ZAP Scanning Report
ZAP Scanning Report
| Risk Level | Number of Alerts |
|---|---|
|
High
|
0
|
|
Medium
|
1
|
|
Low
|
2
|
|
Informational
|
6
|
|
False Positives:
|
0
|
For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).
| Name | Risk Level | Number of Instances |
|---|---|---|
| Content Security Policy (CSP) Header Not Set | Medium | 1 |
| Permissions Policy Header Not Set | Low | 3 |
| Strict-Transport-Security Header Not Set | Low | 3 |
| Modern Web Application | Informational | 3 |
| Sec-Fetch-Dest Header is Missing | Informational | 3 |
| Sec-Fetch-Mode Header is Missing | Informational | 3 |
| Sec-Fetch-Site Header is Missing | Informational | 3 |
| Sec-Fetch-User Header is Missing | Informational | 3 |
| Storable but Non-Cacheable Content | Informational | 3 |
|
Medium |
Content Security Policy (CSP) Header Not Set |
|---|---|
| Description |
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
|
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 1 |
| Solution |
Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.
|
| Reference |
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html https://www.w3.org/TR/CSP/ https://w3c.github.io/webappsec-csp/ https://web.dev/articles/csp https://caniuse.com/#feat=contentsecuritypolicy https://content-security-policy.com/ |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10038 |
|
Low |
Permissions Policy Header Not Set |
|---|---|
| Description |
Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.
|
| URL | https://connect.inclusion.beta.gouv.fr |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 3 |
| Solution |
Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.
|
| Reference |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
https://developer.chrome.com/blog/feature-policy/ https://scotthelme.co.uk/a-new-security-header-feature-policy/ https://w3c.github.io/webappsec-feature-policy/ https://www.smashingmagazine.com/2018/12/feature-policy/ |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10063 |
|
Low |
Strict-Transport-Security Header Not Set |
|---|---|
| Description |
HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL). HSTS is an IETF standards track protocol and is specified in RFC 6797.
|
| URL | https://connect.inclusion.beta.gouv.fr |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 3 |
| Solution |
Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
|
| Reference |
https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html
https://owasp.org/www-community/Security_Headers https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security https://caniuse.com/stricttransportsecurity https://datatracker.ietf.org/doc/html/rfc6797 |
| CWE Id | 319 |
| WASC Id | 15 |
| Plugin Id | 10035 |
|
Informational |
Modern Web Application |
|---|---|
| Description |
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
|
| URL | https://connect.inclusion.beta.gouv.fr |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <script> document.addEventListener("DOMContentLoaded", () => { const copyButton = document.querySelector('#copy-btn'); const copiedMessage = document.querySelector('.error-output'); const responseContent = document.querySelector('code#response-content'); copyButton.addEventListener('click', () => { const text = responseContent.innerText; navigator.clipboard.writeText(text).then(() => { copiedMessage.textContent = 'Copied to Clipboard'; setTimeout(() => { copiedMessage.textContent = ' '; }, 5000); }); }); }); </script> |
| Other Info | No links have been found while there are scripts, which is an indication that this is a modern web application. |
| URL | https://connect.inclusion.beta.gouv.fr/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <script> document.addEventListener("DOMContentLoaded", () => { const copyButton = document.querySelector('#copy-btn'); const copiedMessage = document.querySelector('.error-output'); const responseContent = document.querySelector('code#response-content'); copyButton.addEventListener('click', () => { const text = responseContent.innerText; navigator.clipboard.writeText(text).then(() => { copiedMessage.textContent = 'Copied to Clipboard'; setTimeout(() => { copiedMessage.textContent = ' '; }, 5000); }); }); }); </script> |
| Other Info | No links have been found while there are scripts, which is an indication that this is a modern web application. |
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <script> document.addEventListener("DOMContentLoaded", () => { const copyButton = document.querySelector('#copy-btn'); const copiedMessage = document.querySelector('.error-output'); const responseContent = document.querySelector('code#response-content'); copyButton.addEventListener('click', () => { const text = responseContent.innerText; navigator.clipboard.writeText(text).then(() => { copiedMessage.textContent = 'Copied to Clipboard'; setTimeout(() => { copiedMessage.textContent = ' '; }, 5000); }); }); }); </script> |
| Other Info | No links have been found while there are scripts, which is an indication that this is a modern web application. |
| Instances | 3 |
| Solution |
This is an informational alert and so no changes are required.
|
| Reference | |
| CWE Id | |
| WASC Id | |
| Plugin Id | 10109 |
|
Informational |
Sec-Fetch-Dest Header is Missing |
|---|---|
| Description |
Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.
|
| URL | https://connect.inclusion.beta.gouv.fr |
| Method | GET |
| Parameter | Sec-Fetch-Dest |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/robots.txt |
| Method | GET |
| Parameter | Sec-Fetch-Dest |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | Sec-Fetch-Dest |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 3 |
| Solution |
Ensure that Sec-Fetch-Dest header is included in request headers.
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest |
| CWE Id | 352 |
| WASC Id | 9 |
| Plugin Id | 90005 |
|
Informational |
Sec-Fetch-Mode Header is Missing |
|---|---|
| Description |
Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.
|
| URL | https://connect.inclusion.beta.gouv.fr |
| Method | GET |
| Parameter | Sec-Fetch-Mode |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/robots.txt |
| Method | GET |
| Parameter | Sec-Fetch-Mode |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | Sec-Fetch-Mode |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 3 |
| Solution |
Ensure that Sec-Fetch-Mode header is included in request headers.
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode |
| CWE Id | 352 |
| WASC Id | 9 |
| Plugin Id | 90005 |
|
Informational |
Sec-Fetch-Site Header is Missing |
|---|---|
| Description |
Specifies the relationship between request initiator's origin and target's origin.
|
| URL | https://connect.inclusion.beta.gouv.fr |
| Method | GET |
| Parameter | Sec-Fetch-Site |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/robots.txt |
| Method | GET |
| Parameter | Sec-Fetch-Site |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | Sec-Fetch-Site |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 3 |
| Solution |
Ensure that Sec-Fetch-Site header is included in request headers.
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site |
| CWE Id | 352 |
| WASC Id | 9 |
| Plugin Id | 90005 |
|
Informational |
Sec-Fetch-User Header is Missing |
|---|---|
| Description |
Specifies if a navigation request was initiated by a user.
|
| URL | https://connect.inclusion.beta.gouv.fr |
| Method | GET |
| Parameter | Sec-Fetch-User |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/robots.txt |
| Method | GET |
| Parameter | Sec-Fetch-User |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | Sec-Fetch-User |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 3 |
| Solution |
Ensure that Sec-Fetch-User header is included in user initiated requests.
|
| Reference | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User |
| CWE Id | 352 |
| WASC Id | 9 |
| Plugin Id | 90005 |
|
Informational |
Storable but Non-Cacheable Content |
|---|---|
| Description |
The response contents are storable by caching components such as proxy servers, but will not be retrieved directly from the cache, without validating the request upstream, in response to similar requests from other users.
|
| URL | https://connect.inclusion.beta.gouv.fr |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | no-cache |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/robots.txt |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | no-cache |
| Other Info | |
| URL | https://connect.inclusion.beta.gouv.fr/sitemap.xml |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | no-cache |
| Other Info | |
| Instances | 3 |
| Solution | |
| Reference |
https://datatracker.ietf.org/doc/html/rfc7234
https://datatracker.ietf.org/doc/html/rfc7231 https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html |
| CWE Id | 524 |
| WASC Id | 13 |
| Plugin Id | 10049 |