{
    "@version": "D-2020-06-24",
    "@generated": "Mon, 29 Jun 2020 08:33:59",
    "site": [
        {
            "@name": "https://bodgeit.demo-targets.svc",
            "@host": "bodgeit.demo-targets.svc",
            "@port": "443",
            "@ssl": "true",
            "alerts": [
                {
                    "pluginid": "10106",
                    "alert": "HTTP Only Site",
                    "name": "HTTP Only Site",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>The site is only served under HTTP and not HTTPS.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080",
                            "method": "GET"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Configure your web or application server to use SSL (https).<\/p>",
                    "otherinfo": "<p>Failed to connect.<\/p><p>ZAP attempted to connect via: https://bodgeit.demo-targets.svc:443<\/p>",
                    "reference": "<p>https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html<\/p><p>https://letsencrypt.org/<\/p>",
                    "cweid": "311",
                    "wascid": "4",
                    "sourceid": "1"
                }
            ]
        },
        {
            "@name": "http://bodgeit.demo-targets.svc:8080",
            "@host": "bodgeit.demo-targets.svc",
            "@port": "8080",
            "@ssl": "false",
            "alerts": [
                {
                    "pluginid": "90028",
                    "alert": "Insecure HTTP Method - PUT",
                    "name": "Insecure HTTP Method - PUT",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>This method was originally intended for file managemant operations. It is now most commonly used in REST services, PUT is most-often utilized for **update** capabilities, PUT-ing to a known resource URI with the request body containing the newly-updated representation of the original resource..<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/misc/EchoAttributesTag.java.html/s8uclk08bz",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.html/tzuj5ogtbx",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/forward/fwd.html/3t6zfqtnqe",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/x351y6uhoj",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/manager/psvhs1vz88",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jts.html/dd6wfwbmkl",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ServletToJsp.java.html/3vdg6c89rv",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ktyhhbonqd",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/calendar.html/7rx7ih6pz8",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/composite.jsp.html/2sw49hyduf",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-jndi-realm.html/oz35t93hex",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-interceptor.html/7b3iipmfhp",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/panel.html/o7g7pdpkkz",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/tribes/package-summary.html/q94lxax2bm",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jspapi/tu7ozpyxxx",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/helloWorld.tag.html/wch3hc25o5",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.html/fzjtgyhfrt",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/aio.html/737jz15t5z",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/transport.html/tme98v7qo3",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/web.xml.txt/3feawr1mrb",
                            "method": "PUT",
                            "evidence": "response code 403 for potentially insecure HTTP METHOD"
                        }
                    ],
                    "count": "323",
                    "solution": "<p>TBA<\/p>",
                    "otherinfo": "<p>See the discussion on stackexchange: https://security.stackexchange.com/questions/21413/how-to-exploit-http-methods, for understanding REST operations see http://www.restapitutorial.com/lessons/httpmethods.html<\/p>",
                    "reference": "<p>http://projects.webappsec.org/Fingerprinting<\/p><p><\/p>",
                    "cweid": "200",
                    "wascid": "45",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10104",
                    "alert": "User Agent Fuzzer",
                    "name": "User Agent Fuzzer",
                    "riskcode": "0",
                    "confidence": "2",
                    "riskdesc": "Informational (Medium)",
                    "desc": "<p>Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/chat",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/host-manager",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/servletapi",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/requestProcess",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestHeaderExample",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/elapi",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/sample",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.jsp",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/websocketapi",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/host-manager",
                            "method": "GET",
                            "param": "Header User-Agent",
                            "attack": "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
                        }
                    ],
                    "count": "455",
                    "solution": "<p><\/p>",
                    "reference": "<p>https://owasp.org/wstg<\/p>",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10036",
                    "alert": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
                    "name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field",
                    "riskcode": "1",
                    "confidence": "3",
                    "riskdesc": "Low (High)",
                    "desc": "<p>The web/application server is leaking version information via the \"Server\" HTTP response header. Access to such information may facilitate attackers identifying other vulnerabilities your web/application server is subject to.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/index.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ServletToJsp.java.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-default.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/FindBookSimpleTag.java.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspx/basic.jspx",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/if.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/login.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/repeat.jsp",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jndi-resources-howto.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/status.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=foo&datavalue=bar",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/checkresult.jsp?fruit=apples&submit=Submit",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/cookies.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/plugin/plugin.jsp",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/monitoring.html",
                            "method": "GET",
                            "evidence": "Apache-Coyote/1.1"
                        }
                    ],
                    "count": "337",
                    "solution": "<p>Ensure that your web server, application server, load balancer, etc. is configured to suppress the \"Server\" header or provide generic details.<\/p>",
                    "reference": "<p>http://httpd.apache.org/docs/current/mod/core.html#servertokens<\/p><p>http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007<\/p><p>http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx<\/p><p>http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html<\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10020",
                    "alert": "X-Frame-Options Header Not Set",
                    "name": "X-Frame-Options Header Not Set",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/include/include.jsp.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/automatic-deployment.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/hello.jsp",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/cluster-howto.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/interceptors.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/installation.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/ValuesBean.java.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/context.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/checkresult.jsp.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-receiver.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/index.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/simpletag/foo.jsp.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/book.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/realm-howto.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/ssi-howto.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/index.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/introduction.html",
                            "method": "GET",
                            "param": "X-Frame-Options"
                        }
                    ],
                    "count": "280",
                    "solution": "<p>Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).<\/p>",
                    "reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options<\/p>",
                    "cweid": "16",
                    "wascid": "15",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10063",
                    "alert": "Feature Policy Header Not Set",
