Feature/lab9

.github/pull_request_template.md

@@ -0,0 +1,13 @@
+# Goal 
+Describe the goal of the PR
+
+# Changes
+Describe the changes made to the codebase
+
+# Testing
+Describe the actions made to test the changes
+
+# Checklist
+- [ ] Clear title?
+- [ ] docs/README updated if needed?
+- [ ] No secrets/large temp files?

gen.conf

@@ -0,0 +1,70 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10003	WARN	(Vulnerable JS Library (Powered by Retire.js))
+10009	WARN	(In Page Banner Information Leak)
+10010	WARN	(Cookie No HttpOnly Flag)
+10011	WARN	(Cookie Without Secure Flag)
+10015	WARN	(Re-examine Cache-control Directives)
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
+10019	WARN	(Content-Type Header Missing)
+10020	WARN	(Anti-clickjacking Header)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10023	WARN	(Information Disclosure - Debug Error Messages)
+10024	WARN	(Information Disclosure - Sensitive Information in URL)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026	WARN	(HTTP Parameter Override)
+10027	WARN	(Information Disclosure - Suspicious Comments)
+10028	WARN	(Off-site Redirect)
+10029	WARN	(Cookie Poisoning)
+10030	WARN	(User Controllable Charset)
+10031	WARN	(User Controllable HTML Element Attribute (Potential XSS))
+10032	WARN	(Viewstate)
+10033	WARN	(Directory Browsing)
+10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative))
+10035	WARN	(Strict-Transport-Security Header)
+10036	WARN	(HTTP Server Response Header)
+10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+10039	WARN	(X-Backend-Server Header Information Leak)
+10040	WARN	(Secure Pages Include Mixed Content)
+10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post)
+10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post)
+10043	WARN	(User Controllable JavaScript Event (XSS))
+10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak))
+10049	WARN	(Content Cacheability)
+10050	WARN	(Retrieved from Cache)
+10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
+10054	WARN	(Cookie without SameSite Attribute)
+10055	WARN	(CSP)
+10056	WARN	(X-Debug-Token Information Leak)
+10057	WARN	(Username Hash Found)
+10061	WARN	(X-AspNet-Version Response Header)
+10062	WARN	(PII Disclosure)
+10063	WARN	(Permissions Policy Header Not Set)
+10096	WARN	(Timestamp Disclosure)
+10097	WARN	(Hash Disclosure)
+10098	WARN	(Cross-Domain Misconfiguration)
+10099	WARN	(Source Code Disclosure)
+10105	WARN	(Weak Authentication Method)
+10108	WARN	(Reverse Tabnabbing)
+10109	WARN	(Modern Web Application)
+10110	WARN	(Dangerous JS Functions)
+10111	WARN	(Authentication Request Identified)
+10112	WARN	(Session Management Response Identified)
+10113	WARN	(Verification Request Identified)
+10115	WARN	(Script Served From Malicious Domain (polyfill))
+10116	WARN	(ZAP is Out of Date)
+10202	WARN	(Absence of Anti-CSRF Tokens)
+2	WARN	(Private IP Disclosure)
+3	WARN	(Session ID in URL Rewrite)
+50001	WARN	(Script Passive Scan Rules)
+90001	WARN	(Insecure JSF ViewState)
+90002	WARN	(Java Serialization Object)
+90003	WARN	(Sub Resource Integrity Attribute Missing)
+90004	WARN	(Insufficient Site Isolation Against Spectre Vulnerability)
+90011	WARN	(Charset Mismatch)
+90022	WARN	(Application Error Disclosure)
+90030	WARN	(WSDL File Detection)
+90033	WARN	(Loosely Scoped Cookie)

labs/submission9.md

@@ -0,0 +1,39 @@
+## Task 1
+
+Alerts Summary:
+![scanning report](../screenshots/image-3.png)
+![alerts summary](../screenshots/image.png)
+2 Medium vulnerabilities
+
+Misssing header: Content Security Policy (CSP)
+
+Depercated header: Feature-Policy, instead of Permissions-Policy
+
+Personally interesting vulnerabilities:
+
+Dangerous JS Functions
+![dangerous js functions](../screenshots/image-1.png)
+
+Timestamp Disclosure
+![timestamp disclosure](../screenshots/image-2.png)
+
+From my experience, the most common vulnerability is misused headers, mostly because nobody cares to use them correctly
+
+## Task 2
+
+```sh
+sudo docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --severity HIGH,CRITICAL bkimminich/juice-shop > Desktop/out.txt 
+[RatPC|rightrat ~] cat Desktop/out.txt | grep Total
+Total: 31 (HIGH: 23, CRITICAL: 8)
+```
+Vulnerabilities:
+crypto-js (package.json) (CRITICAL), as per CVE-2023-46233
+marsdb (package.json) (CRITICAL), as per GHSA-5mrr-rgp6-x4gr
+
+Most common type: node-pkg
+
+A screenshot of Trivy would be too big to attach, so instead the output is in the out.txt file.
+
+It is neccessary to scan images before deployment because as soon as you deploy anything, robots will swarm your service in order to attack it/you. Cybersecurity cannot be overlooked, especially in enterprise.
+
+I would add a requirement for passing the image scan without any non-low vulnerabilities before deployment, failing the deployment otherwise.