
dbat-dev-al-jobs Scan Report

Project Name: dbat-dev-al-jobs
Scan Start: Thursday, September 29, 2022 7:32:10 PM
Preset: Checkmarx Default
Scan Time: 00h:05m:02s
Lines Of Code Scanned: 72932
Files Scanned: 281
Report Creation Time: Thursday, September 29, 2022 7:38:12 PM
Online Results: https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265
Team: Dbat Team CICD
Checkmarx Version: V 9.4.3 HF13
Scan Type: Full
Source Origin: LocalPath
Density: 2/10000 (Vulnerabilities/LOC)
Visibility: Public

Filter Settings
Severity
Included: High, Medium, Low, Information
Excluded: None
Result State
Included: To Verify, Not Exploitable, Confirmed, Urgent, Proposed Not Exploitable
Excluded: None
Assigned to
Included: All
Categories
Included:
Uncategorized: All
Custom: All
PCI DSS v3.2.1: All
OWASP Top 10 2013: All
FISMA 2014: All
NIST SP 800-53: All
OWASP Top 10 2017: All
OWASP Mobile Top 10 2016: All
ASD STIG 4.10: All
OWASP Top 10 API: All
OWASP Top 10 2010: All
OWASP Top 10 2021: All
Excluded:
Uncategorized: None
Custom: None
PCI DSS v3.2.1: None
OWASP Top 10 2013: None
FISMA 2014: None
NIST SP 800-53: None
OWASP Top 10 2017: None
OWASP Mobile Top 10 2016: None
ASD STIG 4.10: None
OWASP Top 10 API: None
OWASP Top 10 2010: None
OWASP Top 10 2021: None

PAGE 1 OF 42

Results Limit
Results limit per query was set to 50
Selected Queries
Selected queries are listed in Result Summary

Result Summary - Most Vulnerable Files

(Chart) Most vulnerable files, by severity (High, Medium, Low): index.html, mockServiceWorker.js, index.tsx

Top 5 Vulnerabilities

(Chart)

Scan Summary - OWASP Top 10 2017
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2017

Category | Threat Agent | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact | Issues Found | Best Fix Locations
A1-Injection | App. Specific | EASY | COMMON | EASY | SEVERE | App. Specific | 4 | 2
A2-Broken Authentication | App. Specific | EASY | COMMON | AVERAGE | SEVERE | App. Specific | 0 | 0
A3-Sensitive Data Exposure | App. Specific | AVERAGE | WIDESPREAD | AVERAGE | SEVERE | App. Specific | 0 | 0
A4-XML External Entities (XXE) | App. Specific | AVERAGE | COMMON | EASY | SEVERE | App. Specific | 0 | 0
A5-Broken Access Control* | App. Specific | AVERAGE | COMMON | AVERAGE | SEVERE | App. Specific | 0 | 0
A6-Security Misconfiguration | App. Specific | EASY | WIDESPREAD | EASY | MODERATE | App. Specific | 0 | 0
A7-Cross-Site Scripting (XSS)* | App. Specific | EASY | WIDESPREAD | EASY | MODERATE | App. Specific | 0 | 0
A8-Insecure Deserialization | App. Specific | DIFFICULT | COMMON | AVERAGE | SEVERE | App. Specific | 0 | 0
A9-Using Components with Known Vulnerabilities | App. Specific | AVERAGE | WIDESPREAD | AVERAGE | MODERATE | App. Specific | 1 | 1
A10-Insufficient Logging & Monitoring | App. Specific | AVERAGE | WIDESPREAD | DIFFICULT | MODERATE | App. Specific | 0 | 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.

Scan Summary - OWASP Top 10 2021

Category | Issues Found | Best Fix Locations
A1-Broken Access Control* | 0 | 0
A2-Cryptographic Failures | 0 | 0
A3-Injection* | 0 | 0
A4-Insecure Design | 0 | 0
A5-Security Misconfiguration | 0 | 0
A6-Vulnerable and Outdated Components | 1 | 1
A7-Identification and Authentication Failures* | 0 | 0
A8-Software and Data Integrity Failures* | 5 | 5
A9-Security Logging and Monitoring Failures | 4 | 2
A10-Server-Side Request Forgery | 0 | 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.

Scan Summary - OWASP Top 10 2013
Further details and elaboration about vulnerabilities and risks can be found at: OWASP Top 10 2013

Category | Threat Agent | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impact | Business Impact | Issues Found | Best Fix Locations
A1-Injection | EXTERNAL, INTERNAL, ADMIN USERS | EASY | COMMON | AVERAGE | SEVERE | ALL DATA | 0 | 0
A2-Broken Authentication and Session Management | EXTERNAL, INTERNAL USERS | AVERAGE | WIDESPREAD | AVERAGE | SEVERE | AFFECTED DATA AND FUNCTIONS | 0 | 0
A3-Cross-Site Scripting (XSS)* | EXTERNAL, INTERNAL, ADMIN USERS | AVERAGE | VERY WIDESPREAD | EASY | MODERATE | AFFECTED DATA AND SYSTEM | 0 | 0
A4-Insecure Direct Object References* | SYSTEM USERS | EASY | COMMON | EASY | MODERATE | EXPOSED DATA | 0 | 0
A5-Security Misconfiguration | EXTERNAL, INTERNAL, ADMIN USERS | EASY | COMMON | EASY | MODERATE | ALL DATA AND SYSTEM | 0 | 0
A6-Sensitive Data Exposure | EXTERNAL, INTERNAL, ADMIN USERS, USERS BROWSERS | DIFFICULT | UNCOMMON | AVERAGE | SEVERE | EXPOSED DATA | 0 | 0
A7-Missing Function Level Access Control | EXTERNAL, INTERNAL USERS | EASY | COMMON | AVERAGE | MODERATE | EXPOSED DATA AND FUNCTIONS | 0 | 0
A8-Cross-Site Request Forgery (CSRF)* | USERS BROWSERS | AVERAGE | COMMON | EASY | MODERATE | AFFECTED DATA AND FUNCTIONS | 0 | 0
A9-Using Components with Known Vulnerabilities | EXTERNAL USERS, AUTOMATED TOOLS | AVERAGE | WIDESPREAD | DIFFICULT | MODERATE | AFFECTED DATA AND FUNCTIONS | 0 | 0
A10-Unvalidated Redirects and Forwards | USERS BROWSERS | AVERAGE | WIDESPREAD | DIFFICULT | MODERATE | AFFECTED DATA AND FUNCTIONS | 0 | 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.

Scan Summary - PCI DSS v3.2.1

Category | Issues Found | Best Fix Locations
PCI DSS (3.2.1) - 6.5.1 - Injection flaws - particularly SQL injection | 0 | 0
PCI DSS (3.2.1) - 6.5.2 - Buffer overflows | 0 | 0
PCI DSS (3.2.1) - 6.5.3 - Insecure cryptographic storage | 0 | 0
PCI DSS (3.2.1) - 6.5.4 - Insecure communications | 0 | 0
PCI DSS (3.2.1) - 6.5.5 - Improper error handling | 0 | 0
PCI DSS (3.2.1) - 6.5.7 - Cross-site scripting (XSS) | 0 | 0
PCI DSS (3.2.1) - 6.5.8 - Improper access control | 0 | 0
PCI DSS (3.2.1) - 6.5.9 - Cross-site request forgery* | 0 | 0
PCI DSS (3.2.1) - 6.5.10 - Broken authentication and session management | 0 | 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.

