Professional Documents
Culture Documents
ZAP Scanning Report PDF
ZAP Scanning Report PDF
Alert Detail
https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_rank
URL
er_model_20170329.pb.bin
Method GET
Parameter X-Frame-Options
Instances 1
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web
pages returned by your site (if you expect the page to be framed only by pages on your server
Solution (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never
expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to
frame the web page in supported web browsers).
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-
Reference
options.aspx
CWE Id 16
WASC Id 15
Source ID 3
http://10.53.240.16:9089/ahp-ext-web/application/feasibility/financial.jsf?
URL
selectedTab=commitmentLetters
Method GET
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/review.jsf
Method GET
Parameter X-Frame-Options
http://10.53.240.16:9089/ahp-ext-web/application/scoring/donatedProperty/donatedProperty.jsf?
URL
selectedTab=donationEvidence
Method GET
file:///C:/Users/bramesh/Desktop/ZapReport.html 1/14
18/02/2020 ZAP Scanning Report
Parameter X-Frame-Options
http://10.53.240.16:9089/ahp-ext-web/application/feasibility/financial.jsf?
URL
selectedTab=homeOwnerRehabilitation
Method GET
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/firstDistrict/rural.jsf
Method POST
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/home.jsf
Method GET
Parameter X-Frame-Options
http://10.53.240.16:9089/ahp-ext-
URL
web/application/scoring/secondDistrict/memberFinancialParticipation.jsf
Method POST
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/housingForHomeless.jsf
Method GET
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/marketStudy.jsf
Method GET
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/donatedProperty/donatedProperty.jsf
Method POST
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/financial.jsf
Method POST
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/homeOwnership.jsf
Method POST
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/displacement.jsf
Method POST
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/targeting.jsf
Method GET
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/inputContact.jsf
Method GET
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/application.jsf
file:///C:/Users/bramesh/Desktop/ZapReport.html 2/14
18/02/2020 ZAP Scanning Report
Method GET
Parameter X-Frame-Options
http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/developmentTeam.jsf?
URL
selectedTab=roleSelection
Method GET
Parameter X-Frame-Options
http://10.53.240.16:9089/ahp-ext-web/application/feasibility/financial.jsf?
URL
selectedTab=feasibilityAnalysis
Method GET
Parameter X-Frame-Options
http://10.53.240.16:9089/ahp-ext-
URL
web/application/applicationInformation/applicationDescription.jsf?selectedTab=siteInfo
Method GET
Parameter X-Frame-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/sponsorRole.jsf
Method POST
Parameter X-Frame-Options
Instances 60
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web
pages returned by your site (if you expect the page to be framed only by pages on your server
Solution (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never
expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to
frame the web page in supported web browsers).
http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-
Reference
options.aspx
CWE Id 16
WASC Id 15
Source ID 3
https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_rank
URL
er_model_20170329.pb.bin
Method GET
Parameter X-XSS-Protection
Evidence X-XSS-Protection: 0
Instances 1
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP
Solution
response header to '1'.
Other information The X-XSS-Protection HTTP response header allows the web server to enable or disable the web
browser's XSS protection mechanism. The following values would attempt to enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome
and Safari (WebKit).
Note that this alert is only raised if the response body could potentially contain an XSS payload
(with a text-based content type, with a non-zero length).
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Reference
https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
CWE Id 933
WASC Id 14
Source ID 3
https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_rank
URL
er_model_20170329.pb.bin
Method GET
Parameter Cache-Control
Evidence public, max-age=31536000
Instances 1
Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store, must-
Solution
revalidate; and that the pragma HTTP header is set with no-cache.
Reference https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching
CWE Id 525
WASC Id 13
Source ID 3
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/secondDistrict/readinessToProceed.jsf
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/sponsorRole.jsf
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/javax.faces.resource/theme.css.jsf?ln=primefaces-aristo
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/targeting.jsf
file:///C:/Users/bramesh/Desktop/ZapReport.html 4/14
18/02/2020 ZAP Scanning Report
Method POST
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/applicationInformation/applicationDescription.jsf
Method POST
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/javax.faces.resource/js/common.js.jsf
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/home.jsf
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/javax.faces.resource/theme/pittsburgh/css/ahp.css.jsf
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/readinessToProceed.jsf
Method POST
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/homeOwnership.jsf
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/empowerment.jsf
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/marketStudy.jsf
Method POST
Parameter X-Content-Type-Options
http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/developmentTeam.jsf?