                    "name": "Feature Policy Header Not Set",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>Feature Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Feature Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/dates/date.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/index.xhtml",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jspapi/index.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/rewrite.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/choose.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jts.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/index.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-apps.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/plugin/plugin.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/comments.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/resources.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/err.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=foo&datavalue=bar",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/foreach.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/hello.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/Functions.java.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/deployer-howto.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/FindBookSimpleTag.java.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/shuffle.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/jar-scanner.html",
                            "method": "GET"
                        }
                    ],
                    "count": "298",
                    "solution": "<p>Ensure that your web server, application server, load balancer, etc. is configured to set the Feature-Policy header.<\/p>",
                    "reference": "<p>https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy<\/p><p>https://developers.google.com/web/updates/2018/06/feature-policy<\/p><p>https://scotthelme.co.uk/a-new-security-header-feature-policy/<\/p><p>https://w3c.github.io/webappsec-feature-policy/<\/p><p>https://www.smashingmagazine.com/2018/12/feature-policy/<\/p>",
                    "cweid": "16",
                    "wascid": "15",
                    "sourceid": "3"
                },
                {
                    "pluginid": "90027",
                    "alert": "Cookie Slack Detector",
                    "name": "Cookie Slack Detector",
                    "riskcode": "1",
                    "confidence": "1",
                    "riskdesc": "Low (Low)",
                    "desc": "<p>Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/images/execute.gif",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ServletToJsp.java.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/er.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=remove",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/chat",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/checkresult.jsp?fruit=apples&submit=Submit",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/FindBookSimpleTag.java.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/Functions.java.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/clr.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images/return.gif",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/if.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images/read.gif",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/composite.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/hello.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images/execute.gif",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/panel.html",
                            "method": "GET"
                        }
                    ],
                    "count": "186",
                    "solution": "<p><\/p>",
                    "otherinfo": "<p>NOTE: Because of its name this cookie may be important, but dropping it appears to have no effect: [JSESSIONID] <\/p><p>Cookies that don't have expected effects can reveal flaws in application logic. In the worst case, this can reveal where authentication via cookie token(s) is not actually enforced.<\/p><p>These cookies affected the response: <\/p><p>These cookies did NOT affect the response: JSESSIONID<\/p><p><\/p>",
                    "reference": "<p>http://projects.webappsec.org/Fingerprinting<\/p><p><\/p>",
                    "cweid": "200",
                    "wascid": "45",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10049",
                    "alert": "Storable and Cacheable Content",
                    "name": "Storable and Cacheable Content",
                    "riskcode": "0",
                    "confidence": "2",
                    "riskdesc": "Informational (Medium)",
                    "desc": "<p>The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users.  If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where \"shared\" caching servers such as \"proxy\" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jsptoservlet.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.jsp?foo=bar",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/sessionidgenerator.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/jspattribute.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/composite.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-memory-realm.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/cal1.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/Server.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jdbc-pool.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/reqparams.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/images/update.gif",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/juli/package-summary.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/include/include.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspattribute/jspattribute.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/apr.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/class-loader-howto.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/choose.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspx/textRotate.jspx.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/service.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/notes.html",
                            "method": "GET"
                        }
                    ],
                    "count": "329",
                    "solution": "<p>Validate that the response does not contain sensitive, personal or user-specific information.  If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:<\/p><p>Cache-Control: no-cache, no-store, must-revalidate, private<\/p><p>Pragma: no-cache<\/p><p>Expires: 0<\/p><p>This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request. <\/p>",
                    "otherinfo": "<p>In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.<\/p>",
                    "reference": "<p>https://tools.ietf.org/html/rfc7234<\/p><p>https://tools.ietf.org/html/rfc7231<\/p><p>http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)<\/p>",
                    "cweid": "524",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10096",
                    "alert": "Timestamp Disclosure - Unix",
                    "name": "Timestamp Disclosure - Unix",
                    "riskcode": "0",
                    "confidence": "1",
                    "riskdesc": "Informational (Low)",
                    "desc": "<p>A timestamp was disclosed by the application/web server - Unix<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000000008"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000018373"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000040687"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000001995"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000000017"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/book.jsp",
                            "method": "GET",
                            "evidence": "0618002251"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000000027"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000011633"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000002146"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000000039"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000014963"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000005503"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000016347"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000011768"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000015583"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/images/update.gif",
                            "method": "GET",
                            "evidence": "0123456789"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestHeaderExample",
                            "method": "GET",
                            "evidence": "20100101"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000000022"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/startup/serverStartup.pdf",
                            "method": "GET",
                            "evidence": "0000014864"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp",
                            "method": "GET",
                            "evidence": "20100101"
                        }
                    ],
                    "count": "51",
                    "solution": "<p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.<\/p>",
                    "otherinfo": "<p>0000000008, which evaluates to: 1970-01-01 00:00:08<\/p>",
                    "reference": "<p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage<\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10021",
                    "alert": "X-Content-Type-Options Header Missing",
