
Vulnerabilities not detected behind the authentication #100

@fdarul

I tried to launch zap-cli on the WebGoat application.
It only detects around 20 vulnerabilities.

In fact, it does not seem to scan the URLs behind the authentication (basic form authentication).
I created a context file from the UI, with a registered user (forced user, etc.).
It seems that the ajax-spider does not get past the authentication.

zap-cli session new
zap-cli context import webgoat.context
zap-cli open-url http://localhost/WebGoat
zap-cli spider -c WebGoat -u tester http://localhost/WebGoat
zap-cli ajax-spider http://localhost/WebGoat
zap-cli -v quick-scan -c WebGoat -u tester --scanners all,xss,sqli,xss_persistent,xss_reflected --spider --ajax-spider --recursive -l Informational http://localhost/WebGoat

And I just found this:
89 SQLInjection High http://localhost/WebGoat/register.mvc
6 X-Frame-OptionsHeaderNotSet Medium http://localhost
472 ParameterTampering Medium http://localhost/WebGoat/register.mvc
16 CookieNoHttpOnlyFlag Low http://localhost/WebGoat/
16 CookieWithoutSameSiteAttribute Low http://localhost/WebGoat/
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/login
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/registration
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/login?error
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/register.mvc
16 X-Content-Type-OptionsHeaderMissing Low http://localhost
565 LooselyScopedCookie Informational http://localhost/WebGoat/
565 LooselyScopedCookie Informational http://localhost/WebGoat/
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
565 LooselyScopedCookie Informational http://localhost/WebGoat/
565 LooselyScopedCookie Informational http://localhost/WebGoat/
565 LooselyScopedCookie Informational http://localhost/WebGoat/

Is there a problem? Or did I misconfigure zap-cli?
Thank you.
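A quick way to tell whether a scan like the one above actually reached the pages behind the login form is to classify every URL ZAP reported against the paths that are reachable before login. The script below is an added example, not code from zap-cli or from the issue author. It embeds the alert lines quoted in the issue as constructed input; the set of pre-login WebGoat paths (login, registration, static assets) is an assumption you should adjust for your own target, and the optional scan_as_user() helper assumes the python-owasp-zap-v2.4 client (zapv2) and a running ZAP instance.

```python
"""
Added example (not part of zap-cli or of the issue): check whether a ZAP scan
reached the part of a site that sits behind a login form. The pure functions
work offline on a list of URLs or on zap-cli alert lines; scan_as_user() needs
a running ZAP instance and the zapv2 client.
"""
import time
from urllib.parse import urlparse

# Constructed input: the alert lines quoted in the issue, in zap-cli's
# "<plugin id> <alert> <risk> <url>" form (repeated lines dropped).
ISSUE_ALERT_LINES = """\
89 SQLInjection High http://localhost/WebGoat/register.mvc
6 X-Frame-OptionsHeaderNotSet Medium http://localhost
472 ParameterTampering Medium http://localhost/WebGoat/register.mvc
16 CookieNoHttpOnlyFlag Low http://localhost/WebGoat/
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/login
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/registration
352 AbsenceofAnti-CSRFTokens Low http://localhost/WebGoat/login?error
565 LooselyScopedCookie Informational http://localhost/WebGoat/
200 TimestampDisclosure-Unix Informational http://localhost/WebGoat/plugins/bootstrap/css/bootstrap.min.css
"""

APP_PREFIX = "/WebGoat"

# Assumption: these paths are served before any login (entry page, login and
# registration forms, static assets). Anything else under the app prefix should
# only be reachable as an authenticated user; adjust for your own target.
PUBLIC_PATHS = {"", "/", "/WebGoat", "/WebGoat/"}
PUBLIC_PREFIXES = ("/WebGoat/login", "/WebGoat/register", "/WebGoat/registration",
                   "/WebGoat/plugins/", "/WebGoat/css/", "/WebGoat/js/")


def parse_alert_lines(text):
    """Turn zap-cli alert lines into dicts; lines that do not fit the shape are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        plugin_id, name, risk, url = parts
        alerts.append({"id": int(plugin_id), "name": name, "risk": risk, "url": url})
    return alerts


def classify_url(url):
    """'public' for pre-login paths, 'authenticated' for the rest of the app,
    'outside' for URLs that are not under the application prefix at all."""
    path = urlparse(url).path
    if path in PUBLIC_PATHS:
        return "public"
    if not path.startswith(APP_PREFIX):
        return "outside"
    if path.startswith(PUBLIC_PREFIXES):
        return "public"
    return "authenticated"


def coverage_report(urls):
    """Count distinct URLs per class and say whether any post-login page was reached."""
    buckets = {"public": set(), "authenticated": set(), "outside": set()}
    for url in urls:
        buckets[classify_url(url)].add(url)
    return {
        "public": len(buckets["public"]),
        "authenticated": len(buckets["authenticated"]),
        "outside": len(buckets["outside"]),
        "authenticated_urls": sorted(buckets["authenticated"]),
        "auth_reached": bool(buckets["authenticated"]),
    }


def scan_as_user(zap_url, api_key, context_name, user_name, target, poll=2):
    """Run the traditional spider and the AJAX spider as a context user through
    the ZAP API, then return the URLs ZAP now knows about. Assumes the zapv2
    client (pip package python-owasp-zap-v2.4) and a ZAP listening at zap_url."""
    from zapv2 import ZAPv2  # imported here so the offline functions need no extra package

    zap = ZAPv2(apikey=api_key, proxies={"http": zap_url, "https": zap_url})
    context_id = zap.context.context(context_name)["id"]
    users = {u["name"]: u["id"] for u in zap.users.users_list(context_id)}
    user_id = users[user_name]

    scan_id = zap.spider.scan_as_user(context_id, user_id, target, recurse=True)
    while int(zap.spider.status(scan_id)) < 100:
        time.sleep(poll)

    # The AJAX spider has its own scan-as-user call, keyed by context and user name.
    zap.ajaxSpider.scan_as_user(context_name, user_name, target)
    while zap.ajaxSpider.status == "running":
        time.sleep(poll)

    return zap.core.urls(target)


if __name__ == "__main__":
    report = coverage_report(a["url"] for a in parse_alert_lines(ISSUE_ALERT_LINES))
    print(report)
    if not report["auth_reached"]:
        print("Every finding is on a pre-login page: the spiders did not run as the context user.")
```

Run against the issue's own alert list, the report shows zero authenticated URLs: every finding sits on the login, registration or static-asset paths, which is the signature of a spider that never applied the context user. Feeding coverage_report() the output of scan_as_user(), or of `zap-cli alerts` after a rerun, gives a direct before/after comparison of whether the authenticated surface was covered.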