Scan Summary - FISMA 2014

Category | Description | Issues Found | Best Fix Locations
Access Control | Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. | 0 | 0
Audit And Accountability | Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. | 0 | 0
Configuration Management | Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems. | 1 | 1
Identification And Authentication | Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | 0 | 0
Media Protection | Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse. | 0 | 0
System And Communications Protection | Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. | 0 | 0
System And Information Integrity* | Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response. | 4 | 2

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.

Scan Summary - NIST SP 800-53

Category | Issues Found | Best Fix Locations
AC-12 Session Termination (P2) | 0 | 0
AC-3 Access Enforcement (P1) | 0 | 0
AC-4 Information Flow Enforcement (P1) | 0 | 0
AC-6 Least Privilege (P1) | 0 | 0
AU-9 Protection of Audit Information (P1) | 4 | 2
CM-6 Configuration Settings (P2) | 0 | 0
IA-5 Authenticator Management (P1) | 0 | 0
IA-6 Authenticator Feedback (P2) | 0 | 0
IA-8 Identification and Authentication (Non-Organizational Users) (P1) | 0 | 0
SC-12 Cryptographic Key Establishment and Management (P1) | 0 | 0
SC-13 Cryptographic Protection (P1) | 0 | 0
SC-17 Public Key Infrastructure Certificates (P1) | 0 | 0
SC-18 Mobile Code (P2) | 5 | 5
SC-23 Session Authenticity (P1)* | 0 | 0
SC-28 Protection of Information at Rest (P1) | 0 | 0
SC-4 Information in Shared Resources (P1) | 0 | 0
SC-5 Denial of Service Protection (P1) | 0 | 0
SC-8 Transmission Confidentiality and Integrity (P1) | 1 | 1
SI-10 Information Input Validation (P1)* | 0 | 0
SI-11 Error Handling (P2) | 0 | 0
SI-15 Information Output Filtering (P0)* | 0 | 0
SI-16 Memory Protection (P1) | 0 | 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.

Scan Summary - OWASP Mobile Top 10 2016

Category | Description | Issues Found | Best Fix Locations
M1-Improper Platform Usage | This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. There are several ways that mobile apps can experience this risk. | 0 | 0
M2-Insecure Data Storage | This category covers insecure data storage and unintended data leakage. | 0 | 0
M3-Insecure Communication | This category covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc. | 0 | 0
M4-Insecure Authentication | This category captures notions of authenticating the end user or bad session management. This can include: failing to identify the user at all when that should be required; failure to maintain the user's identity when it is required; weaknesses in session management. | 0 | 0
M5-Insufficient Cryptography | The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly. | 0 | 0
M6-Insecure Authorization | This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.). If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure, not an authorization failure. | 0 | 0
M7-Client Code Quality | This category is the catch-all for code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device. | 0 | 0
M8-Code Tampering | This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification. Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain. | 0 | 0
M9-Reverse Engineering | This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back end servers, cryptographic constants and ciphers, and intellectual property. | 0 | 0
M10-Extraneous Functionality | Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing. | 0 | 0

Scan Summary - Custom

Category | Issues Found | Best Fix Locations
Must audit | 0 | 0
Check | 0 | 0
Optional | 0 | 0