                    "name": "X-Content-Type-Options Header Missing",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/jts.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/rewrite.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-apps.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/images/code.gif",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/deployer-howto.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/foreach.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/favicon.ico",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestHeaderExample",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/plugin/plugin.jsp",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/index.xhtml",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/comments.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/tagplugin/choose.jsp",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=foo&datavalue=bar",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspx/textRotate.jspx",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspx/textRotate.jspx.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/err.jsp.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/resources.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/class-loader-howto.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/FindBookSimpleTag.java.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/jar-scanner.html",
                            "method": "GET",
                            "param": "X-Content-Type-Options"
                        }
                    ],
                    "count": "316",
                    "solution": "<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.<\/p><p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.<\/p>",
                    "otherinfo": "<p>This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.<\/p><p>At \"High\" threshold this scanner will not alert on client or server error responses.<\/p>",
                    "reference": "<p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx<\/p><p>https://owasp.org/www-community/Security_Headers<\/p>",
                    "cweid": "16",
                    "wascid": "15",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10094",
                    "alert": "Base64 Disclosure",
                    "name": "Base64 Disclosure",
                    "riskcode": "0",
                    "confidence": "2",
                    "riskdesc": "Informational (Medium)",
                    "desc": "<p>Base64 encoded data was disclosed by the application/web server. Note: in the interests of performance not all base64 strings in the response were analyzed individually, the entire response should be looked at by the analyst/security team/developer(s).<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/index.html",
                            "method": "GET",
                            "evidence": "org/aboutJava/communityprocess/final/jsr340/index"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/windows-auth-howto.html",
                            "method": "GET",
                            "evidence": "com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/http.html",
                            "method": "GET",
                            "evidence": "com/javase/7/docs/api/java/net/Socket"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/book.jsp.html",
                            "method": "GET",
                            "evidence": "/WEB-INF/jsp2/jsp2-example-taglib"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jndi-datasource-examples-howto.html",
                            "method": "GET",
                            "evidence": "Oracle_8i_with_OCI_client/Introduction"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cookie-processor.html",
                            "method": "GET",
                            "evidence": "RFC_6265_Cookie_Processor_-_org"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/cluster-howto.html",
                            "method": "GET",
                            "evidence": "0-doc/api/org/apache/catalina/tribes/Channel"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/ajp.html",
                            "method": "GET",
                            "evidence": "com/javase/6/docs/api/java/net/Socket"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jdbc-pool.html",
                            "method": "GET",
                            "evidence": "com/javase/6/docs/api/javax/sql/DataSource"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/requestProcess.html",
                            "method": "GET",
                            "evidence": "0-doc/architecture/requestProcess"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/",
                            "method": "GET",
                            "evidence": "org/aboutJava/communityprocess/final/jsr340/index"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/realm-howto.html",
                            "method": "GET",
                            "evidence": "com/javase/7/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/manager-howto.html",
                            "method": "GET",
                            "evidence": "8080/manager/text/sslConnectorCiphers"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/hello.jsp.html",
                            "method": "GET",
                            "evidence": "/WEB-INF/jsp2/jsp2-example-taglib"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/jspx/basic.jspx",
                            "method": "GET",
                            "evidence": "org/TR/xhtml-basic/xhtml-basic10"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-sender.html",
                            "method": "GET",
                            "evidence": "com/javase/7/docs/api/java/net/Socket"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/filter.html",
                            "method": "GET",
                            "evidence": "org/Protocols/rfc2616/rfc2616-sec14"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-interceptor.html",
                            "method": "GET",
                            "evidence": "MessageDispatch15Interceptor_Attributes"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/introduction.html",
                            "method": "GET",
                            "evidence": "org/aboutJava/communityprocess/mrel/jsr245/index2"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-default.html",
                            "method": "GET",
                            "evidence": "org/aboutJava/communityprocess/final/jsr340/index"
                        }
                    ],
                    "count": "25",
                    "solution": "<p>Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities.<\/p>",
                    "otherinfo": "<p>��?i�.���k�(�k��ܩ��\\x001e��ߊv��;+ߍ?�w^<\/p>",
                    "reference": "<p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage<\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10038",
                    "alert": "Content Security Policy (CSP) Header Not Set",
                    "name": "Content Security Policy (CSP) Header Not Set",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/connectors.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/listeners.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/helloworld.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/plugin/plugin.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/virtual-hosting-howto.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/tagfiles/products.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/simpletag/hello.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/websocketapi/index.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/windows-auth-howto.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/dates/date.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/misc/dynamicattrs.jsp.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/xml/xml.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/architecture/index.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/elapi/index.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/composite.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/introduction.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/check.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/windows-service-howto.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/server.html",
                            "method": "GET"
                        }
                    ],
                    "count": "298",
                    "solution": "<p>Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header, to achieve optimal browser support: \"Content-Security-Policy\" for Chrome 25+, Firefox 23+ and Safari 7+, \"X-Content-Security-Policy\" for Firefox 4.0+ and Internet Explorer 10+, and \"X-WebKit-CSP\" for Chrome 14+ and Safari 6+.<\/p>",
                    "reference": "<p>https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy<\/p><p>https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html<\/p><p>http://www.w3.org/TR/CSP/<\/p><p>http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html<\/p><p>http://www.html5rocks.com/en/tutorials/security/content-security-policy/<\/p><p>http://caniuse.com/#feat=contentsecuritypolicy<\/p><p>http://content-security-policy.com/<\/p>",
                    "cweid": "16",
                    "wascid": "15",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10108",
                    "alert": "Reverse Tabnabbing",
