ZAP Scan Baseline Report

[github-actions[bot]]

• Site: https://www.zaproxy.org New Alerts

  • Modern Web Application [10109] total: 11:
    • https://www.zaproxy.org/download/
    • https://www.zaproxy.org/docs/
    • https://www.zaproxy.org/docs/automate/
    • https://www.zaproxy.org/videos/
    • https://www.zaproxy.org/blog/
    • ..
  • Absence of Anti-CSRF Tokens [10202] total: 11:
    • https://www.zaproxy.org/docs/
    • https://www.zaproxy.org/
    • https://www.zaproxy.org/community/
    • https://www.zaproxy.org/download/
    • https://www.zaproxy.org/robots.txt
    • ..

  • Content-Type Header Missing [10019] total: 2:

    • https://www.zaproxy.org/docs/desktop/addons/graphql-support/index.xml
    • https://www.zaproxy.org/blog/2020-08-28-introducing-the-graphql-add-on-for-zap/

    Ignored Alerts

  • X-Content-Type-Options Header Missing [10021] total: 12:
  • Information Disclosure - Suspicious Comments [10027] total: 3:
  • Content Security Policy (CSP) Header Not Set [10038] total: 11:
  • Retrieved from Cache [10050] total: 12:
  • Private IP Disclosure [2] total: 8:
  • Application Error Disclosure [90022] total: 9:
  • Incomplete or No Cache-control and Pragma HTTP Header Set [10015] total: 11:
  • Cross-Domain JavaScript Source File Inclusion [10017] total: 10:
  • Strict-Transport-Security Header Not Set [10035] total: 12:
  • Information Disclosure - Debug Error Messages [10023] total: 5:
  • Cross-Domain Misconfiguration [10098] total: 12:
  • PII Disclosure [10062] total: 2:
  • Timestamp Disclosure - Unix [10096] total: 5:

View the following link to download the report. RunnerID:862420546

[github-actions[bot]]

• Site: http://www.zaproxy.org

• Site: https://www.zaproxy.org

View the following link to download the report. RunnerID:984757042

[kingthorin]

Something needs to be tweaked to not post empty results?

[github-actions[bot]]

• Site: http://www.zaproxy.org

• Site: https://www.zaproxy.org New Alerts

  • Hash Disclosure - Mac OSX salted SHA-1 [10097] total: 1:
    • https://www.zaproxy.org/search/index.json

View the following link to download the report. RunnerID:1196398412

[github-actions[bot]]

• Site: https://www.zaproxy.org Resolved Alerts
  • Hash Disclosure - Mac OSX salted SHA-1 [10097] total: 1:

View the following link to download the report. RunnerID:1410452254

[github-actions[bot]]

• Site: https://www.zaproxy.org New Alerts
  • User Controllable HTML Element Attribute (Potential XSS) [10031] total: 8:
    • https://www.zaproxy.org/search/?q=ZAP
    • https://www.zaproxy.org/search/?q=ZAP
    • https://www.zaproxy.org/search/?q=ZAP
    • https://www.zaproxy.org/search/?q=ZAP
    • https://www.zaproxy.org/search/?q=ZAP
    • ..

View the following link to download the report. RunnerID:1609472728

[Anthonymcqueen21]

Does Cacheable HTTPS response count as a valid informational vulnerability ?

[kingthorin]

No all the information the site serves is public.

[Anthonymcqueen21]

Okay thank you what informational bugs do you accept ?

[kingthorin]

For the BugBounty I can't think of any. The BugCrowd program is more for high impact stuff. For ZAP itself we only payout for RCEs, though we've accepted some other lower impact things like protocol usage, lack or password masking, etc. For the site we've accepted some reports like link/domain squatting. Hope that helps.

Keep in mind what ZAP is and that it's an Open Source project with very limited funds and a small team.

[Anthonymcqueen21]

Thank you well i recently sent a informational that was accepted no payout that is totally fine the fact i got accepted and not denied i was grateful.

[Anthonymcqueen21]

Remote Code Executions the holy grail of bugs well time to figure it out thank you.

[Anthonymcqueen21]

One last question, if found do you accept Path Traversal bugs ?

[kingthorin]

I guess we'd be concerned if the traversal was outside of the web root. (Well actually GitHub probably would.)

Ex: No we aren't concerned that: www.zaproxy.org/blog/../ works. However, if you can get access to /etc/passwd or something that we don't intend to have web accessible then yes obviously that's an issue.

[Anthonymcqueen21]

Okay thank you just wanted to ask RCE only got it.

[thc202]

It's preferable to use the mailing lists (Get in Touch) for these type of queries.

[Anthonymcqueen21]

Besides RCE are there any other critical or high bugs that you might be interested in or it just depends on the impact ?

[kingthorin]

It really depends on impact. RCE is currently the only thing we consistently payout for. As mentioned earlier there are things we accepted but didn't payout for, it just depends on the issue. As @thc202 mentioned if there's more to this discussion it should be moved to the User Group :wink:

[kingthorin]

https://github.com/zaproxy/zaproxy-website/issues/874