; it would be helpful if anyone could suggest a step-by-step procedure.

MobSF OWASP Benchmark Score
0 votes · 0 answers · 85 views
I am trying to scan my mobile app for the CASA verification. For various reasons I need to use a third party scanner to accomplish this. I am trying to use mobSF, but according to this (https://...

Postman unable to send to OWASP ZAP with the same proxy configuration
0 votes · 1 answer · 214 views
I'm trying to do API vulnerability scanning, but when I send a POST request from Postman, it doesn't get detected by OWASP ZAP or doesn't get sent to OWASP ZAP.
I try to use IP 127.0.0.1 but OWASP ZAP don'...

CWE-73: External Control of File Name or Path
0 votes · 0 answers · 218 views
I'm having issues with CWE-73 regarding parentDir reaching the unzip method.
This class is responsible for unzipping the file and returning the address/name of the file in a temporary folder. I've ...
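
The finding is the classic "zip slip": an entry name such as `../../etc/cron.d/x` is joined to the temporary directory and written wherever the resolved path lands, so the archive's author controls the file name (CWE-73, with CWE-22 as the consequence). The fix the scanner expects is to resolve each entry against the destination and refuse anything that does not stay inside it, before writing a single byte. The block below is an added example of that check in Python, not the Java class from the question; the archives it uses are constructed in memory and labelled as such.

```python
"""Added example: extract a zip only into the intended directory (zip-slip / CWE-73 check)."""
import io
import os
import zipfile
from pathlib import Path
from typing import Dict, List


def contained_target(dest: Path, member_name: str) -> Path:
    """Resolve member_name under dest, or raise ValueError if it would escape."""
    # absolute names and drive letters would discard dest entirely
    if member_name.startswith(("/", "\\")) or os.path.splitdrive(member_name)[0]:
        raise ValueError(f"absolute entry name rejected: {member_name!r}")
    dest_resolved = dest.resolve()
    target = (dest_resolved / member_name).resolve()   # collapses ../ and symlinked dirs
    if dest_resolved not in target.parents:            # also rejects '.' and ''
        raise ValueError(f"entry escapes destination: {member_name!r}")
    return target


def safe_extract(zip_bytes: bytes, dest: Path, max_total_bytes: int = 50 * 1024 * 1024) -> List[str]:
    """Extract into dest and return the relative paths written.

    All names are validated before anything is written, so a bad entry late
    in the archive cannot leave a half-extracted tree behind. Declared sizes
    are attacker-controlled, so the actual inflated bytes are capped too.
    """
    dest.mkdir(parents=True, exist_ok=True)
    written: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        targets = [contained_target(dest, m.filename) for m in members]   # pass 1: validate
        if sum(m.file_size for m in members) > max_total_bytes:
            raise ValueError("archive declares more data than allowed")
        remaining = max_total_bytes
        for info, target in zip(members, targets):                        # pass 2: write
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                while chunk := src.read(64 * 1024):
                    remaining -= len(chunk)
                    if remaining < 0:
                        raise ValueError("archive inflates beyond allowed size")
                    dst.write(chunk)
            written.append(target.relative_to(dest.resolve()).as_posix())
    return written


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an archive in memory (constructed test input, not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)   # writestr keeps names such as '../x' verbatim
    return buf.getvalue()
```

The Java equivalent is the same shape: `File target = new File(parentDir, entry.getName()); if (!target.getCanonicalPath().startsWith(parentDir.getCanonicalPath() + File.separator)) throw ...` before the stream is opened. Validating the whole entry list first, and bounding the inflated size, are the two details that turn the scanner's complaint into a complete fix rather than a suppression.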

How to create "unsafe" environment for JavaScript XSS testing [closed]
-1 votes · 1 answer · 114 views
I am learning about XSS security and how to prevent it. To do that I would like to create vulnerable code and then see how adding security measures would fix it.
I created an html file that accepts ...

cdxgen does not detect the dependency
0 votes · 0 answers · 452 views
I want to get all the dependencies of the project, including build dependencies. For example, my project has a plugin:
plugins {
id("org.jmailen.kotlinter") version "4.2.0"
}
I ...

The API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input
0 votes · 0 answers · 164 views
Following is the implementation in the code:
Gets the truststore location and password from the database:
SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(
...

Bicep code to deploy WAF policy for Azure Application gateway
1 vote · 1 answer · 463 views
I am trying to deploy a WAF policy for Application gateway with bicep. It should contain OWASP rule set 3.2. My code is as below:
param wafPolicyName string = 'mypolicy'
param location string = '...

OWASP Java HTML Sanitizer - rel attribute on a element
0 votes · 0 answers · 217 views
I'm using the OWASP Java HTML Sanitizer to sanitize HTML input.
The problem is that the "rel" attribute values "noopener" and "noreferrer" are duplicated or removed by the ...

How can I integrate OWASP ZAP with Cypress to run both together and get the ZAP test result and OWASP ZAP result at the same time? [closed]
-1 votes · 1 answer · 176 views
I want to integrate OWASP ZAP and Cypress together in such a way that when I run cypress e2e test it should run the zap test as well and give me the list of vulnerabilities that are present in my ...

OWASP ZAP Scan tool doesn't support requests in XML format
0 votes · 1 answer · 238 views
I want to perform a scan using ZAP tool and generate report using CI pipeline.
The .Net Web API accepts requests and returns responses in XML format.
The API works fine.
Whenever I run the ZAP tool I ...

How to separate updating CVE database from scanning in owasp dependency check Maven plugin?
1 vote · 0 answers · 404 views
I have a pom.xml with an OWASP dependency check profile:
<!-- Profile to run owasp security checks. To activate, use -Dowasp=true -->
<profile>
<id>owasp-security-...

How can I use CSRF tokens with Apollo-Server?
0 votes · 1 answer · 420 views
We are currently developing a global content / e-commerce platform for a customer.
The website runs on Next.js and has an Apollo Server as API Gateway which runs integrated with Next.js on the same ...

Allowing "//" in URL. Any security standards for URL definition?
0 votes · 1 answer · 32 views
I am allowing '\api\v3\getDetails' in my API Definition.xml. Are there any standards to define a URL? Are there any security impacts when allowing these types of definitions?
Security Standard for ...

Unable to run OWASP dependencyCheck
2 votes · 2 answers · 2k views
Unable to run OWASP dependencyCheck and it throws the following error
id 'org.owasp.dependencycheck' version '9.0.5'
./gradlew dependencyCheckAnalyze
Region [NODEAUDIT] : Not alive and dispose was ...

How to check for an XXE (XML External Entities) vulnerability using OWASP
0 votes · 1 answer · 152 views
I'm new to security testing. Could you please help me with how to find the XML external entity using OWASP ZAP?
What steps should I take? I've reviewed the tutorials, but they haven't been helpful for ...

Getting error fsockopen(): Unable to connect to 127.0.0.1:389
0 votes · 0 answers · 71 views
I'm new to OWASP and Mutillidae; while trying to access Mutillidae I'm getting this error. Please help me resolve this.
fsockopen(): Unable to connect to 127.0.0.1:389 (A connection attempt failed ...

ZAP baseline scan doesn't generate report [closed]
0 votes · 1 answer · 472 views
I'm running the example scan from the docs page:
docker run --rm -v /home/zap:/zap/wrk/:rw -t ghcr.io/zaproxy/zaproxy:stable zap-full-scan.py -t https://www.example.com -r testreport.html
The scan ...

Is there any way to use the ZAP Token Generation and Analysis add-on in an automated way
0 votes · 1 answer · 109 views
I'm trying to automate some security tests through ZAP and I would like to know if there is any possible way to use the ZAP Add-on: Token Generation and Analysis in an automated scenario?
I checked ...

Using OWASP ZAP version 2.13.0 how to perform an "automatic scan" on a webpage that returns a 404 error?
1 vote · 1 answer · 180 views
I have installed OWASP ZAP version 2.13.0 on my local computer. How do I perform an automatic scan on a webpage that returns a 404 error?

OWASP ZAP baseline scan returns unexpected error 1 in CI/CD pipeline
0 votes · 3 answers · 620 views
I am using a docker image from OWASP in my pipeline to scan my web app and produce an HTML report, and I am encountering a problem I've spent the whole day trying to solve.
When running the scan job, ...
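
Three of the questions on this page (the Permission denied report, the missing baseline report, and "unexpected error 1") are the same two pipeline facts seen from different angles. First, the ZAP image runs as the `zap` user, and `-r report.html` writes into `/zap/wrk`, so the host directory mounted there must be writable by that user or the report step fails; with `-v /home/zap:/zap/wrk/:rw ... -r testreport.html` the report, if written, is `/home/zap/testreport.html` on the host. Second, the exit status of `zap-baseline.py`, `zap-full-scan.py` and `zap-api-scan.py` is a verdict, not a crash: 0 means no FAIL or WARN findings, 1 means at least one FAIL, 2 means WARN findings only, 3 means the scan itself did not complete. CI systems turn any non-zero status into a failed job, so a pipeline has to decide deliberately what to do with 1 and 2. The block below is an added example of a wrapper that handles both; it is not from any of the questions or from the ZAP project. The image tag, target and paths are assumptions, and making the work directory world-writable is the simplest portable fix for the uid mismatch (use a directory owned by uid 1000 if your CI allows it).

```python
"""Added example: run a ZAP packaged scan from Docker in CI and act on its exit code."""
import stat
import subprocess
from pathlib import Path
from typing import Dict, List, Sequence, Tuple

ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"          # assumed image
EXIT_MEANING: Dict[int, str] = {0: "pass", 1: "fail", 2: "warn", 3: "error"}


def classify_exit(code: int) -> str:
    """Map a packaged-scan exit status to its documented meaning."""
    return EXIT_MEANING.get(code, "unknown")


def build_should_fail(code: int, fail_on_warn: bool = False) -> bool:
    """Pipeline policy: FAIL findings and broken scans fail the build; WARN is configurable."""
    verdict = classify_exit(code)
    if verdict == "warn":
        return fail_on_warn
    return verdict != "pass"            # fail, error and unknown all fail the build


def prepare_workdir(workdir: Path) -> Path:
    """Create the directory mounted on /zap/wrk and make it writable for the container's user.

    The image runs as 'zap' (uid 1000), which rarely matches the CI user, so
    the report write fails with Permission denied unless the directory allows it.
    """
    workdir.mkdir(parents=True, exist_ok=True)
    mode = workdir.stat().st_mode
    workdir.chmod(mode | stat.S_IWOTH | stat.S_IXOTH)
    return workdir


def build_command(target: str, workdir: Path, report: str = "zap-report.html",
                  script: str = "zap-baseline.py", extra: Sequence[str] = ()) -> List[str]:
    """docker invocation; -r is relative to /zap/wrk, i.e. to workdir on the host."""
    return ["docker", "run", "--rm",
            "-v", f"{workdir.resolve()}:/zap/wrk/:rw",
            "-t", ZAP_IMAGE, script,
            "-t", target, "-r", report, *extra]


def run_scan(target: str, workdir: Path, fail_on_warn: bool = False, **kwargs) -> Tuple[int, str, bool]:
    """Run the scan; returns (exit code, meaning, whether the build should fail)."""
    cmd = build_command(target, prepare_workdir(workdir), **kwargs)
    code = subprocess.run(cmd).returncode
    return code, classify_exit(code), build_should_fail(code, fail_on_warn)


if __name__ == "__main__":
    code, meaning, failed = run_scan("https://www.example.com", Path("zap-work"))
    print(f"zap exit {code} ({meaning}); report in zap-work/; build failed: {failed}")
    raise SystemExit(1 if failed else 0)
```

Two further points for the "error 1" case: an exit status of 1 means the scan ran and found something it rates FAIL, so the report was written and the answer is in it, not in the container log; and for the full scan in Jenkins the usual cause of a missing report is `sudo docker run` without the volume mount at all, in which case the report is written inside the container and discarded with `--rm`.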

XSS prevention in JSP [duplicate]
0 votes · 0 answers · 40 views
XSS is a well-known vulnerability in JSP. There is a lot of information on the web (and on Stack Overflow) about preventing XSS in JSP.
I have found that printing user input with <c:out> is the most commonly ...