URL
selectedTab=teamMembers
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/communityStability.jsf
Method GET
Parameter X-Content-Type-Options
http://10.53.240.16:9089/ahp-ext-
URL
web/application/applicationInformation/applicationDescription.jsf?selectedTab=applicationInfo
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/primaryDeveloper.jsf
Method GET
Parameter X-Content-Type-Options
file:///C:/Users/bramesh/Desktop/ZapReport.html 5/14
18/02/2020 ZAP Scanning Report
URL http://10.53.240.16:9089/ahp-ext-web/application/sponsorApproval.jsf
Method GET
Parameter X-Content-Type-Options
http://10.53.240.16:9089/ahp-ext-web/javax.faces.resource/oamSubmit.js.jsf?
URL
ln=org.apache.myfaces
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/application.jsf
Method GET
Parameter X-Content-Type-Options
URL http://10.53.240.16:9089/ahp-ext-web/javax.faces.resource/theme/pittsburgh/css/wizard.css.jsf
Method GET
Parameter X-Content-Type-Options
Instances 82
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets
the X-Content-Type-Options header to 'nosniff' for all web pages.
Solution
If possible, ensure that the end user uses a standards-compliant and modern web browser that
does not perform MIME-sniffing at all, or that can be directed by the web application/web server to
not perform MIME-sniffing.
This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still
affected by injection issues, in which case there is still concern for browsers sniffing pages away
Other information from their actual content type.
At "High" threshold this scanner will not alert on client or server error responses.
http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
Reference
https://www.owasp.org/index.php/List_of_useful_HTTP_headers
CWE Id 16
WASC Id 15
Source ID 3
A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to
a target destination without their knowledge or intent in order to perform an action as the victim.
The underlying cause is application functionality using predictable URL/form actions in a
repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a
user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like
XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is
also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.
CSRF has primarily been used to perform an action against a target site using the victim's
privileges, but recent techniques have been discovered to disclose information by gaining access
file:///C:/Users/bramesh/Desktop/ZapReport.html 6/14
18/02/2020 ZAP Scanning Report
to the response. The risk of information disclosure is dramatically increased when the target site is
vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to
operate within the bounds of the same-origin policy.
http://10.53.240.16:9089/ahp-ext-web/application/feasibility/financial.jsf?
URL
selectedTab=homeOwnerRehabilitation
Method GET
<form id="menuForm" name="menuForm" method="post" action="/ahp-ext-
Evidence
web/application/feasibility/financial.jsf" enctype="application/x-www-form-urlencoded">
http://10.53.240.16:9089/ahp-ext-
URL
web/application/applicationInformation/applicationDescription.jsf?selectedTab=fairHousing
Method GET
<form id="menuForm" name="menuForm" method="post" action="/ahp-ext-
Evidence web/application/applicationInformation/applicationDescription.jsf" enctype="application/x-www-
form-urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/primaryDeveloper.jsf
Method GET
<form id="j_id669617207_1b60292e" name="j_id669617207_1b60292e" method="post"
Evidence action="/ahp-ext-web/application/feasibility/development/primaryDeveloper.jsf"
enctype="application/x-www-form-urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/firstDistrict/rural.jsf
Method POST
<form id="pageTemplateForm" name="pageTemplateForm" method="post" action="/ahp-ext-
Evidence
web/application/scoring/firstDistrict/rural.jsf" enctype="multipart/form-data">
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/primaryDeveloper.jsf
Method POST
<form id="wbcform" name="wbcform" method="post" action="/ahp-ext-
Evidence web/application/feasibility/development/primaryDeveloper.jsf" enctype="application/x-www-form-
urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/readinessToProceed.jsf
Method GET
<form id="j_id1226792662_1b60292e" name="j_id1226792662_1b60292e" method="post"
Evidence action="/ahp-ext-web/application/feasibility/readinessToProceed.jsf" enctype="application/x-www-
form-urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/homeOwnership.jsf
Method GET
<form id="j_id1001201811_1b60292e" name="j_id1001201811_1b60292e" method="post"
Evidence action="/ahp-ext-web/application/scoring/homeOwnership.jsf" enctype="application/x-www-form-
urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/sponsorApproval.jsf