Scan Summary - ASD STIG 4.10

Category | Issues Found | Best Fix Locations
APSC-DV-000640 - CAT II The application must provide audit record generation capability for the renewal of session IDs. | 0 | 0
APSC-DV-000650 - CAT II The application must not write sensitive data into the application logs. | 0 | 0
APSC-DV-000660 - CAT II The application must provide audit record generation capability for session timeouts. | 0 | 0
APSC-DV-000670 - CAT II The application must record a time stamp indicating when the event occurred. | 0 | 0
APSC-DV-000680 - CAT II The application must provide audit record generation capability for HTTP headers including User-Agent, Referer, GET, and POST. | 0 | 0
APSC-DV-000690 - CAT II The application must provide audit record generation capability for connecting system IP addresses. | 0 | 0
APSC-DV-000700 - CAT II The application must record the username or user ID of the user associated with the event. | 0 | 0
APSC-DV-000710 - CAT II The application must generate audit records when successful/unsuccessful attempts to grant privileges occur. | 0 | 0
APSC-DV-000720 - CAT II The application must generate audit records when successful/unsuccessful attempts to access security objects occur. | 0 | 0
APSC-DV-000730 - CAT II The application must generate audit records when successful/unsuccessful attempts to access security levels occur. | 0 | 0
APSC-DV-000740 - CAT II The application must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. | 0 | 0
APSC-DV-000750 - CAT II The application must generate audit records when successful/unsuccessful attempts to modify privileges occur. | 0 | 0
APSC-DV-000760 - CAT II The application must generate audit records when successful/unsuccessful attempts to modify security objects occur. | 0 | 0
APSC-DV-000770 - CAT II The application must generate audit records when successful/unsuccessful attempts to modify security levels occur. | 0 | 0
APSC-DV-000780 - CAT II The application must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. | 0 | 0
APSC-DV-000790 - CAT II The application must generate audit records when successful/unsuccessful attempts to delete privileges occur. | 0 | 0
APSC-DV-000800 - CAT II The application must generate audit records when successful/unsuccessful attempts to delete security levels occur. | 0 | 0
APSC-DV-000810 - CAT II The application must generate audit records when successful/unsuccessful attempts to delete application database security objects occur. | 0 | 0
APSC-DV-000820 - CAT II The application must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. | 0 | 0
APSC-DV-000830 - CAT II The application must generate audit records when successful/unsuccessful logon attempts occur. | 0 | 0
APSC-DV-000840 - CAT II The application must generate audit records for privileged activities or other system-level access. | 0 | 0
APSC-DV-000850 - CAT II The application must generate audit records showing starting and ending time for user access to the system. | 0 | 0
APSC-DV-000860 - CAT II The application must generate audit records when successful/unsuccessful accesses to objects occur. | 0 | 0
APSC-DV-000870 - CAT II The application must generate audit records for all direct access to the information system. | 0 | 0
APSC-DV-000880 - CAT II The application must generate audit records for all account creations, modifications, disabling, and termination events. | 0 | 0
APSC-DV-000910 - CAT II The application must initiate session auditing upon startup. | 0 | 0
APSC-DV-000940 - CAT II The application must log application shutdown events. | 0 | 0
APSC-DV-000950 - CAT II The application must log destination IP addresses. | 0 | 0
APSC-DV-000960 - CAT II The application must log user actions involving access to data. | 0 | 0
APSC-DV-000970 - CAT II The application must log user actions involving changes to data. | 0 | 0
APSC-DV-000980 - CAT II The application must produce audit records containing information to establish when (date and time) the events occurred. | 0 | 0
APSC-DV-000990 - CAT II The application must produce audit records containing enough information to establish which component, feature or function of the application triggered the audit event. | 0 | 0
APSC-DV-001000 - CAT II When using centralized logging; the application must include a unique identifier in order to distinguish itself from other application logs. | 0 | 0
APSC-DV-001010 - CAT II The application must produce audit records that contain information to establish the outcome of the events. | 0 | 0
APSC-DV-001020 - CAT II The application must generate audit records containing information that establishes the identity of any individual or process associated with the event. | 0 | 0
APSC-DV-001030 - CAT II The application must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. | 0 | 0
APSC-DV-001040 - CAT II The application must implement transaction recovery logs when transaction based. | 0 | 0
APSC-DV-001050 - CAT II The application must provide centralized management and configuration of the content to be captured in audit records generated by all application components. | 0 | 0
APSC-DV-001070 - CAT II The application must off-load audit records onto a different system or media than the system being audited. | 0 | 0
APSC-DV-001080 - CAT II The application must be configured to write application logs to a centralized log repository. | 0 | 0
APSC-DV-001090 - CAT II The application must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. | 0 | 0
APSC-DV-001100 - CAT II Applications categorized as having a moderate or high impact must provide an immediate real-time alert to the SA and ISSO (at a minimum) for all audit failure events. | 0 | 0
APSC-DV-001110 - CAT II The application must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | 0 | 0
APSC-DV-001120 - CAT II The application must shut down by default upon audit failure (unless availability is an overriding concern). | 0 | 0
APSC-DV-001130 - CAT II The application must provide the capability to centrally review and analyze audit records from multiple components within the system. | 0 | 0
APSC-DV-001140 - CAT II The application must provide the capability to filter audit records for events of interest based upon organization-defined criteria. | 0 | 0
APSC-DV-001150 - CAT II The application must provide an audit reduction capability that supports on-demand reporting requirements. | 0 | 0
APSC-DV-001160 - CAT II The application must provide an audit reduction capability that supports on-demand audit review and analysis. | 0 | 0
APSC-DV-001170 - CAT II The application must provide an audit reduction capability that supports after-the-fact investigations of security incidents. | 0 | 0
APSC-DV-001180 - CAT II The application must provide a report generation capability that supports on-demand audit review and analysis. | 0 | 0
APSC-DV-001190 - CAT II The application must provide a report generation capability that supports on-demand reporting requirements. | 0 | 0
APSC-DV-001200 - CAT II The application must provide a report generation capability that supports after-the-fact investigations of security incidents. | 0 | 0
APSC-DV-001210 - CAT II The application must provide an audit reduction capability that does not alter original content or time ordering of audit records. | 0 | 0
APSC-DV-001220 - CAT II The application must provide a report generation capability that does not alter original content or time ordering of audit records. | 0 | 0
APSC-DV-001250 - CAT II The applications must use internal system clocks to generate time stamps for audit records. | 0 | 0
APSC-DV-001260 - CAT II The application must record time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | 0 | 0
APSC-DV-001270 - CAT II The application must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. | 0 | 0
APSC-DV-001280 - CAT II The application must protect audit information from any type of unauthorized read access. | 0 | 0
APSC-DV-001290 - CAT II The application must protect audit information from unauthorized modification. | 0 | 0
APSC-DV-001300 - CAT II The application must protect audit information from unauthorized deletion. | 0 | 0
APSC-DV-001310 - CAT II The application must protect audit tools from unauthorized access. | 0 | 0
APSC-DV-001320 - CAT II The application must protect audit tools from unauthorized modification. | 0 | 0
APSC-DV-001330 - CAT II The application must protect audit tools from unauthorized deletion. | 0 | 0
APSC-DV-001340 - CAT II The application must back up audit records at least every seven days onto a different system or system component than the system or component being audited. | 0 | 0
APSC-DV-001570 - CAT II The application must electronically verify Personal Identity Verification (PIV) credentials. | 0 | 0
APSC-DV-001350 - CAT II The application must use cryptographic mechanisms to protect the integrity of audit information. | 0 | 0
APSC-DV-001360 - CAT II Application audit tools must be cryptographically hashed. | 0 | 0
APSC-DV-001370 - CAT II The integrity of the audit tools must be validated by checking the files for changes in the cryptographic hash value. | 0 | 0
APSC-DV-001390 - CAT II The application must prohibit user installation of software without explicit privileged status. | 0 | 0
APSC-DV-001410 - CAT II The application must enforce access restrictions associated with changes to application configuration. | 0 | 0
APSC-DV-001420 - CAT II The application must audit who makes configuration changes to the application. | 0 | 0
APSC-DV-001430 - CAT II The application must have the capability to prevent the installation of patches, service packs, or application components without verification the software component has been digitally signed using a certificate that is recognized and approved by the orga | 0 | 0
APSC-DV-001440 - CAT II The applications must limit privileges to change the software resident within software libraries. | 0 | 0
APSC-DV-001460 - CAT II An application vulnerability assessment must be conducted. | 0 | 0
APSC-DV-001480 - CAT II The application must prevent program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. | 0 | 0
APSC-DV-001490 - CAT II The application must employ a deny-all, permit-by-exception (whitelist) policy to allow the execution of authorized software programs. | 0 | 0
APSC-DV-001500 - CAT II The application must be configured to disable non-essential capabilities. | 0 | 0
APSC-DV-001510 - CAT II The application must be configured to use only functions, ports, and protocols permitted to it in the PPSM CAL. | 0 | 0
APSC-DV-001520 - CAT II The application must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. | 0 | 0
APSC-DV-001530 - CAT II The application must require devices to reauthenticate when organization-defined circumstances or situations requiring reauthentication. | 0 | 0
APSC-DV-001540 - CAT I The application must uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users). | 0 | 0
APSC-DV-001550 - CAT II The application must use multifactor (Alt. Token) authentication for network access to privileged accounts. | 0 | 0
APSC-DV-001560 - CAT II The application must accept Personal Identity Verification (PIV) credentials. | 0 | 0
APSC-DV-001580 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for network access to non-privileged accounts. | 0 | 0
APSC-DV-001590 - CAT II The application must use multifactor (Alt. Token) authentication for local access to privileged accounts. | 0 | 0
APSC-DV-001600 - CAT II The application must use multifactor (e.g., CAC, Alt. Token) authentication for local access to non-privileged accounts. | 0 | 0
APSC-DV-001610 - CAT II The application must ensure users are authenticated with an individual authenticator prior to using a group authenticator. | 0 | 0
APSC-DV-001620 - CAT II The application must implement replay-resistant authentication mechanisms for network access to privileged accounts. | 0 | 0
APSC-DV-001630 - CAT II The application must implement replay-resistant authentication mechanisms for network access to non-privileged accounts. | 0 | 0
APSC-DV-001640 - CAT II The application must utilize mutual authentication when endpoint device non-repudiation protections are required by DoD policy or by the data owner. | 0 | 0
APSC-DV-001650 - CAT II The application must authenticate all network connected endpoint devices before establishing any connection. | 0 | 0
APSC-DV-001660 - CAT II Service-Oriented Applications handling non-releasable data must authenticate endpoint devices via mutual SSL/TLS. | 0 | 0
APSC-DV-001670 - CAT II The application must disable device identifiers after 35 days of inactivity unless a cryptographic certificate is used for authentication. | 0 | 0
APSC-DV-001680 - CAT I The application must enforce a minimum 15-character password length. | 0 | 0
APSC-DV-001690 - CAT II The application must enforce password complexity by requiring that at least one upper-case character be used. | 0 | 0
APSC-DV-001700 - CAT II The application must enforce password complexity by requiring that at least one lower-case character be used. | 0 | 0
APSC-DV-001710 - CAT II The application must enforce password complexity by requiring that at least one numeric character be used. | 0 | 0
APSC-DV-001720 - CAT II The application must enforce password complexity by requiring that at least one special character be used. | 0 | 0
APSC-DV-001730 - CAT II The application must require the change of at least 8 of the total number of characters when passwords are changed. | 0 | 0
APSC-DV-001740 - CAT I The application must only store cryptographic representations of passwords. | 0 | 0
APSC-DV-001850 - CAT I The application must not display passwords/PINs as clear text. | 0 | 0
APSC-DV-001750 - CAT I The application must transmit only cryptographically-protected passwords. | 0 | 0
APSC-DV-001760 - CAT II The application must enforce 24 hours/1 day as the minimum password lifetime. | 0 | 0
APSC-DV-001770 - CAT II The application must enforce a 60-day maximum password lifetime restriction. | 0 | 0
APSC-DV-001780 - CAT II The application must prohibit password reuse for a minimum of five generations. | 0 | 0
APSC-DV-001790 - CAT II The application must allow the use of a temporary password for
0 0
system logons with an immediate change to a permanent password.