                    "name": "Reverse Tabnabbing",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>At least one link on this page is vulnerable to Reverse tabnabbing as it uses a target attribute without using both of the \"noopener\" and \"noreferrer\" keywords in the \"rel\" attribute, which allows the target page to take control of this page.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-valve.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jasper-howto.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/transport.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/introduction.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/membership.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/credentialhandler.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/cgi-howto.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/filter.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/ssi-howto.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/developers.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/realm-howto.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/http.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/index.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-objects.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/cluster-howto.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/changelog.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-receiver.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/setup.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/tribes/interceptors.html",
                            "method": "GET",
                            "evidence": "<a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"../images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a>"
                        }
                    ],
                    "count": "102",
                    "solution": "<p>Do not use a target attribute, or if you have to then also add the attribute: rel=\"noopener noreferrer\".<\/p>",
                    "reference": "<p>https://owasp.org/www-community/attacks/Reverse_Tabnabbing<\/p><p>https://dev.to/ben/the-targetblank-vulnerability-by-example<\/p><p>https://mathiasbynens.github.io/rel-noopener/<\/p><p>https://medium.com/@jitbit/target-blank-the-most-underestimated-vulnerability-ever-96e328301f4c<\/p><p><\/p>",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10099",
                    "alert": "Source Code Disclosure - Servlet",
                    "name": "Source Code Disclosure - Servlet",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>Application Source Code was disclosed by the web server - Servlet<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/aio.html",
                            "method": "GET",
                            "evidence": "public class ChatServlet\n    extends HttpServlet"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsptoserv/ServletToJsp.java.html",
                            "method": "GET",
                            "evidence": "import javax.servlet.http.HttpServlet;"
                        }
                    ],
                    "count": "2",
                    "solution": "<p>Ensure that application Source Code is not available with alternative extensions, and ensure that source code is not present within other files or data deployed to the web server, or served by the web server. <\/p>",
                    "otherinfo": "<p>public class ChatServlet<\/p><p>    extends HttpServlet<\/p>",
                    "reference": "<p>http://blogs.wsj.com/cio/2013/10/08/adobe-source-code-leak-is-bad-news-for-u-s-government/<\/p>",
                    "cweid": "540",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10049",
                    "alert": "Non-Storable Content",
                    "name": "Non-Storable Content",
                    "riskcode": "0",
                    "confidence": "2",
                    "riskdesc": "Informational (Medium)",
                    "desc": "<p>The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets",
                            "method": "GET",
                            "evidence": "302"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/host-manager/html",
                            "method": "GET",
                            "evidence": "private"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/index.jsp",
                            "method": "GET",
                            "evidence": "private"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/manager/html",
                            "method": "GET",
                            "evidence": "private"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/chat/",
                            "method": "GET",
                            "evidence": "302"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/manager/status",
                            "method": "GET",
                            "evidence": "private"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/err.jsp?name=ZAP&submit=Submit",
                            "method": "GET",
                            "evidence": "500"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp",
                            "method": "GET",
                            "evidence": "302"
                        }
                    ],
                    "count": "8",
                    "solution": "<p>The content may be marked as storable by ensuring that the following conditions are satisfied:<\/p><p>The request method must be understood by the cache and defined as being cacheable (\"GET\", \"HEAD\", and \"POST\" are currently defined as cacheable)<\/p><p>The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)<\/p><p>The \"no-store\" cache directive must not appear in the request or response header fields<\/p><p>For caching by \"shared\" caches such as \"proxy\" caches, the \"private\" response directive must not appear in the response<\/p><p>For caching by \"shared\" caches such as \"proxy\" caches, the \"Authorization\" header field must not appear in the request, unless the response explicitly allows it (using one of the \"must-revalidate\", \"public\", or \"s-maxage\" Cache-Control response directives)<\/p><p>In addition to the conditions above, at least one of the following conditions must also be satisfied by the response:<\/p><p>It must contain an \"Expires\" header field<\/p><p>It must contain a \"max-age\" response directive<\/p><p>For \"shared\" caches such as \"proxy\" caches, it must contain a \"s-maxage\" response directive<\/p><p>It must contain a \"Cache Control Extension\" that allows it to be cached<\/p><p>It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).   <\/p>",
                    "reference": "<p>https://tools.ietf.org/html/rfc7234<\/p><p>https://tools.ietf.org/html/rfc7231<\/p><p>http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)<\/p>",
                    "cweid": "524",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "20012",
                    "alert": "Anti CSRF Tokens Scanner",
                    "name": "Anti CSRF Tokens Scanner",
                    "riskcode": "3",
                    "confidence": "2",
                    "riskdesc": "High (Medium)",
                    "desc": "<p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.<\/p><p><\/p><p>CSRF attacks are effective in a number of situations, including:<\/p><p>    * The victim has an active session on the target site.<\/p><p>    * The victim is authenticated via HTTP auth on the target site.<\/p><p>    * The victim is on the same local network as the target site.<\/p><p><\/p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colors.html",
                            "method": "GET",
                            "evidence": "<form method=GET action=colrs.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/check.html",
                            "method": "GET",
                            "evidence": "<FORM TYPE=POST ACTION=checkresult.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/index.jsp",
                            "method": "GET",
                            "evidence": "<form method=\"POST\" action='j_security_check' >"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Hint&color1=ZAP&color2=ZAP",
                            "method": "GET",
                            "evidence": "<form method=POST action=colrs.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/error.html",
                            "method": "GET",
                            "evidence": "<form method=get action=err.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/cal1.jsp?action=Submit&email=foo-bar%40example.com&name=ZAP",
                            "method": "GET",
                            "evidence": "<FORM METHOD=POST ACTION=cal1.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected",
                            "method": "GET",
                            "evidence": "<form method=\"POST\" action='j_security_check' >"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP",
                            "method": "GET",
                            "evidence": "<form action=\"SessionExample\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5",
                            "method": "POST",
                            "evidence": "<form action=\"SessionExample\" method=GET>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
                            "method": "GET",
                            "evidence": "<form action=\"SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5\" method=GET>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "evidence": "<form action=\"CookieExample\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/login.html",
                            "method": "GET",
                            "evidence": "<form method=GET action=cal1.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.jsp?guess=ZAP",
                            "method": "GET",
                            "evidence": "<form method=get>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.jsp",
                            "method": "GET",
                            "evidence": "<form method=get>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestParamExample",
                            "method": "POST",
                            "evidence": "<form action=\"RequestParamExample\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.jsp?foo=bar",
                            "method": "GET",