Method GET
<form id="j_id1531965843_1b60292e" name="j_id1531965843_1b60292e" method="post"
Evidence action="/ahp-ext-web/application/sponsorApproval.jsf" enctype="application/x-www-form-
urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/secondDistrict/readinessToProceed.jsf
Method GET
<form id="pageTemplateForm" name="pageTemplateForm" method="post" action="/ahp-ext-
Evidence
web/application/scoring/secondDistrict/readinessToProceed.jsf" enctype="multipart/form-data">
file:///C:/Users/bramesh/Desktop/ZapReport.html 7/14
18/02/2020 ZAP Scanning Report
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/review.jsf
Method GET
<form id="j_id623173305_1b60292e" name="j_id623173305_1b60292e" method="post"
Evidence
action="/ahp-ext-web/initiateApplication/review.jsf" enctype="application/x-www-form-urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/developmentTeam.jsf
Method POST
<form id="pageTemplateForm" name="pageTemplateForm" method="post" action="/ahp-ext-
Evidence
web/application/feasibility/development/developmentTeam.jsf" enctype="multipart/form-data">
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/disclosure.jsf
Method GET
<form id="wbcform" name="wbcform" method="post" action="/ahp-ext-
Evidence web/application/feasibility/development/disclosure.jsf" enctype="application/x-www-form-
urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/inputContact.jsf
Method GET
<form id="j_id22929303_1b60292e" name="j_id22929303_1b60292e" method="post"
Evidence action="/ahp-ext-web/initiateApplication/inputContact.jsf" enctype="application/x-www-form-
urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/empowerment.jsf
Method GET
<form id="j_id421423842_1b60292e" name="j_id421423842_1b60292e" method="post"
Evidence action="/ahp-ext-web/application/scoring/empowerment.jsf" enctype="application/x-www-form-
urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/financial.jsf
Method POST
<form id="pageTemplateForm" name="pageTemplateForm" method="post" action="/ahp-ext-
Evidence
web/application/feasibility/financial.jsf" enctype="multipart/form-data">
http://10.53.240.16:9089/ahp-ext-
URL
web/application/applicationInformation/applicationDescription.jsf?selectedTab=siteInfo
Method GET
<form id="pageTemplateForm" name="pageTemplateForm" method="post" action="/ahp-ext-
Evidence
web/application/applicationInformation/applicationDescription.jsf" enctype="multipart/form-data">
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/disclosure.jsf
Method GET
<form id="j_id133040814_1b60292e" name="j_id133040814_1b60292e" method="post"
Evidence action="/ahp-ext-web/application/feasibility/development/disclosure.jsf" enctype="application/x-
www-form-urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/targeting.jsf
Method POST
<form id="pageTemplateForm" name="pageTemplateForm" method="post" action="/ahp-ext-
Evidence
web/application/scoring/targeting.jsf" enctype="multipart/form-data">
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/firstDistrict/rural.jsf
Method GET
<form id="wbcform" name="wbcform" method="post" action="/ahp-ext-
Evidence
web/application/scoring/firstDistrict/rural.jsf" enctype="application/x-www-form-urlencoded">
URL http://10.53.240.16:9089/ahp-ext-web/application/home.jsf
file:///C:/Users/bramesh/Desktop/ZapReport.html 8/14
18/02/2020 ZAP Scanning Report
Method GET
<form id="j_id839252005_1b60292e" name="j_id839252005_1b60292e" method="post"
Evidence
action="/ahp-ext-web/application/home.jsf" enctype="application/x-www-form-urlencoded">
Instances 248
Phase: Architecture and Design
Use a vetted library or framework that does not allow this weakness to occur or provides
constructs that make this weakness easier to avoid.
Phase: Implementation
Ensure that your application is free of cross-site scripting issues, because most CSRF defenses
can be bypassed using attacker-controlled script.
Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon
receipt of the form. Be sure that the nonce is not predictable (CWE-330).
Identify especially dangerous operations. When the user performs a dangerous operation, send a
separate confirmation request to ensure that the user intended to perform that operation.
Do not use the GET method for any request that triggers a state change.
Phase: Implementation
Check the HTTP Referer header to see if the request originated from an expected page. This
could break legitimate functionality, because users or proxies may have disabled sending the
Referer for privacy reasons.
No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken,
csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf,
Other information
_csrfSecret] was found in the following HTML form: [Form 3: "menuForm_SUBMIT"
"javax.faces.ViewState" ].