APSC-DV-001795 - CAT II The application password must not be changeable by users other
0 0
than the administrator or the user with which the password is associated.

APSC-DV-001800 - CAT II The application must terminate existing user sessions upon
0 0
account deletion.

APSC-DV-001820 - CAT I The application, when using PKI-based authentication, must


0 0
enforce authorized access to the corresponding private key.

APSC-DV-001830 - CAT II The application must map the authenticated identity to the individual user or group account for PKI-based authentication. 0 0

APSC-DV-001870 - CAT II The application must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). 0 0

APSC-DV-001810 - CAT I The application, when utilizing PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. 0 0

APSC-DV-001840 - CAT II The application, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. 0 0

APSC-DV-001860 - CAT II The application must use mechanisms meeting the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. 0 0

APSC-DV-001880 - CAT II The application must accept Personal Identity Verification (PIV) credentials from other federal agencies. 0 0

APSC-DV-001890 - CAT II The application must electronically verify Personal Identity Verification (PIV) credentials from other federal agencies. 0 0

APSC-DV-002050 - CAT II Applications making SAML assertions must use FIPS-approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement. 0 0

APSC-DV-001900 - CAT II The application must accept FICAM-approved third-party credentials. 0 0

APSC-DV-001910 - CAT II The application must conform to FICAM-issued profiles. 0 0

APSC-DV-001930 - CAT II Applications used for non-local maintenance sessions must audit non-local maintenance and diagnostic sessions for organization-defined auditable events. 0 0

APSC-DV-000310 - CAT III The application must have a process, feature or function that prevents removal or disabling of emergency accounts. 0 0

APSC-DV-001940 - CAT II Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the integrity of non-local maintenance and diagnostic communications. 0 0

APSC-DV-001950 - CAT II Applications used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications. 0 0

APSC-DV-001960 - CAT II Applications used for non-local maintenance sessions must verify remote disconnection at the termination of non-local maintenance and diagnostic sessions. 0 0

APSC-DV-001970 - CAT II The application must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. 0 0

APSC-DV-001980 - CAT II The application must terminate all sessions and network connections when non-local maintenance is completed. 0 0

APSC-DV-001995 - CAT II The application must not be vulnerable to race conditions. 0 0

APSC-DV-002000 - CAT II The application must terminate all network connections associated with a communications session at the end of the session. 0 0

APSC-DV-002010 - CAT II The application must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. 0 0

APSC-DV-002020 - CAT II The application must utilize FIPS-validated cryptographic modules when signing application components. 0 0

APSC-DV-002030 - CAT II The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes. 0 0

APSC-DV-002040 - CAT II The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection. 0 0

APSC-DV-002150 - CAT II The application user interface must be either physically or logically separated from data storage and management interfaces. 0 0

APSC-DV-002210 - CAT II The application must set the HTTPOnly flag on session cookies. 0 0

APSC-DV-002220 - CAT II The application must set the secure flag on session cookies. 0 0

APSC-DV-002230 - CAT I The application must not expose session IDs. 0 0

APSC-DV-002240 - CAT I The application must destroy the session ID value and/or cookie on logoff or browser close. 0 0

APSC-DV-002250 - CAT II Applications must use system-generated session identifiers that protect against session fixation. 0 0

APSC-DV-002260 - CAT II Applications must validate session identifiers. 0 0

APSC-DV-002270 - CAT II Applications must not use URL embedded session IDs. 0 0

APSC-DV-002280 - CAT II The application must not re-use or recycle session IDs. 0 0

APSC-DV-002290 - CAT II The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality. 0 0

APSC-DV-002300 - CAT II The application must only allow the use of DoD-approved certificate authorities for verification of the establishment of protected sessions. 0 0

APSC-DV-002310 - CAT I The application must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. 0 0

APSC-DV-002320 - CAT II In the event of a system failure, applications must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes. 0 0

APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner. 1 1

APSC-DV-002340 - CAT II The application must implement approved cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components. 0 0

APSC-DV-002350 - CAT II The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy. 0 0

APSC-DV-002360 - CAT II The application must isolate security functions from non-security functions. 0 0

APSC-DV-002370 - CAT II The application must maintain a separate execution domain for each executing process. 0 0

APSC-DV-002380 - CAT II Applications must prevent unauthorized and unintended information transfer via shared system resources. 0 0

APSC-DV-002390 - CAT II XML-based applications must mitigate DoS attacks by using XML filters, parser options, or gateways. 0 0

APSC-DV-002400 - CAT II The application must restrict the ability to launch Denial of Service (DoS) attacks against itself or other information systems. 0 0

APSC-DV-002410 - CAT II The web service design must include redundancy mechanisms when used with high-availability systems. 0 0

APSC-DV-002420 - CAT II An XML firewall function must be deployed to protect web services when exposed to untrusted networks. 0 0

APSC-DV-002610 - CAT II The application must remove organization-defined software components after updated versions have been installed. 0 0

APSC-DV-002440 - CAT I The application must protect the confidentiality and integrity of transmitted information. 0 0

APSC-DV-002450 - CAT II The application must implement cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by alternative physical safeguards, such as, at a minimum, a Prot 0 0

APSC-DV-002460 - CAT II The application must maintain the confidentiality and integrity of information during preparation for transmission. 0 0

APSC-DV-002470 - CAT II The application must maintain the confidentiality and integrity of information during reception. 0 0

APSC-DV-002480 - CAT II The application must not disclose unnecessary information to users. 0 0

APSC-DV-002485 - CAT I The application must not store sensitive information in hidden fields. 0 0

APSC-DV-002490 - CAT I The application must protect from Cross-Site Scripting (XSS) vulnerabilities. 5 5

APSC-DV-002500 - CAT II The application must protect from Cross-Site Request Forgery (CSRF) vulnerabilities.* 0 0

APSC-DV-002510 - CAT I The application must protect from command injection. 0 0

APSC-DV-002520 - CAT II The application must protect from canonical representation vulnerabilities. 0 0

APSC-DV-002530 - CAT II The application must validate all input. 0 0

APSC-DV-002540 - CAT I The application must not be vulnerable to SQL Injection. 0 0

APSC-DV-002550 - CAT I The application must not be vulnerable to XML-oriented attacks. 0 0

APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities.* 4 2

APSC-DV-002570 - CAT II The application must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. 0 0

APSC-DV-002580 - CAT II The application must reveal error messages only to the ISSO, ISSM, or SA. 0 0

APSC-DV-002590 - CAT I The application must not be vulnerable to overflow attacks. 0 0

APSC-DV-002630 - CAT II Security-relevant software updates and patches must be kept up to date. 0 0

APSC-DV-002760 - CAT II The application performing organization-defined security functions must verify correct operation of security functions. 0 0

APSC-DV-002900 - CAT II The ISSO must ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data. 0 0

APSC-DV-002770 - CAT II The application must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. 0 0

APSC-DV-002780 - CAT III The application must notify the ISSO and ISSM of failed security verification tests. 0 0

APSC-DV-002870 - CAT II Unsigned Category 1A mobile code must not be used in the application in accordance with DoD policy. 0 0

APSC-DV-002880 - CAT II The ISSO must ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed. 0 0

APSC-DV-002890 - CAT I Application web servers must be on a separate network segment from the application and database servers if it is a tiered application operating in the DoD DMZ. 0 0

APSC-DV-002910 - CAT II The ISSO must review audit trails periodically based on system documentation recommendations or immediately upon system security events. 0 0