                            "evidence": "<form action=\"implicit-objects.jsp\" method=\"GET\">"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/functions.jsp?foo=JSP+2.0",
                            "method": "GET",
                            "evidence": "<form action=\"functions.jsp\" method=\"GET\">"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/chat/login.jsp",
                            "method": "GET",
                            "evidence": "<form method=\"POST\" action='chat' target=\"_top\" name=\"loginForm\">"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
                            "method": "GET",
                            "evidence": "<form action=\"SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.html",
                            "method": "GET",
                            "evidence": "<form type=POST action=carts.jsp>"
                        }
                    ],
                    "count": "26",
                    "solution": "<p>Phase: Architecture and Design<\/p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.<\/p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.<\/p><p><\/p><p>Phase: Implementation<\/p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.<\/p><p><\/p><p>Phase: Architecture and Design<\/p><p>Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).<\/p><p>Note that this can be bypassed using XSS.<\/p><p><\/p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.<\/p><p>Note that this can be bypassed using XSS.<\/p><p><\/p><p>Use the ESAPI Session Management control.<\/p><p>This control includes a component for CSRF.<\/p><p><\/p><p>Do not use the GET method for any request that triggers a state change.<\/p><p><\/p><p>Phase: Implementation<\/p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.<\/p>",
                    "reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery<\/p><p>http://cwe.mitre.org/data/definitions/352.html<\/p>",
                    "cweid": "352",
                    "wascid": "9",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10099",
                    "alert": "Source Code Disclosure - ActiveVFP",
                    "name": "Source Code Disclosure - ActiveVFP",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>Application Source Code was disclosed by the web server - ActiveVFP<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/ssi-howto.html",
                            "method": "GET",
                            "evidence": "if (!thisScript) { // Workaround for IE <= 11\n        var scripts = document.getElementsByTagName(\"script\");\n        thisScript = scripts[scripts.length - 1];\n      }\n      document.addEventListener(\"DOMContentLoaded\", (function() {\n        var commentsDiv = document.getElementById(\"comments_thread\");\n        var commentsShortname = \"tomcat\";\n        var commentsIdentifier = \"http://tomcat.apache.org/\" +\n          thisScript.getAttribute(\"data-comments-identifier\") + \".html\";\n\n        (function(w, d) {\n          if (w.location.hostname.toLowerCase() == \"tomcat.apache.org\") {\n            var s = d.createElement(\"script\");\n            s.type = \"application/javascript\";\n            s.async = true;\n            s.src = \"https://comments.apache.org/show_comments.lua?site=\" +\n              encodeURIComponent(commentsShortname) +\n              \"&page=\" + encodeURIComponent(commentsIdentifier);\n            d.head.appendChild(s);\n          } else {\n            commentsDiv.appendChild(d.createTextNode(\"Comments are disabled for this page at the moment.\"));\n          }\n        })(window, document);\n      }), false);\n    })();\n  <\/script><\/head><body><div id=\"wrapper\"><header><div id=\"header\"><div><div><div class=\"logo noPrint\"><a href=\"http://tomcat.apache.org/\"><img alt=\"Tomcat Home\" src=\"./images/tomcat.png\"><\/a><\/div><div style=\"height: 1px;\"><\/div><div class=\"asfLogo noPrint\"><a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a><\/div><h1>Apache Tomcat 8<\/h1><div class=\"versionInfo\">\n          Version 8.0.37,\n          <time datetime=\"2016-09-01\">Sep 1 2016<\/time><\/div><div style=\"height: 1px;\"><\/div><div style=\"clear: left;\"><\/div><\/div><\/div><\/div><\/header><div id=\"middle\"><div><div id=\"mainLeft\" 
class=\"noprint\"><div><nav><div><h2>Links<\/h2><ul><li><a href=\"index.html\">Docs Home<\/a><\/li><li><a href=\"http://wiki.apache.org/tomcat/FAQ\">FAQ<\/a><\/li><li><a href=\"#comments_section\">User Comments<\/a><\/li><\/ul><\/div><div><h2>User Guide<\/h2><ul><li><a href=\"introduction.html\">1) Introduction<\/a><\/li><li><a href=\"setup.html\">2) Setup<\/a><\/li><li><a href=\"appdev/index.html\">3) First webapp<\/a><\/li><li><a href=\"deployer-howto.html\">4) Deployer<\/a><\/li><li><a href=\"manager-howto.html\">5) Manager<\/a><\/li><li><a href=\"realm-howto.html\">6) Realms and AAA<\/a><\/li><li><a href=\"security-manager-howto.html\">7) Security Manager<\/a><\/li><li><a href=\"jndi-resources-howto.html\">8) JNDI Resources<\/a><\/li><li><a href=\"jndi-datasource-examples-howto.html\">9) JDBC DataSources<\/a><\/li><li><a href=\"class-loader-howto.html\">10) Classloading<\/a><\/li><li><a href=\"jasper-howto.html\">11) JSPs<\/a><\/li><li><a href=\"ssl-howto.html\">12) SSL/TLS<\/a><\/li><li><a href=\"ssi-howto.html\">13) SSI<\/a><\/li><li><a href=\"cgi-howto.html\">14) CGI<\/a><\/li><li><a href=\"proxy-howto.html\">15) Proxy Support<\/a><\/li><li><a href=\"mbeans-descriptors-howto.html\">16) MBeans Descriptors<\/a><\/li><li><a href=\"default-servlet.html\">17) Default Servlet<\/a><\/li><li><a href=\"cluster-howto.html\">18) Clustering<\/a><\/li><li><a href=\"balancer-howto.html\">19) Load Balancer<\/a><\/li><li><a href=\"connectors.html\">20) Connectors<\/a><\/li><li><a href=\"monitoring.html\">21) Monitoring and Management<\/a><\/li><li><a href=\"logging.html\">22) Logging<\/a><\/li><li><a href=\"apr.html\">23) APR/Native<\/a><\/li><li><a href=\"virtual-hosting-howto.html\">24) Virtual Hosting<\/a><\/li><li><a href=\"aio.html\">25) Advanced IO<\/a><\/li><li><a href=\"extras.html\">26) Additional Components<\/a><\/li><li><a href=\"maven-jars.html\">27) Mavenized<\/a><\/li><li><a href=\"security-howto.html\">28) Security Considerations<\/a><\/li><li><a 
href=\"windows-service-howto.html\">29) Windows Service<\/a><\/li><li><a href=\"windows-auth-howto.html\">30) Windows Authentication<\/a><\/li><li><a href=\"jdbc-pool.html\">31) Tomcat's JDBC Pool<\/a><\/li><li><a href=\"web-socket-howto.html\">32) WebSocket<\/a><\/li><li><a href=\"rewrite.html\">33) Rewrite<\/a><\/li><\/ul><\/div><div><h2>Reference<\/h2><ul><li><a href=\"RELEASE-NOTES.txt\">Release Notes<\/a><\/li><li><a href=\"config/index.html\">Configuration<\/a><\/li><li><a href=\"api/index.html\">Tomcat Javadocs<\/a><\/li><li><a href=\"servletapi/index.html\">Servlet Javadocs<\/a><\/li><li><a href=\"jspapi/index.html\">JSP 2.3 Javadocs<\/a><\/li><li><a href=\"elapi/index.html\">EL 3.0 Javadocs<\/a><\/li><li><a href=\"websocketapi/index.html\">WebSocket 1.1 Javadocs<\/a><\/li><li><a href=\"http://tomcat.apache.org/connectors-doc/\">JK 1.2 Documentation<\/a><\/li><\/ul><\/div><div><h2>Apache Tomcat Development<\/h2><ul><li><a href=\"building.html\">Building<\/a><\/li><li><a href=\"changelog.html\">Changelog<\/a><\/li><li><a href=\"http://wiki.apache.org/tomcat/TomcatVersions\">Status<\/a><\/li><li><a href=\"developers.html\">Developers<\/a><\/li><li><a href=\"architecture/index.html\">Architecture<\/a><\/li><li><a href=\"funcspecs/index.html\">Functional Specs.<\/a><\/li><li><a href=\"tribes/introduction.html\">Tribes<\/a><\/li><\/ul><\/div><\/nav><\/div><\/div><div id=\"mainRight\"><div id=\"content\"><h2>SSI How To<\/h2><h3 id=\"Table_of_Contents\">Table of Contents<\/h3><div class=\"text\">\n<ul><li><a href=\"#Introduction\">Introduction<\/a><\/li><li><a href=\"#Installation\">Installation<\/a><\/li><li><a href=\"#Servlet_Configuration\">Servlet Configuration<\/a><\/li><li><a href=\"#Filter_Configuration\">Filter Configuration<\/a><\/li><li><a href=\"#Directives\">Directives<\/a><\/li><li><a href=\"#Variables\">Variables<\/a><\/li><\/ul>\n<\/div><h3 id=\"Introduction\">Introduction<\/h3><div class=\"text\">\n\n<p>SSI (Server Side Includes) are directives 
that are placed in HTML pages,\nand evaluated on the server while the pages are being served. They let you\nadd dynamically generated content to an existing HTML page, without having\nto serve the entire page via a CGI program, or other dynamic technology.\n<\/p>\n\n<p>Within Tomcat SSI support can be added when using Tomcat as your\nHTTP server and you require SSI support.  Typically this is done\nduring development when you don't want to run a web server like Apache.<\/p>\n\n<p>Tomcat SSI support implements the same SSI directives as Apache.  See the\n<a href=\"http://httpd.apache.org/docs/howto/ssi.html#basicssidirectives\">\nApache Introduction to SSI<\/a> for information on using SSI directives.<\/p>\n\n<p>SSI support is available as a servlet and as a filter. You should use one\nor the other to provide SSI support but not both.<\/p>\n\n<p>Servlet based SSI support is implemented using the class\n<code>org.apache.catalina.ssi.SSIServlet<\/code>.  Traditionally, this servlet\nis mapped to the URL pattern \"*.shtml\".<\/p>\n\n<p>Filter based SSI support is implemented using the class\n<code>org.apache.catalina.ssi.SSIFilter<\/code>.  Traditionally, this filter\nis mapped to the URL pattern \"*.shtml\", though it can be mapped to \"*\" as\nit will selectively enable/disable SSI processing based on mime types.  The\ncontentType init param allows you to apply SSI processing to JSP pages,\njavascript, or any other content you wish.<\/p>\n<p>By default SSI support is disabled in Tomcat.<\/p>\n<\/div><h3 id=\"Installation\">Installation<\/h3><div class=\"text\">\n\n<p><strong>CAUTION<\/strong> - SSI directives can be used to execute programs\nexternal to the Tomcat JVM. 