http://projects.webappsec.org/Cross-Site-Request-Forgery
Reference
http://cwe.mitre.org/data/definitions/352.html
CWE Id 352
WASC Id 9
Source ID 3
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/housingForHomeless.jsf
Method POST
Parameter oam.Flash.RENDERMAP.TOKEN
Evidence Set-Cookie: oam.Flash.RENDERMAP.TOKEN
file:///C:/Users/bramesh/Desktop/ZapReport.html 9/14
18/02/2020 ZAP Scanning Report
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/primaryDeveloper.jsf
Method GET
Parameter oam.Flash.RENDERMAP.TOKEN
Evidence Set-Cookie: oam.Flash.RENDERMAP.TOKEN
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/leadMember.jsf
Method GET
Parameter oam.Flash.REDIRECT
Evidence Set-Cookie: oam.Flash.REDIRECT
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/leadContact.jsf
Method GET
Parameter oam.Flash.RENDERMAP.TOKEN
Evidence Set-Cookie: oam.Flash.RENDERMAP.TOKEN
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/firstDistrict/rural.jsf
Method GET
Parameter oam.Flash.RENDERMAP.TOKEN
Evidence Set-Cookie: oam.Flash.RENDERMAP.TOKEN
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/disclosure.jsf
Method POST
Parameter oam.Flash.RENDERMAP.TOKEN
Evidence Set-Cookie: oam.Flash.RENDERMAP.TOKEN
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/developmentTeam.jsf
Method POST
Parameter oam.Flash.RENDERMAP.TOKEN
Evidence Set-Cookie: oam.Flash.RENDERMAP.TOKEN
http://10.53.240.16:9089/ahp-ext-
URL
web/application/applicationInformation/applicationDescription.jsf?selectedTab=applicationInfo
Method GET
Parameter oam.Flash.RENDERMAP.TOKEN
Evidence Set-Cookie: oam.Flash.RENDERMAP.TOKEN
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/application.jsf
Method POST
Parameter oam.Flash.REDIRECT
Evidence Set-Cookie: oam.Flash.REDIRECT
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/homeOwnership.jsf
Method GET
Parameter oam.Flash.RENDERMAP.TOKEN
Evidence Set-Cookie: oam.Flash.RENDERMAP.TOKEN
http://10.53.240.16:9089/ahp-ext-
URL
web/application/scoring/secondDistrict/memberFinancialParticipation.jsf
Method GET
file:///C:/Users/bramesh/Desktop/ZapReport.html 10/14
18/02/2020 ZAP Scanning Report
Parameter oam.Flash.RENDERMAP.TOKEN
Solution Ensure that the HttpOnly flag is set for all cookies.
Reference http://www.owasp.org/index.php/HttpOnly
CWE Id 16
WASC Id 13
Source ID 3
http://10.53.240.16:9089/ahp-ext-web/application/scoring/donatedProperty/donatedProperty.jsf?
URL
selectedTab=donationInfo
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/developmentTeam.jsf
Method POST
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/firstDistrict/rural.jsf
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/leadContact.jsf
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/homeOwnership.jsf
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/home.jsf
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/targeting.jsf
Method POST
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/housingForHomeless.jsf
Method POST
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/communityStability.jsf
Method POST
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/confirmation.jsf
Method GET
Parameter X-XSS-Protection
file:///C:/Users/bramesh/Desktop/ZapReport.html 12/14
18/02/2020 ZAP Scanning Report
URL http://10.53.240.16:9089/ahp-ext-web/mockLogin.jsf
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/empowerment.jsf
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/communityStability.jsf
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/scoring/empowerment.jsf
Method POST
Parameter X-XSS-Protection
http://10.53.240.16:9089/ahp-ext-web/application/feasibility/development/developmentTeam.jsf?
URL
selectedTab=teamMembers
Method GET
Parameter X-XSS-Protection
http://10.53.240.16:9089/ahp-ext-
URL
web/application/applicationInformation/applicationDescription.jsf?selectedTab=siteParcel
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/feasibility/marketStudy.jsf
Method POST
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/sponsorApproval.jsf
Method POST
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/application/home.jsf?id=6134
Method GET
Parameter X-XSS-Protection
URL http://10.53.240.16:9089/ahp-ext-web/initiateApplication/leadMember.jsf
Method GET
Parameter X-XSS-Protection
Instances 60
Ensure that the web browser's XSS filter is enabled, by setting the X-XSS-Protection HTTP
Solution
response header to '1'.
Other information The X-XSS-Protection HTTP response header allows the web server to enable or disable the web
browser's XSS protection mechanism. The following values would attempt to enable it:
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=http://www.example.com/xss
X-XSS-Protection: 0
file:///C:/Users/bramesh/Desktop/ZapReport.html 13/14
18/02/2020 ZAP Scanning Report
The X-XSS-Protection HTTP response header is currently supported on Internet Explorer, Chrome
and Safari (WebKit).
Note that this alert is only raised if the response body could potentially contain an XSS payload
(with a text-based content type, with a non-zero length).
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Reference
https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/
CWE Id 933
WASC Id 14
Source ID 3
file:///C:/Users/bramesh/Desktop/ZapReport.html 14/14