APSC-DV-002920 - CAT II The ISSO must report all suspected violations of IA policies in accordance with DoD information system IA procedures. 0 0

APSC-DV-002930 - CAT II The ISSO must ensure active vulnerability testing is performed. 0 0

APSC-DV-002980 - CAT II New IP addresses, data services, and associated ports used by the application must be submitted to the appropriate approving authority for the organization, which in turn will be submitted through the DoD Ports, Protocols, and Services Management (DoD PPS 0 0

APSC-DV-002950 - CAT II Execution flow diagrams and design documents must be created to show how deadlock and recursion issues in web services are being mitigated. 0 0

APSC-DV-002960 - CAT II The designer must ensure the application does not store configuration and control files in the same directory as user data. 0 0

APSC-DV-002970 - CAT II The ISSO must ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by following available guidance. 0 0

APSC-DV-002990 - CAT II The application must be registered with the DoD Ports and Protocols Database. 0 0

APSC-DV-002995 - CAT II The Configuration Management (CM) repository must be properly patched and STIG compliant. 0 0

APSC-DV-003000 - CAT II Access privileges to the Configuration Management (CM) repository must be reviewed every three months. 0 0

APSC-DV-003010 - CAT II A Software Configuration Management (SCM) plan describing the configuration control and change management process of application objects developed by the organization and the roles and responsibilities of the organization must be created and maintained. 0 0

APSC-DV-003020 - CAT II A Configuration Control Board (CCB) that meets at least every release cycle, for managing the Configuration Management (CM) process must be established. 0 0

APSC-DV-003030 - CAT II The application services and interfaces must be compatible with and ready for IPv6 networks. 0 0

APSC-DV-003040 - CAT II The application must not be hosted on a general purpose machine if the application is designated as critical or high availability by the ISSO. 0 0

APSC-DV-003050 - CAT II A disaster recovery/continuity plan must exist in accordance with DoD policy based on the application's availability requirements. 0 0

APSC-DV-003060 - CAT II Recovery procedures and technical system features must exist so recovery is performed in a secure and verifiable manner. The ISSO will document circumstances inhibiting a trusted recovery. 0 0

APSC-DV-003070 - CAT II Data backup must be performed at required intervals in accordance with DoD policy. 0 0

APSC-DV-003080 - CAT II Back-up copies of the application software or source code must be stored in a fire-rated container or stored separately (offsite). 0 0

APSC-DV-003090 - CAT II Procedures must be in place to assure the appropriate physical and technical protection of the backup and restoration of the application. 0 0

APSC-DV-003100 - CAT II The application must use encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange. 0 0

APSC-DV-003110 - CAT I The application must not contain embedded authentication data. 0 0

APSC-DV-003120 - CAT I The application must have the capability to mark sensitive/classified output when required. 0 0

APSC-DV-003130 - CAT III Prior to each release of the application, updates to system, or applying patches; test plans and procedures must be created and executed. 0 0

APSC-DV-003150 - CAT II At least one tester must be designated to test for security flaws in addition to functional testing. 0 0

APSC-DV-003140 - CAT II Application files must be cryptographically hashed prior to deploying to DoD operational networks. 0 0

APSC-DV-003160 - CAT III Test procedures must be created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to verify the system remains in a secure state. 0 0

APSC-DV-003170 - CAT II An application code review must be performed on the application. 0 0

APSC-DV-003180 - CAT III Code coverage statistics must be maintained for each release of the application. 0 0

APSC-DV-003190 - CAT II Flaws found during a code review must be tracked in a defect tracking system. 0 0

APSC-DV-003200 - CAT II The changes to the application must be assessed for IA and accreditation impact prior to implementation. 0 0

APSC-DV-003210 - CAT II Security flaws must be fixed or addressed in the project plan. 0 0

APSC-DV-003215 - CAT III The application development team must follow a set of coding standards. 0 0

APSC-DV-003220 - CAT III The designer must create and update the Design Document for each release of the application. 0 0

APSC-DV-003230 - CAT II Threat models must be documented and reviewed for each application release and updated as required by design and functionality changes or when new threats are discovered. 0 0

APSC-DV-003235 - CAT II The application must not be subject to error handling vulnerabilities. 0 0

APSC-DV-003250 - CAT I The application must be decommissioned when maintenance or support is no longer available. 0 0

APSC-DV-003236 - CAT II The application development team must provide an application incident response plan. 0 0

APSC-DV-003240 - CAT I All products must be supported by the vendor or the development team. 0 0

APSC-DV-003260 - CAT III Procedures must be in place to notify users when an application is decommissioned. 0 0

APSC-DV-003270 - CAT II Unnecessary built-in application accounts must be disabled. 0 0

APSC-DV-003280 - CAT I Default passwords must be changed. 0 0

APSC-DV-003330 - CAT II The system must alert an administrator when low resource conditions are encountered. 0 0

APSC-DV-003285 - CAT II An Application Configuration Guide must be created and included with the application. 0 0

APSC-DV-003290 - CAT II If the application contains classified data, a Security Classification Guide must exist containing data elements and their classification. 0 0

APSC-DV-003300 - CAT II The designer must ensure uncategorized or emerging mobile code is not used in applications. 0 0

APSC-DV-003310 - CAT II Production database exports must have database administration credentials and sensitive data removed before releasing the export. 0 0

APSC-DV-003320 - CAT II Protections against DoS attacks must be implemented. 0 0

APSC-DV-003340 - CAT III At least one application administrator must be registered to receive update notifications, or security alerts, when automated alerts are available. 0 0

APSC-DV-003360 - CAT III The application must generate audit records when concurrent logons from different workstations occur. 0 0

APSC-DV-003345 - CAT III The application must provide notifications or alerts when product update and security related patches are available. 0 0

APSC-DV-003350 - CAT II Connections between the DoD enclave and the Internet or other public or commercial wide area networks must require a DMZ. 0 0

APSC-DV-003400 - CAT II The Program Manager must verify all levels of program management, designers, developers, and testers receive annual security training pertaining to their job function. 0 0

APSC-DV-000010 - CAT II The application must provide a capability to limit the number of logon sessions per user. 0 0

APSC-DV-000060 - CAT II The application must clear temporary storage and cookies when the session is terminated. 0 0

APSC-DV-000070 - CAT II The application must automatically terminate the non-privileged user session and log off non-privileged users after a 15 minute idle time period has elapsed. 0 0

APSC-DV-000080 - CAT II The application must automatically terminate the admin user session and log off admin users after a 10 minute idle time period is exceeded. 0 0

APSC-DV-000090 - CAT II Applications requiring user access authentication must provide a logoff capability for user initiated communication session. 0 0

APSC-DV-000100 - CAT III The application must display an explicit logoff message to users indicating the reliable termination of authenticated communications sessions. 0 0

APSC-DV-000110 - CAT II The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in storage. 0 0

APSC-DV-000120 - CAT II The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in process. 0 0

APSC-DV-000130 - CAT II The application must associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission. 0 0

APSC-DV-000160 - CAT II The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions. 0 0

APSC-DV-000170 - CAT II The application must implement cryptographic mechanisms to protect the integrity of remote access sessions. 0 0

APSC-DV-000190 - CAT I Messages protected with WS_Security must use time stamps with creation and expiration times. 0 0

APSC-DV-000180 - CAT II Applications with SOAP messages requiring integrity must include the following message elements: Message ID, Service Request, Timestamp, SAML Assertion (optionally included in messages), and all elements of the message must be digitally signed. 0 0

APSC-DV-000200 - CAT I Validity periods must be verified on all application messages using WS-Security or SAML assertions. 0 0