If you are using the Java SecurityManager this\nwill bypass your security policy configuration in <code>catalina.policy.<\/code>\n<\/p>\n\n<p>To use the SSI servlet, remove the XML comments from around the SSI servlet\nand servlet-mapping configuration in\n<code>$CATALINA_BASE/conf/web.xml<\/code>.<\/p>\n\n<p>To use the SSI filter, remove the XML comments from around the SSI filter\nand filter-mapping configuration in\n<code>$CATALINA_BASE/conf/web.xml<\/code>.<\/p>\n\n<p>Only Contexts which are marked as privileged may use SSI features (see the\nprivileged property of the Context element).<\/p>\n\n<\/div><h3 id=\"Servlet_Configuration\">Servlet Configuration<\/h3><div class=\"text\">\n\n<p>There are several servlet init parameters which can be used to\nconfigure the behaviour of the SSI servlet.<\/p>\n<ul>\n<li><strong>buffered<\/strong> - Should output from this servlet be buffered?\n(0=false, 1=true) Default 0 (false).<\/li>\n<li><strong>debug<\/strong> - Debugging detail level for messages logged\nby this servlet. Default 0.<\/li>\n<li><strong>expires<\/strong> - The number of seconds before a page with SSI\ndirectives will expire. Default behaviour is for all SSI directives to be\nevaluated for every request.<\/li>\n<li><strong>isVirtualWebappRelative<\/strong> - Should \"virtual\" SSI directive\npaths be interpreted as relative to the context root, instead of the server\nroot? Default false.<\/li>\n<li><strong>inputEncoding<\/strong> - The encoding to be assumed for SSI\nresources if one cannot be determined from the resource itself. Default is\nthe default platform encoding.<\/li>\n<li><strong>outputEncoding<\/strong> - The encoding to be used for the result\nof the SSI processing. Default is UTF-8.<\/li>\n<li><strong>allowExec<\/strong> - Is the exec command enabled? 
Default is\nfalse.<\/li>\n<\/ul>\n\n\n<\/div><h3 id=\"Filter_Configuration\">Filter Configuration<\/h3><div class=\"text\">\n\n<p>There are several filter init parameters which can be used to\nconfigure the behaviour of the SSI filter.<\/p>\n<ul>\n<li><strong>contentType<\/strong> - A regex pattern that must be matched before\nSSI processing is applied. When crafting your own pattern, don't forget that a\nmime content type may be followed by an optional character set in the form\n\"mime/type; charset=set\" that you must take into account.  Default is\n\"text/x-server-parsed-html(;.*)?\".<\/li>\n<li><strong>debug<\/strong> - Debugging detail level for messages logged\nby this servlet. Default 0.<\/li>\n<li><strong>expires<\/strong> - The number of seconds before a page with SSI\ndirectives will expire. Default behaviour is for all SSI directives to be\nevaluated for every request.<\/li>\n<li><strong>isVirtualWebappRelative<\/strong> - Should \"virtual\" SSI directive\npaths be interpreted as relative to the context root, instead of the server\nroot? Default false.<\/li>\n<li><strong>allowExec<\/strong> - Is the exec command enabled? Default is\nfalse.<\/li>\n<\/ul>\n\n\n<\/div><h3 id=\"Directives\">Directives<\/h3><div class=\"text\">\n<p>Server Side Includes are invoked by embedding SSI directives in an HTML document\n whose type will be processed by the SSI servlet. The directives take the form of an HTML\n comment. The directive is replaced by the results of interpreting it before sending the\n page to the client. 
The general form of a directive is: <\/p>\n<p> <code>&lt;!--#directive [parm=value] --&gt;<\/code><\/p>\n<p>The directives are:<\/p>\n<ul>\n<li>\n<strong>config<\/strong> - <code>&lt;!--#config timefmt=\"%B %Y\" --&gt;<\/code>\nUsed to set the format of dates and other items processed by SSI\n<\/li>\n<li>\n<strong>echo<\/strong> -   <code>&lt;!--#echo var=\"VARIABLE_NAME\" --&gt;<\/code>\nwill be replaced by the value of the variable.\n<\/li>\n<li>\n<strong>exec<\/strong> -  Used to run commands on the host system.\n<\/li>\n<li>\n<strong>include<\/strong> -  <code>&lt;!--#include virtual=\"file-name\" --&gt;<\/code>\ninserts the contents\n<\/li>\n<li>\n<strong>flastmod<\/strong> - <code>&lt;!--#flastmod file=\"filename.shtml\" --&gt;<\/code>\nReturns the time that a file was lost modified.\n<\/li>\n<li>\n<strong>fsize<\/strong> - <code>&lt;!--#fsize file=\"filename.shtml\" --&gt;<\/code>\nReturns the size of a file.\n<\/li>\n<li>\n<strong>printenv<\/strong> - <code>&lt;!--#printenv --&gt;<\/code>\nReturns the list of all the defined variables.\n<\/li>\n<li>\n<strong>set<\/strong> - <code>&lt;!--#set var=\"foo\" value=\"Bar\" --&gt;<\/code>\nis used to assign a value to a user-defined variable.\n<\/li>\n<li>\n<strong>if elif endif"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Ensure that application Source Code is not available with alternative extensions, and ensure that source code is not present within other files or data deployed to the web server, or served by the web server. <\/p>",
                    "otherinfo": "<p>if (!thisScript) { // Workaround for IE <= 11<\/p><p>        var scripts = document.getElementsByTagName(\"script\");<\/p><p>        thisScript = scripts[scripts.length - 1];<\/p><p>      }<\/p><p>      document.addEventListener(\"DOMContentLoaded\", (function() {<\/p><p>        var commentsDiv = document.getElementById(\"comments_thread\");<\/p><p>        var commentsShortname = \"tomcat\";<\/p><p>        var commentsIdentifier = \"http://tomcat.apache.org/\" +<\/p><p>          thisScript.getAttribute(\"data-comments-identifier\") + \".html\";<\/p><p><\/p><p>        (function(w, d) {<\/p><p>          if (w.location.hostname.toLowerCase() == \"tomcat.apache.org\") {<\/p><p>            var s = d.createElement(\"script\");<\/p><p>            s.type = \"application/javascript\";<\/p><p>            s.async = true;<\/p><p>            s.src = \"https://comments.apache.org/show_comments.lua?site=\" +<\/p><p>              encodeURIComponent(commentsShortname) +<\/p><p>              \"&page=\" + encodeURIComponent(commentsIdentifier);<\/p><p>            d.head.appendChild(s);<\/p><p>          } else {<\/p><p>            commentsDiv.appendChild(d.createTextNode(\"Comments are disabled for this page at the moment.\"));<\/p><p>          }<\/p><p>        })(window, document);<\/p><p>      }), false);<\/p><p>    })();<\/p><p>  <\/script><\/head><body><div id=\"wrapper\"><header><div id=\"header\"><div><div><div class=\"logo noPrint\"><a href=\"http://tomcat.apache.org/\"><img alt=\"Tomcat Home\" src=\"./images/tomcat.png\"><\/a><\/div><div style=\"height: 1px;\"><\/div><div class=\"asfLogo noPrint\"><a href=\"http://www.apache.org/\" target=\"_blank\"><img src=\"./images/asf-feather.png\" alt=\"The Apache Software Foundation\" style=\"width: 266px; height: 83px;\"><\/a><\/div><h1>Apache Tomcat 8<\/h1><div class=\"versionInfo\"><\/p><p>          Version 8.0.37,<\/p><p>          <time datetime=\"2016-09-01\">Sep 1 2016<\/time><\/div><div 
