
ZAP Full Scan Report #29

Closed
github-actions bot opened this issue Apr 4, 2021 · 16 comments
Comments

github-actions bot commented Apr 4, 2021

View the following link to download the report.
RunnerID:716506686

rugk (Member) commented Apr 5, 2021

BTW, the HTML report goes into more details…

Apache Range Header DoS (CVE-2011-3192) [10053] total: 20:

Huh? We don't even use Apache… 🙈

User Agent Fuzzer [10104] total: 20:

It claims with a different User-Agent different things are returned… I doubt… so… ?

(see HTML for example URLs etc.)

Also ignored some more rules & false-positives: #30

The other results are valid and basically covered by a stricter CSP (PrivateBin/PrivateBin#108) and stuff like that.

rugk (Member) commented Apr 5, 2021

BTW also checked the production website with https://observatory.mozilla.org/analyze/privatebin.net and we get an A+.
Also, it returns the content-type-header, so you likely do that in your own nginx config there.

elrido (Contributor) commented Apr 5, 2021

Yes, these settings are packaged into the nginx container that contains and hosts the static site and are found here:
https://github.com/PrivateBin/privatebin.info-pelican/blob/3637cc005be7c28992eb3d6ceef122fb25145b43/nginx.conf#L107-L115

github-actions bot (Author) commented Apr 5, 2021

  • Site: http://localhost:8080
    Resolved Alerts

    • Apache Range Header DoS (CVE-2011-3192) [10053] total: 20:
    • .env Information Leak [40034] total: 6:
    • Anti-CSRF Tokens Check [20012] total: 3:
    • Trace.axd Information Leak [40029] total: 6:
    • Cloud Metadata Potentially Exposed [90034] total: 1:

    Ignored Alerts

    • Information Disclosure - Suspicious Comments [10027] total: 12:
    • Timestamp Disclosure - Unix [10096] total: 5:
    • Absence of Anti-CSRF Tokens [10202] total: 3:

View the following link to download the report.
RunnerID:719746958

elrido added a commit that referenced this issue Apr 6, 2021
new security headers, recommended by ZAP scan #29
@rugk rugk removed their assignment Apr 15, 2021
github-actions bot (Author) commented:

View the following link to download the report.
RunnerID:754213528

@elrido elrido self-assigned this Apr 16, 2021
elrido (Contributor) commented Apr 16, 2021

Ok, I think we may have to go for a more complex solution. I'll try to use a map to add only missing headers, so they aren't duplicated for the dynamic content.

elrido added a commit that referenced this issue Apr 16, 2021
rugk (Member) commented Apr 16, 2021

…uhm… ok, as long as that is not too big a negative performance impact.

elrido (Contributor) commented Apr 17, 2021

FYI, in 453cff7 I ended up using a different approach to solve this: I remove these headers if present in the FastCGI response, then always set them with the rule we previously introduced. The problem is that nginx's add_header only adds headers and there is no mod or other command to replace headers, so the map approach didn't work out in my tests. Aside: maps are more performant than if-conditions in nginx configs.
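The hide-then-add pattern described in the comment above, written out as an added illustration; this is not the project's nginx.conf nor the contents of commit 453cff7, and the socket path, header names and header values are assumptions chosen for the example:

```nginx
# Added example (not the project's own config): drop any copy of these
# headers that the FastCGI backend emits, then set them unconditionally in
# nginx. add_header cannot replace an upstream header, only append one, so
# without the hide step the response would carry two copies of each header.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path

    # Strip the headers the application may already have sent, so that the
    # add_header rules below are the single source of truth.
    fastcgi_hide_header X-Content-Type-Options;
    fastcgi_hide_header X-Frame-Options;
    fastcgi_hide_header Referrer-Policy;

    # "always" makes nginx emit the headers on error responses (4xx/5xx) as
    # well as on 2xx/3xx; a scanner reports the header as missing otherwise.
    # Values below are illustrative, not the project's chosen policy.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Referrer-Policy no-referrer always;
}
```

Two nginx behaviours worth knowing when applying this: add_header directives are inherited from the enclosing block only if the current block defines none of its own, so a location that sets even one header must repeat the whole set; and add_header silently skips a header whose value is empty, which is why a map can conditionally suppress nginx's own copy but can never remove the one the backend already sent. The fastcgi_hide_header step is what makes the add_header rules authoritative.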

github-actions bot (Author) commented:

View the following link to download the report.
RunnerID:759852652

elrido (Contributor) commented Apr 18, 2021

There are only two medium issues remaining:

  • these 3 directives are not defined or use a wildcard in our CSP rule: connect-src, frame-ancestors, form-action - I think the last one is already tracked over in the main project. The connect-src * is required for the paste manager feature, if a site wants to allow other instances to use its API for data storage. frame-ancestors isn't tracked, AFAIK.
  • "The identified library bootstrap, version 3.3.7 is vulnerable." Fair point and so is our jQuery version - both are tracked in the main project and bootstrap 3 is the reason we haven't been able to upgrade jQuery as with >=3.5 our bootstrap breaks.

On the other reports: None of our forms make use of Anti-CSRF tokens, because none of them are sent to the server - all are processed on the JS side.

rugk (Member) commented Apr 18, 2021

form-action - I think the last one is already tracked over in the main project.

correct: PrivateBin/PrivateBin#778

jQuery: PrivateBin/PrivateBin#608

github-actions bot (Author) commented:

  • Site: http://localhost:8080
    Resolved Alerts

    • User Agent Fuzzer [10104] total: 20:

    Ignored Alerts

    • CSP: Wildcard Directive [10055] total: 3:
    • Modern Web Application [10109] total: 5:
    • CSP: Notices [10055] total: 3:

View the following link to download the report.
RunnerID:775043757

github-actions bot (Author) commented:

View the following link to download the report.
RunnerID:966558993

elrido (Contributor) commented Jun 26, 2021

svn_dir: We let all requests that don't match a static file (css, js, images) be handled by the index.php, so it just returns the app on that path.

elrido added a commit that referenced this issue Jun 26, 2021
github-actions bot (Author) commented:

View the following link to download the report.
RunnerID:973478204

rugk (Member) commented Feb 28, 2022

Closing this as ZAP has apparently decided to use a new issue for the reports hehe: #69

@rugk rugk closed this as completed Feb 28, 2022
elsoa-invitech pushed a commit to elsoa-invitech/docker-nginx-fpm-alpine that referenced this issue Oct 31, 2023