APSC-DV-000210 - CAT II The application must ensure each unique asserting party provides unique assertion ID references for each SAML assertion. 0 0

APSC-DV-000220 - CAT II The application must ensure encrypted assertions, or equivalent confidentiality protections are used when assertion data is passed through an intermediary, and confidentiality of the assertion data is required when passing through the intermediary. 0 0

APSC-DV-000230 - CAT I The application must use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion. 0 0

APSC-DV-000240 - CAT I The application must use both the NotBefore and NotOnOrAfter elements or OneTimeUse element when using the Conditions element in a SAML assertion. 0 0

APSC-DV-000250 - CAT II The application must ensure if a OneTimeUse element is used in an assertion, there is only one of the same used in the Conditions element portion of an assertion. 0 0

APSC-DV-000260 - CAT II The application must ensure messages are encrypted when the SessionIndex is tied to privacy data. 0 0

APSC-DV-000290 - CAT II Shared/group account credentials must be terminated when members leave the group. 0 0

APSC-DV-000280 - CAT II The application must provide automated mechanisms for supporting account management functions. 0 0

APSC-DV-000300 - CAT II The application must automatically remove or disable temporary user accounts 72 hours after account creation. 0 0

APSC-DV-000320 - CAT III The application must automatically disable accounts after a 35 day period of account inactivity. 0 0

APSC-DV-000330 - CAT II Unnecessary application accounts must be disabled, or deleted. 0 0

APSC-DV-000420 - CAT II The application must automatically audit account enabling actions. 0 0

APSC-DV-000340 - CAT II The application must automatically audit account creation. 0 0

APSC-DV-000350 - CAT II The application must automatically audit account modification. 0 0

APSC-DV-000360 - CAT II The application must automatically audit account disabling actions. 0 0

APSC-DV-000370 - CAT II The application must automatically audit account removal actions. 0 0

APSC-DV-000380 - CAT III The application must notify System Administrators and Information System Security Officers when accounts are created. 0 0

APSC-DV-000390 - CAT III The application must notify System Administrators and Information System Security Officers when accounts are modified. 0 0

APSC-DV-000400 - CAT III The application must notify System Administrators and Information System Security Officers of account disabling actions. 0 0

APSC-DV-000410 - CAT III The application must notify System Administrators and Information System Security Officers of account removal actions. 0 0

APSC-DV-000430 - CAT III The application must notify System Administrators and Information System Security Officers of account enabling actions. 0 0

APSC-DV-000440 - CAT II Application data protection requirements must be identified and documented. 0 0

APSC-DV-000520 - CAT II The application must audit the execution of privileged functions. 0 0

APSC-DV-000450 - CAT II The application must utilize organization-defined data mining detection techniques for organization-defined data storage objects to adequately detect data mining attempts. 0 0

APSC-DV-000460 - CAT I The application must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. 0 0

APSC-DV-000470 - CAT II The application must enforce organization-defined discretionary access control policies over defined subjects and objects. 0 0

APSC-DV-000480 - CAT II The application must enforce approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies. 0 0

APSC-DV-000490 - CAT II The application must enforce approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies. 0 0

APSC-DV-000500 - CAT II The application must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. 0 0

APSC-DV-000510 - CAT I The application must execute without excessive account permissions. 0 0

APSC-DV-000530 - CAT I The application must enforce the limit of three consecutive invalid logon attempts by a user during a 15 minute time period. 0 0

APSC-DV-000560 - CAT III The application must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage conditions and take explicit actions to log on for further access. 0 0

APSC-DV-000540 - CAT II The application administrator must follow an approved process to unlock locked user accounts. 0 0

APSC-DV-000550 - CAT III The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. 0 0

APSC-DV-000570 - CAT III The publicly accessible application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. 0 0

APSC-DV-000580 - CAT III The application must display the time and date of the user's last successful logon. 0 0

APSC-DV-000630 - CAT II The application must provide audit record generation capability for the destruction of session IDs. 0 0

APSC-DV-000590 - CAT II The application must protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. 0 0

APSC-DV-000600 - CAT II For applications providing audit record aggregation, the application must compile audit records from organization-defined information system components into a system-wide audit trail that is time-correlated with an organization-defined level of tolerance 0 0

APSC-DV-000610 - CAT II The application must provide the capability for organization-identified individuals or roles to change the auditing to be performed on all application components, based on all selectable event criteria within organization-defined time thresholds. 0 0

APSC-DV-000620 - CAT II The application must provide audit record generation capability for the creation of session IDs. 0 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.

Scan Summary - OWASP Top 10 API

Category Issues Found Best Fix Locations

API1-Broken Object Level Authorization 0 0

API2-Broken Authentication 0 0

API3-Excessive Data Exposure 0 0

API4-Lack of Resources and Rate Limiting 0 0

API5-Broken Function Level Authorization 0 0

API6-Mass Assignment 0 0

API7-Security Misconfiguration 0 0

API8-Injection 0 0

API9-Improper Assets Management 0 0

API10-Insufficient Logging and Monitoring 0 0

Scan Summary - OWASP Top 10 2010

Category Issues Found Best Fix Locations

A1-Injection* 0 0

A2-Cross-Site Scripting (XSS) 0 0

A3-Broken Authentication and Session Management 0 0

A4-Insecure Direct Object References 0 0

A5-Cross-Site Request Forgery (CSRF) 0 0

A6-Security Misconfiguration* 0 0

A7-Insecure Cryptographic Storage 0 0

A8-Failure to Restrict URL Access 0 0

A9-Insufficient Transport Layer Protection 0 0

A10-Unvalidated Redirects and Forwards 0 0

* Project scan results do not include all relevant queries. Presets and/or Filters should be changed to include all relevant standard queries.

Results Distribution By Status - Compared to project scan from 9/29/2022 7:26 PM

Status High Medium Low Information Total
New Issues 0 0 1 0 1
Recurrent Issues 0 0 10 0 10
Total 0 0 11 0 11
Fixed Issues 0 0 1 0 1

Results Distribution By State

State High Medium Low Information Total
To Verify 0 0 11 0 11
Not Exploitable 0 0 0 0 0
Confirmed 0 0 0 0 0
Urgent 0 0 0 0 0
Proposed Not Exploitable 0 0 0 0 0
Total 0 0 11 0 11

Result Summary
Vulnerability Type Occurrences Severity
Client Hardcoded Domain 5 Low
Log Forging 4 Low
Potential Clickjacking on Legacy Browsers 1 Low
React Deprecated 1 Low

Scan Results Details

Client Hardcoded Domain


Query Path:
JavaScript\Cx\JavaScript Low Visibility\Client Hardcoded Domain Version:3

Categories
NIST SP 800-53: SC-18 Mobile Code (P2)
ASD STIG 4.10: APSC-DV-002490 - CAT I The application must protect from Cross-Site
Scripting (XSS) vulnerabilities.
OWASP Top 10 2021: A8-Software and Data Integrity Failures

Description
Client Hardcoded Domain\Path 1:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=1
Status Recurrent
Detection Date 9/29/2022 11:58:09 AM

The JavaScript file imported in "https://www.googletagmanager.com/gtm.js?id=" in src/index.html at line 14 is from a remote domain, which may allow attackers to replace its contents with malicious code.

Source Destination
File src/index.html src/index.html
Line 17 17
Object "https://www.googletagmanager.com/gtm.js?id=" insertBefore

Code Snippet
File Name src/index.html
Method <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
....
17. 'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);

Client Hardcoded Domain\Path 2:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=2
Status Recurrent
Detection Date 1/31/2022 5:27:33 PM

The JavaScript file imported in https://www.axisbank.com/assets/images/favicon.ico in src/index.html at line 5 is from a remote domain, which may allow attackers to replace its contents with malicious code.