style=\"height: 1px;\"><\/div><div style=\"clear: left;\"><\/div><\/div><\/div><\/div><\/header><div id=\"middle\"><div><div id=\"mainLeft\" class=\"noprint\"><div><nav><div><h2>Links<\/h2><ul><li><a href=\"index.html\">Docs Home<\/a><\/li><li><a href=\"http://wiki.apache.org/tomcat/FAQ\">FAQ<\/a><\/li><li><a href=\"#comments_section\">User Comments<\/a><\/li><\/ul><\/div><div><h2>User Guide<\/h2><ul><li><a href=\"introduction.html\">1) Introduction<\/a><\/li><li><a href=\"setup.html\">2) Setup<\/a><\/li><li><a href=\"appdev/index.html\">3) First webapp<\/a><\/li><li><a href=\"deployer-howto.html\">4) Deployer<\/a><\/li><li><a href=\"manager-howto.html\">5) Manager<\/a><\/li><li><a href=\"realm-howto.html\">6) Realms and AAA<\/a><\/li><li><a href=\"security-manager-howto.html\">7) Security Manager<\/a><\/li><li><a href=\"jndi-resources-howto.html\">8) JNDI Resources<\/a><\/li><li><a href=\"jndi-datasource-examples-howto.html\">9) JDBC DataSources<\/a><\/li><li><a href=\"class-loader-howto.html\">10) Classloading<\/a><\/li><li><a href=\"jasper-howto.html\">11) JSPs<\/a><\/li><li><a href=\"ssl-howto.html\">12) SSL/TLS<\/a><\/li><li><a href=\"ssi-howto.html\">13) SSI<\/a><\/li><li><a href=\"cgi-howto.html\">14) CGI<\/a><\/li><li><a href=\"proxy-howto.html\">15) Proxy Support<\/a><\/li><li><a href=\"mbeans-descriptors-howto.html\">16) MBeans Descriptors<\/a><\/li><li><a href=\"default-servlet.html\">17) Default Servlet<\/a><\/li><li><a href=\"cluster-howto.html\">18) Clustering<\/a><\/li><li><a href=\"balancer-howto.html\">19) Load Balancer<\/a><\/li><li><a href=\"connectors.html\">20) Connectors<\/a><\/li><li><a href=\"monitoring.html\">21) Monitoring and Management<\/a><\/li><li><a href=\"logging.html\">22) Logging<\/a><\/li><li><a href=\"apr.html\">23) APR/Native<\/a><\/li><li><a href=\"virtual-hosting-howto.html\">24) Virtual Hosting<\/a><\/li><li><a href=\"aio.html\">25) Advanced IO<\/a><\/li><li><a href=\"extras.html\">26) Additional Components<\/a><\/li><li><a 
href=\"maven-jars.html\">27) Mavenized<\/a><\/li><li><a href=\"security-howto.html\">28) Security Considerations<\/a><\/li><li><a href=\"windows-service-howto.html\">29) Windows Service<\/a><\/li><li><a href=\"windows-auth-howto.html\">30) Windows Authentication<\/a><\/li><li><a href=\"jdbc-pool.html\">31) Tomcat's JDBC Pool<\/a><\/li><li><a href=\"web-socket-howto.html\">32) WebSocket<\/a><\/li><li><a href=\"rewrite.html\">33) Rewrite<\/a><\/li><\/ul><\/div><div><h2>Reference<\/h2><ul><li><a href=\"RELEASE-NOTES.txt\">Release Notes<\/a><\/li><li><a href=\"config/index.html\">Configuration<\/a><\/li><li><a href=\"api/index.html\">Tomcat Javadocs<\/a><\/li><li><a href=\"servletapi/index.html\">Servlet Javadocs<\/a><\/li><li><a href=\"jspapi/index.html\">JSP 2.3 Javadocs<\/a><\/li><li><a href=\"elapi/index.html\">EL 3.0 Javadocs<\/a><\/li><li><a href=\"websocketapi/index.html\">WebSocket 1.1 Javadocs<\/a><\/li><li><a href=\"http://tomcat.apache.org/connectors-doc/\">JK 1.2 Documentation<\/a><\/li><\/ul><\/div><div><h2>Apache Tomcat Development<\/h2><ul><li><a href=\"building.html\">Building<\/a><\/li><li><a href=\"changelog.html\">Changelog<\/a><\/li><li><a href=\"http://wiki.apache.org/tomcat/TomcatVersions\">Status<\/a><\/li><li><a href=\"developers.html\">Developers<\/a><\/li><li><a href=\"architecture/index.html\">Architecture<\/a><\/li><li><a href=\"funcspecs/index.html\">Functional Specs.<\/a><\/li><li><a href=\"tribes/introduction.html\">Tribes<\/a><\/li><\/ul><\/div><\/nav><\/div><\/div><div id=\"mainRight\"><div id=\"content\"><h2>SSI How To<\/h2><h3 id=\"Table_of_Contents\">Table of Contents<\/h3><div class=\"text\"><\/p><p><ul><li><a href=\"#Introduction\">Introduction<\/a><\/li><li><a href=\"#Installation\">Installation<\/a><\/li><li><a href=\"#Servlet_Configuration\">Servlet Configuration<\/a><\/li><li><a href=\"#Filter_Configuration\">Filter Configuration<\/a><\/li><li><a href=\"#Directives\">Directives<\/a><\/li><li><a 
href=\"#Variables\">Variables<\/a><\/li><\/ul><\/p><p><\/div><h3 id=\"Introduction\">Introduction<\/h3><div class=\"text\"><\/p><p><\/p><p><p>SSI (Server Side Includes) are directives that are placed in HTML pages,<\/p><p>and evaluated on the server while the pages are being served. They let you<\/p><p>add dynamically generated content to an existing HTML page, without having<\/p><p>to serve the entire page via a CGI program, or other dynamic technology.<\/p><p><\/p><\/p><p><\/p><p><p>Within Tomcat SSI support can be added when using Tomcat as your<\/p><p>HTTP server and you require SSI support.  Typically this is done<\/p><p>during development when you don't want to run a web server like Apache.<\/p><\/p><p><\/p><p><p>Tomcat SSI support implements the same SSI directives as Apache.  See the<\/p><p><a href=\"http://httpd.apache.org/docs/howto/ssi.html#basicssidirectives\"><\/p><p>Apache Introduction to SSI<\/a> for information on using SSI directives.<\/p><\/p><p><\/p><p><p>SSI support is available as a servlet and as a filter. You should use one<\/p><p>or the other to provide SSI support but not both.<\/p><\/p><p><\/p><p><p>Servlet based SSI support is implemented using the class<\/p><p><code>org.apache.catalina.ssi.SSIServlet<\/code>.  Traditionally, this servlet<\/p><p>is mapped to the URL pattern \"*.shtml\".<\/p><\/p><p><\/p><p><p>Filter based SSI support is implemented using the class<\/p><p><code>org.apache.catalina.ssi.SSIFilter<\/code>.  Traditionally, this filter<\/p><p>is mapped to the URL pattern \"*.shtml\", though it can be mapped to \"*\" as<\/p><p>it will selectively enable/disable SSI processing based on mime types.  
