ZAP Rules for Detecting Vulnerabilities

Jit runs the following ZAP rules during Dynamic Application Security Testing (DAST). Note that the text in the Description Summary has been adapted from ZAP documentation and ChatGPT.

| Rule | Passive | Active | Web | API | Alert | Description Summary |
| --- | --- | --- | --- | --- | --- | --- |
| 6 |  |  |  |  | Path Traversal | Manipulates URLs to access files, directories and commands that may reside outside the web document root directory. |
| 7 |  |  |  |  | Remote File Inclusion | Exploits the dynamic file include mechanism of web applications: user input is passed into file include commands, so the application can be manipulated into including remote files that hold malicious code. |
| 41 |  |  |  |  | Source Code Disclosure - Git | The source code of the current page has been disclosed by the web server. |
| 42 |  |  |  |  | Source Code Disclosure - SVN | The source code of the current page has been disclosed by the web server. |
| 43 |  |  |  |  | Source Code Disclosure - File Inclusion | Unauthorized access to the source code of a web application. Attackers may use the disclosed code to identify weaknesses and find further security issues. |
| 10003 |  |  |  |  | Vulnerable JS Library | The identified ExampleLibrary x.y.z library is vulnerable. |
| 10020 |  |  |  |  | Anti-clickjacking Header | 10020-1 Missing Anti-Clickjacking header; 10020-2 Multiple X-Frame-Options header entries; 10020-3 X-Frame-Options Defined via META (an X-Frame-Options (XFO) META tag was found); 10020-4 X-Frame-Options Setting Malformed. |
| 10028 |  |  |  |  | Open Redirect | Examines user-supplied input in query string parameters and POST data to identify open redirects, which occur when an application lets user-supplied input determine the redirect destination. |
| 10033 |  |  |  |  | Directory Browsing | A listing of a directory's sensitive contents may be accessed, for example revealing hidden scripts, include files or backup source files. |
| 10035 |  |  |  |  | Strict-Transport-Security Header | HSTS is a web security policy mechanism by which a web server declares that complying user agents must interact with it only over secure HTTPS connections (i.e. HTTP layered over TLS/SSL). |
| 10038 |  |  |  |  | Content Security Policy (CSP) Header Not Set | 10038-1 Content Security Policy (CSP) Header Not Set; 10038-2 Obsolete Content Security Policy (CSP) Header Found; 10038-3 Content Security Policy (CSP) Report-Only Header Found. |
| 10041 |  |  |  |  | HTTP to HTTPS Insecure Transition in Form Post | Searches for insecure HTTP pages that host HTTPS forms. An insecure HTTP page can be hijacked through a MITM attack in which the secure HTTPS form is replaced or spoofed. |
| 10042 |  |  |  |  | HTTPS to HTTP Insecure Transition in Form Post | Identifies secure HTTPS pages that host insecure HTTP forms. Data entered on the secure page is submitted through the form to an insecure page, so users may believe they are submitting data to a secure page when in fact they are not. |
| 10045 |  |  |  |  | Source Code Disclosure - /WEB-INF folder | Unauthorized access to the contents of the /WEB-INF folder, allowing attackers to view sensitive files including Java classes, configuration files and potentially other resources. |
| 10048 |  |  |  |  | Remote Code Execution - Shell Shock | The server is running a version of the Bash shell that allows remote attackers to execute arbitrary code. |
| 10055 |  |  |  |  | CSP | CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers may load on a page. Sub-alerts: 10055-1 CSP: X-Content-Security-Policy; 10055-2 CSP: X-WebKit-CSP; 10055-3 CSP: Notices; 10055-4 CSP: Wildcard Directive; 10055-5 CSP: script-src unsafe-inline; 10055-6 CSP: style-src unsafe-inline; 10055-7 CSP: script-src unsafe-hashes; 10055-8 CSP: style-src unsafe-hashes; 10055-9 CSP: Malformed Policy (Non-ASCII); 10055-10 CSP: script-src unsafe-eval; 10055-11 CSP: Meta Policy Invalid Directive; 10055-12 CSP: Header & Meta. |
| 10108 |  |  |  |  | Reverse Tabnabbing | At least one link on the page is vulnerable to reverse tabnabbing because it uses a target attribute without both the noopener and noreferrer keywords in its rel attribute. |
| 10109 |  |  |  |  | Modern Web Application | An informational alert indicating that the application appears to be a modern web application. |
| 20017 |  |  |  |  | Source Code Disclosure - CVE-2012-1823 | A security issue in the PHP programming language that allows remote attackers to execute arbitrary code and possibly gain unauthorized access to the server. |
| 20019 |  |  |  |  | External Redirect | URL redirectors are employed by websites to forward an incoming request to an alternate resource. |
| 40009 |  |  |  |  | Server Side Include | Specific parameters may cause Server Side Include commands to be executed. This may allow a database connection to be opened or arbitrary code to be executed. |
| 40012 |  |  |  |  | Cross Site Scripting (Reflected) | Cross-site scripting attacks are either non-persistent or DOM-based attacks, where users open a malicious link or website (often used when the vulnerable resource only accepts HTTP POST requests), or persistent attacks, where malicious code is stored on a website for a period of time; targets include message board posts, web mail messages and web chat software. |
| 40018 |  |  |  |  | SQL Injection | Possible SQL injection. |
| 90019 |  |  |  |  | Server Side Code Injection | 90019-1 Server side code injection - PHP code injection: possible code injection in which custom code is evaluated by the scripting engine; 90019-2 Server side code injection - ASP code injection: possible code injection in which custom code is evaluated by the scripting engine. |
| 90020 |  |  |  |  | Remote OS Command Injection | Unauthorized execution of operating system commands, occurring when an application builds OS commands from untrusted input with improper data sanitization and/or improper calling of external programs. |
| 90021 |  |  |  |  | XPath Injection | Exploits applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. |
| 90022 |  |  |  |  | Application Error Disclosure | An error or warning message that may disclose sensitive information usable for further attacks against the web application. The alert may be a false positive if the error message appears on a documentation page. |
| 90023 |  |  |  |  | XML External Entity Attack | Takes advantage of the XML feature that builds documents dynamically at processing time: an XML message can either provide data explicitly or point to the URL where the data resides. |
| 90024 |  |  |  |  | Generic Padding Oracle | Manipulates the padding of an encrypted string to provoke an error message that indicates a likely padding oracle vulnerability. |
| 90025 |  |  |  |  | Expression Language Injection | The software constructs all or part of an EL statement in a JSP using externally influenced input from an upstream component, and does not neutralize, or incorrectly neutralizes, special elements that could modify the intended EL statement before it is executed. |
| 90034 |  |  |  |  | Cloud Metadata Potentially Exposed | Attempts to abuse a misconfigured NGINX server to access the instance metadata maintained by cloud service providers such as AWS, GCP and Azure. |