Source Destination
File src/index.html src/index.html
Line 5 5
Object https://www.axisbank.com/assets/images/favicon.ico https://www.axisbank.com/assets/images/favicon.ico

Code Snippet
File Name src/index.html
Method <link rel="shortcut icon" href="https://www.axisbank.com/assets/images/favicon.ico" />
....
5. <link rel="shortcut icon" href="https://www.axisbank.com/assets/images/favicon.ico" />

Client Hardcoded Domain\Path 3:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=3
Status Recurrent
Detection Date 1/31/2022 5:27:33 PM

The JavaScript file imported in https://www.axisbank.com/assets/images/favicon.ico in src/index.html at line 9 is from a remote domain, which may allow attackers to replace its contents with malicious code.

Source Destination
File src/index.html src/index.html
Line 9 9
Object https://www.axisbank.com/assets/images/favicon.ico https://www.axisbank.com/assets/images/favicon.ico

Code Snippet
File Name src/index.html
Method <link rel="apple-touch-icon" href="https://www.axisbank.com/assets/images/favicon.ico" />
....
9. <link rel="apple-touch-icon" href="https://www.axisbank.com/assets/images/favicon.ico" />

Client Hardcoded Domain\Path 4:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=4
Status Recurrent
Detection Date 1/31/2022 5:27:33 PM

The JavaScript file imported in https://fonts.gstatic.com in src/index.html at line 11 is from a remote domain, which may allow attackers to replace its contents with malicious code.

Source Destination
File src/index.html src/index.html
Line 11 11
Object https://fonts.gstatic.com https://fonts.gstatic.com

Code Snippet
File Name src/index.html
Method <link rel="preconnect" href="https://fonts.gstatic.com">
....
11. <link rel="preconnect" href="https://fonts.gstatic.com">

Client Hardcoded Domain\Path 5:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=5
Status Recurrent
Detection Date 1/31/2022 5:27:33 PM

The JavaScript file imported in https://fonts.googleapis.com/css2?family=Lato:wght@400;700&display=swap in src/index.html at line 12 is from a remote domain, which may allow attackers to replace its contents with malicious code.

Source Destination
File src/index.html src/index.html
Line 12 12
Object https://fonts.googleapis.com/css2?family=Lato:wght@400;700&display=swap https://fonts.googleapis.com/css2?family=Lato:wght@400;700&display=swap

Code Snippet
File Name src/index.html
Method <link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;700&display=swap" rel="stylesheet">
....
12. <link href="https://fonts.googleapis.com/css2?family=Lato:wght@400;700&display=swap" rel="stylesheet">

Log Forging
Query Path:
JavaScript\Cx\JavaScript Server Side Vulnerabilities\Log Forging Version:2

Categories
FISMA 2014: System And Information Integrity
NIST SP 800-53: AU-9 Protection of Audit Information (P1)
OWASP Top 10 2017: A1-Injection
ASD STIG 4.10: APSC-DV-002560 - CAT I The application must not be subject to input handling vulnerabilities.
OWASP Top 10 2021: A9-Security Logging and Monitoring Failures

Description
Log Forging\Path 1:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=8
Status Recurrent
Detection Date 1/31/2022 5:27:34 PM

Method handleRequest at line 266 of src/mockServiceWorker.js gets user input from element
method. This element’s value flows through the code without being properly sanitized or
validated, and is eventually used in writing an audit log in handleRequest at line 266 of
src/mockServiceWorker.js.
This may enable Log Forging.
Source Destination
File src/mockServiceWorker.js src/mockServiceWorker.js
Line 269 267
Object method error

Code Snippet
File Name src/mockServiceWorker.js
Method handleRequest(event, requestId).catch((error) => {
....
269. request.method,
....
267. console.error(

Log Forging\Path 2:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=9
Status Recurrent
Detection Date 1/31/2022 5:27:34 PM

Method handleRequest at line 266 of src/mockServiceWorker.js gets user input from element
url. This element’s value flows through the code without being properly sanitized or validated,
and is eventually used in writing an audit log in handleRequest at line 266 of
src/mockServiceWorker.js.
This may enable Log Forging.
Source Destination
File src/mockServiceWorker.js src/mockServiceWorker.js
Line 270 267
Object url error

Code Snippet
File Name src/mockServiceWorker.js
Method handleRequest(event, requestId).catch((error) => {
....
270. request.url,
....
267. console.error(

Log Forging\Path 3:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=10
Status Recurrent
Detection Date 1/31/2022 5:27:34 PM

Method getResponse at line 140 of src/mockServiceWorker.js gets user input from element
method. This element’s value flows through the code without being properly sanitized or
validated, and is eventually used in writing an audit log in getResponse at line 140 of
src/mockServiceWorker.js.
This may enable Log Forging.
Source Destination
File src/mockServiceWorker.js src/mockServiceWorker.js
Line 231 221
Object method error

Code Snippet
File Name src/mockServiceWorker.js
Method async function getResponse(event, client, requestId) {
....
231. request.method,
....
221. console.error(

Log Forging\Path 4:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=11
Status Recurrent
Detection Date 1/31/2022 5:27:34 PM

Method getResponse at line 140 of src/mockServiceWorker.js gets user input from element url.
This element’s value flows through the code without being properly sanitized or validated, and
is eventually used in writing an audit log in getResponse at line 140 of
src/mockServiceWorker.js.
This may enable Log Forging.
Source Destination
File src/mockServiceWorker.js src/mockServiceWorker.js
Line 232 221
Object url error

Code Snippet
File Name src/mockServiceWorker.js
Method async function getResponse(event, client, requestId) {
....
232. request.url,
....
221. console.error(

React Deprecated
Query Path:
JavaScript\Cx\JavaScript Low Visibility\React Deprecated Version:2

Categories
OWASP Top 10 2017: A9-Using Components with Known Vulnerabilities
OWASP Top 10 2021: A6-Vulnerable and Outdated Components

Description
React Deprecated\Path 1:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=6
Status Recurrent
Detection Date 1/31/2022 5:27:33 PM

Method main in src/index.tsx, at line 25, calls an obsolete API, render. This has been
deprecated, and should not be used in a modern codebase.
Source Destination
File src/index.tsx src/index.tsx
Line 32 32
Object render render

Code Snippet
File Name src/index.tsx
Method function main(): void {
....
32. ReactDOM.render(<App />, root);

Potential Clickjacking on Legacy Browsers
Query Path:
JavaScript\Cx\JavaScript Low Visibility\Potential Clickjacking on Legacy Browsers Version:3

Categories
FISMA 2014: Configuration Management

NIST SP 800-53: SC-8 Transmission Confidentiality and Integrity (P1)
ASD STIG 4.10: APSC-DV-002330 - CAT II The application must protect the confidentiality and integrity of stored information when required by DoD policy or the information owner.

Description
Potential Clickjacking on Legacy Browsers\Path 1:
Severity Low
Result State To Verify
Online Results https://checkmarkx_vs.axisb.com/CxWebClient/ViewerMain.aspx?scanid=1058456&projectid=265&pathid=7
Status New
Detection Date 9/29/2022 7:37:08 PM

The application does not protect the web page src/index.html from clickjacking attacks in legacy browsers by using a framebusting script.
Source Destination
File src/index.html src/index.html
Line 1 1
Object < <

Code Snippet
File Name src/index.html
Method <html>
....
1. <html>

Client Hardcoded Domain
Risk
What might happen
An externally imported JavaScript file may leave users vulnerable to attack: if the script's host is compromised, if communications with the host are intercepted, or if the host itself is not trustworthy, the contents of the JavaScript file may be changed to include malicious code, which could result in a Cross-Site Scripting (XSS) attack.

