add vulnerability testing for web applications

[tomkralidis]

Ensure that web applications are scanned/penetration tested (suggest to use zapproxy to scan for critical alerts).

[maaikelimper]

I ran zaproxy as part of the GitHub-test that runs wis2box-api, it created the following report: https://github.com/wmo-im/wis2box-api/issues/60

[maaikelimper]

I checked the items listed in the report, they actually all have "Risk | Medium" or less ...

I will try to study how to only detect higher risk items ...

Risk | Medium

• Absence of Anti-CSRF Tokens [10202] : Risk | Medium
• Content Security Policy (CSP) Header Not Set [10038] Risk | Medium
• Cross-Domain Misconfiguration [10098] Risk | Medium
• Missing Anti-clickjacking Header [10020] Risk | Medium
• Sub Resource Integrity Attribute Missing [90003] Risk | Medium
• Application Error Disclosure [90022] Risk | Medium

Risk | Low

• Cookie with SameSite Attribute None [10054] Risk | Low
• Cross-Domain JavaScript Source File Inclusion [10017] Risk | Low
• Information Disclosure - Debug Error Messages [10023] Risk | Low
• Permissions Policy Header Not Set [10063] Risk | Low
• Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] Risk | Low
• Timestamp Disclosure - Unix [10096] Risk | Low
• X-Content-Type-Options Header Missing [10021] Risk | Low

Risk | Informational

• Information Disclosure - Suspicious Comments [10027]
• Loosely Scoped Cookie [90033] Risk | Informational
• Non-Storable Content [10049] Risk | Informational
• Session Management Response Identified [10112] Risk | Informational
• Storable and Cacheable Content [10049] Risk | Informational

[tomkralidis]

We should run against:

• wis2box-ui
• wis2box-api
• wis2box-webapp

...and inspect all output/report, and action only items that are High or Critical.