
add vulnerability testing for web applications #654

Closed
tomkralidis opened this issue Apr 19, 2024 · 3 comments
Labels
security Security web application Web application
Milestone

Comments

@tomkralidis
Collaborator

Ensure that web applications are scanned/penetration tested (suggest using zaproxy to scan for critical alerts).

@tomkralidis tomkralidis added web application Web application security Security labels Apr 19, 2024
@tomkralidis tomkralidis added this to the sprint-015 milestone Apr 19, 2024
@maaikelimper
Collaborator

maaikelimper commented Jun 21, 2024

I ran zaproxy as part of the GitHub-test that runs wis2box-api, it created the following report:
wmo-im/wis2box-api#60

@maaikelimper
Collaborator

I checked the items listed in the report; they actually all have "Risk | Medium" or less ...

I will try to study how to only detect higher risk items ...

Risk | Medium

  • Absence of Anti-CSRF Tokens [10202] Risk | Medium
  • Content Security Policy (CSP) Header Not Set [10038] Risk | Medium
  • Cross-Domain Misconfiguration [10098] Risk | Medium
  • Missing Anti-clickjacking Header [10020] Risk | Medium
  • Sub Resource Integrity Attribute Missing [90003] Risk | Medium
  • Application Error Disclosure [90022] Risk | Medium

Risk | Low

  • Cookie with SameSite Attribute None [10054] Risk | Low
  • Cross-Domain JavaScript Source File Inclusion [10017] Risk | Low
  • Information Disclosure - Debug Error Messages [10023] Risk | Low
  • Permissions Policy Header Not Set [10063] Risk | Low
  • Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037] Risk | Low
  • Timestamp Disclosure - Unix [10096] Risk | Low
  • X-Content-Type-Options Header Missing [10021] Risk | Low

Risk | Informational

  • Information Disclosure - Suspicious Comments [10027]
  • Loosely Scoped Cookie [90033] Risk | Informational
  • Non-Storable Content [10049] Risk | Informational
  • Session Management Response Identified [10112] Risk | Informational
  • Storable and Cacheable Content [10049] Risk | Informational

@tomkralidis
Collaborator Author

We should run against:

  • wis2box-ui
  • wis2box-api
  • wis2box-webapp

...and inspect all output/report, and action only items that are High or Critical.
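The two comments above ask for a way to keep only the higher-risk findings and to act only on those. The script below is an added example (not code from this issue or the wis2box project): it reads a ZAP JSON report, keeps alerts whose `riskcode` meets a threshold (ZAP's scale is 0 Informational, 1 Low, 2 Medium, 3 High, with no separate "Critical" level) and returns a non-zero status for CI when any remain. The embedded report is constructed to mimic ZAP's `site -> alerts` layout; the plugin ids and names are the ones quoted in the thread, and the single High alert (`99999`) is invented for illustration.

```python
import json
import sys

# Numeric risk codes ZAP writes into the "riskcode" field of its JSON report.
RISK_LEVELS = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed sample report (same shape as a ZAP JSON report, not real scan
# output). Plugin ids 10202/10037/10027 are from the issue above; 99999 is a
# made-up High-risk entry so that the gate has something to trip on.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://wis2box-api.example",  # placeholder site name
        "alerts": [
            {"pluginid": "10202", "alert": "Absence of Anti-CSRF Tokens", "riskcode": "2"},
            {"pluginid": "10037", "alert": "Server Leaks Information via X-Powered-By", "riskcode": "1"},
            {"pluginid": "10027", "alert": "Information Disclosure - Suspicious Comments", "riskcode": "0"},
            {"pluginid": "99999", "alert": "Hypothetical High-risk alert", "riskcode": "3"},
        ],
    }]
})


def alerts_at_or_above(report_json: str, min_risk: int = 3) -> list[dict]:
    """Return alerts from every site whose riskcode >= min_risk (3 = High)."""
    report = json.loads(report_json)
    hits = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= min_risk:
                hits.append({
                    "site": site.get("@name", ""),
                    "pluginid": alert.get("pluginid", ""),
                    "alert": alert.get("alert", ""),
                    "risk": RISK_LEVELS.get(str(risk), str(risk)),
                })
    return hits


def gate(report_json: str, min_risk: int = 3) -> int:
    """CI exit status: 1 if any alert meets the threshold, otherwise 0."""
    hits = alerts_at_or_above(report_json, min_risk)
    for h in hits:
        print(f"{h['risk']:<13} [{h['pluginid']}] {h['alert']} ({h['site']})")
    return 1 if hits else 0


if __name__ == "__main__":
    # Usage: python zap_gate.py report.json ; without a path the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

Lowering `min_risk` to 2 would make the Medium items listed above fail the job as well, which is the opposite of what the thread decided, so the default is kept at High.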

This was referenced Jun 24, 2024