Cause
How does it happen
JavaScript files can be imported dynamically from remote hosts when they are referenced from HTML. However, relying on a remote host for these scripts may diminish security, as the web application's users are only ever as secure as the remote host serving those JavaScript files.

General Recommendations
How to avoid it
Where possible, host all script files locally rather than remotely. Ensure that locally hosted third-party script files are kept up to date and maintained.

Source Code Examples

JavaScript
Remote Importation of A Script File

<!-- script elements are not void elements in HTML and need an explicit closing tag -->
<script src="https://example.com/scripts/jquery.js"></script>

Local Importation of A Script File

<script src="/scripts/jquery.js"></script>
React Deprecated
Risk
What might happen
Referencing deprecated modules can expose an application to known vulnerabilities that have been publicly reported and already fixed. A common attack technique is to scan applications for these known vulnerabilities and then exploit the application through the deprecated versions. Even if deprecated code is used in a way that is completely secure, its presence in the code base encourages developers to re-use the deprecated element in the future, potentially leaving the application vulnerable to attack, which is why deprecated code should be eliminated from the code base as a matter of practice.
Note that the actual risk depends on the specifics of any known vulnerabilities in older versions. Use of a deprecated API in client code may leave users vulnerable to browser-based attacks; this is exacerbated by the fact that client-side code is available to any attacker with client access, who may be able to trivially detect use of the deprecated API.

Cause
How does it happen
The application references code elements that have been declared deprecated. These could include classes, functions, methods, properties, modules, or obsolete library versions that are either out of date by version or have been entirely deprecated. It is likely that the code referencing the obsolete element was developed before the element was declared obsolete, and that the referenced code was updated in the meantime.

General Recommendations
How to avoid it
• Always prefer the most up-to-date versions of libraries, packages, and other dependencies.
• Do not use or reference any class, method, function, property, or other element that has been declared deprecated.

Source Code Examples

JavaScript
ReactJS - Using a Deprecated Method to Interact with DOM

// Using findDOMNode to access a component is highly discouraged, because it breaks React
// component abstraction by treating it like a normal JavaScript DOM object; this may result in
// unexpected or dangerous behavior
ReactDOM.findDOMNode(component);

Obtain Year via Deprecated JavaScript Method

var d = new Date();
// getYear() is deprecated and affected by Y2K; for a given year 20xx, it returns 1xx.
var year = d.getYear();

Obtain Year via a Supported JavaScript Method

var d = new Date();
var year = d.getFullYear();

Invoking a Deprecated Function, Denoted Using JSDoc

/** @deprecated */
function myOldFunction() {
/* Code that is deprecated */
}

myOldFunction();

Potential Clickjacking on Legacy Browsers
Risk
What might happen
Clickjacking attacks allow an attacker to "hijack" a user's mouse clicks on a webpage by invisibly framing the application and superimposing it in front of a bogus site. When the user is convinced to click on the bogus website, e.g. on a link or a button, the user's mouse is actually clicking on the target webpage, despite it being invisible.
This could allow the attacker to craft an overlay that, when clicked, leads the user to perform undesirable actions in the vulnerable application, e.g. enabling the user's webcam, deleting all the user's records, changing the user's settings, or causing click fraud.

Cause
How does it happen
The root cause of vulnerability to a clickjacking attack is that the application's web pages can be loaded into a frame of another website. The application does not implement a proper frame-busting script that would prevent the page from being loaded into another frame. Note that there are many types of simplistic redirection scripts that still leave the application vulnerable to clickjacking techniques and should not be used.
For modern browsers, applications mitigate this vulnerability by issuing appropriate Content-Security-Policy or X-Frame-Options headers that instruct the browser to disallow framing. However, many legacy browsers do not support these headers and require a more manual approach: a mitigation implemented in JavaScript. To ensure legacy support, a framebusting script is required.

General Recommendations
How to avoid it
Generic Guidance:
• Define and implement a Content Security Policy (CSP) on the server side, including a frame-ancestors directive. Enforce the CSP on all relevant webpages.
• If certain webpages are required to be loaded into a frame, define a specific, whitelisted target URL.
• Alternatively, return an "X-Frame-Options" header on all HTTP responses. If it is necessary to allow a particular webpage to be loaded into a frame, define a specific, whitelisted target URL.
• For legacy support, implement framebusting code using JavaScript and CSS to ensure that, if a page is framed, it is never displayed, and attempt to navigate into the frame to prevent attack. Even if navigation fails, the page is not displayed and is therefore not interactive, mitigating potential clickjacking attacks.
Specific Recommendations:
• Implement a proper framebuster script on the client that is not vulnerable to frame-buster-busting attacks.
o Code should first disable the UI, such that even if frame-busting is successfully evaded, the UI cannot be clicked. This can be done by setting the CSS "display" property to "none" on either the "body" or "html" element. This is necessary because, if a framed page attempts to redirect and become the parent, a malicious parent can still prevent the redirection via various techniques.
o Code should then determine whether framing is absent by comparing self === top; only if the result is true should the UI be enabled. If it is false, attempt to navigate away from the framing page by setting top.location to self.location.

Source Code Examples

JavaScript
Clickjackable Webpage

<html>
<body>
<button onclick="clicked();">
Click here if you love ducks
</button>
</body>
</html>

Bustable Framebuster

<html>
<head>
<script>
if ( window.self.location != window.top.location ) {
window.top.location = window.self.location;
}
</script>
</head>

<body>
<button onclick="clicked();">
Click here if you love ducks
</button>
</body>
</html>

Proper Framebusterbusterbusting

<html>
<head>
<style> html {display : none; } </style>
<script>
if ( self === top ) {
document.documentElement.style.display = 'block';
}
else {
top.location = self.location;
}
</script>
</head>

<body>
<button onclick="clicked();">
Click here if you love ducks
</button>
</body>
</html>

Log Forging
Risk
What might happen
An attacker could engineer audit logs of security-sensitive actions and lay a false audit trail, potentially
implicating an innocent user or hiding an incident.

Cause
How does it happen
The application writes audit logs upon security-sensitive actions. Since the audit log includes user input that is neither checked for data type validity nor subsequently sanitized, the input could contain false information made to look like legitimate audit log data.

General Recommendations
How to avoid it
1. Validate all input, regardless of source. Validation should be based on a whitelist: accept only data fitting a specified structure, rather than rejecting known bad patterns. Check for:
o Data type
o Size
o Range
o Format
o Expected values
2. Validation is not a replacement for encoding. Fully encode all dynamic data, regardless of source,
before embedding it in logs.
3. Use a secure logging mechanism.

Source Code Examples

JavaScript
Passing Unsanitized Values to HAPI server.log()

var id = request.query["id"];
try {
  var val = tryGetById(id); // Assume this throws an exception if "id" is not found
  // Handle val
}
catch (err) {
  // Logs the unsanitized value, which may not be sanitized downstream either and could contain CRLF
  server.log(['error', 'id'], id);
}

Passing Sanitized Values to HAPI server.log()

var id = request.query["id"];
try {
  var val = tryGetById(id); // Assume this throws an exception if "id" is not found
  // Handle val
}
catch (err) {
  // encodeURI() is a sufficient sanitizer for CRLF, as it URL-encodes the line break characters
  server.log(['error', 'id'], encodeURI(id));
}

Scanned Languages
Language Hash Number Change Date
JavaScript 9095271965336651 1/28/2022
VbScript 0386000544005133 1/28/2022
Scala 7845933579377594 1/28/2022
Common 0318477963775793 1/28/2022