The<\/p><p>contentType init param allows you to apply SSI processing to JSP pages,<\/p><p>javascript, or any other content you wish.<\/p><\/p><p><p>By default SSI support is disabled in Tomcat.<\/p><\/p><p><\/div><h3 id=\"Installation\">Installation<\/h3><div class=\"text\"><\/p><p><\/p><p><p><strong>CAUTION<\/strong> - SSI directives can be used to execute programs<\/p><p>external to the Tomcat JVM. If you are using the Java SecurityManager this<\/p><p>will bypass your security policy configuration in <code>catalina.policy.<\/code><\/p><p><\/p><\/p><p><\/p><p><p>To use the SSI servlet, remove the XML comments from around the SSI servlet<\/p><p>and servlet-mapping configuration in<\/p><p><code>$CATALINA_BASE/conf/web.xml<\/code>.<\/p><\/p><p><\/p><p><p>To use the SSI filter, remove the XML comments from around the SSI filter<\/p><p>and filter-mapping configuration in<\/p><p><code>$CATALINA_BASE/conf/web.xml<\/code>.<\/p><\/p><p><\/p><p><p>Only Contexts which are marked as privileged may use SSI features (see the<\/p><p>privileged property of the Context element).<\/p><\/p><p><\/p><p><\/div><h3 id=\"Servlet_Configuration\">Servlet Configuration<\/h3><div class=\"text\"><\/p><p><\/p><p><p>There are several servlet init parameters which can be used to<\/p><p>configure the behaviour of the SSI servlet.<\/p><\/p><p><ul><\/p><p><li><strong>buffered<\/strong> - Should output from this servlet be buffered?<\/p><p>(0=false, 1=true) Default 0 (false).<\/li><\/p><p><li><strong>debug<\/strong> - Debugging detail level for messages logged<\/p><p>by this servlet. Default 0.<\/li><\/p><p><li><strong>expires<\/strong> - The number of seconds before a page with SSI<\/p><p>directives will expire. Default behaviour is for all SSI directives to be<\/p><p>evaluated for every request.<\/li><\/p><p><li><strong>isVirtualWebappRelative<\/strong> - Should \"virtual\" SSI directive<\/p><p>paths be interpreted as relative to the context root, instead of the server<\/p><p>root? 
Default false.<\/li><\/p><p><li><strong>inputEncoding<\/strong> - The encoding to be assumed for SSI<\/p><p>resources if one cannot be determined from the resource itself. Default is<\/p><p>the default platform encoding.<\/li><\/p><p><li><strong>outputEncoding<\/strong> - The encoding to be used for the result<\/p><p>of the SSI processing. Default is UTF-8.<\/li><\/p><p><li><strong>allowExec<\/strong> - Is the exec command enabled? Default is<\/p><p>false.<\/li><\/p><p><\/ul><\/p><p><\/p><p><\/p><p><\/div><h3 id=\"Filter_Configuration\">Filter Configuration<\/h3><div class=\"text\"><\/p><p><\/p><p><p>There are several filter init parameters which can be used to<\/p><p>configure the behaviour of the SSI filter.<\/p><\/p><p><ul><\/p><p><li><strong>contentType<\/strong> - A regex pattern that must be matched before<\/p><p>SSI processing is applied. When crafting your own pattern, don't forget that a<\/p><p>mime content type may be followed by an optional character set in the form<\/p><p>\"mime/type; charset=set\" that you must take into account.  Default is<\/p><p>\"text/x-server-parsed-html(;.*)?\".<\/li><\/p><p><li><strong>debug<\/strong> - Debugging detail level for messages logged<\/p><p>by this servlet. Default 0.<\/li><\/p><p><li><strong>expires<\/strong> - The number of seconds before a page with SSI<\/p><p>directives will expire. Default behaviour is for all SSI directives to be<\/p><p>evaluated for every request.<\/li><\/p><p><li><strong>isVirtualWebappRelative<\/strong> - Should \"virtual\" SSI directive<\/p><p>paths be interpreted as relative to the context root, instead of the server<\/p><p>root? Default false.<\/li><\/p><p><li><strong>allowExec<\/strong> - Is the exec command enabled? 
Default is<\/p><p>false.<\/li><\/p><p><\/ul><\/p><p><\/p><p><\/p><p><\/div><h3 id=\"Directives\">Directives<\/h3><div class=\"text\"><\/p><p><p>Server Side Includes are invoked by embedding SSI directives in an HTML document<\/p><p> whose type will be processed by the SSI servlet. The directives take the form of an HTML<\/p><p> comment. The directive is replaced by the results of interpreting it before sending the<\/p><p> page to the client. The general form of a directive is: <\/p><\/p><p><p> <code>&lt;!--#directive [parm=value] --&gt;<\/code><\/p><\/p><p><p>The directives are:<\/p><\/p><p><ul><\/p><p><li><\/p><p><strong>config<\/strong> - <code>&lt;!--#config timefmt=\"%B %Y\" --&gt;<\/code><\/p><p>Used to set the format of dates and other items processed by SSI<\/p><p><\/li><\/p><p><li><\/p><p><strong>echo<\/strong> -   <code>&lt;!--#echo var=\"VARIABLE_NAME\" --&gt;<\/code><\/p><p>will be replaced by the value of the variable.<\/p><p><\/li><\/p><p><li><\/p><p><strong>exec<\/strong> -  Used to run commands on the host system.<\/p><p><\/li><\/p><p><li><\/p><p><strong>include<\/strong> -  <code>&lt;!--#include virtual=\"file-name\" --&gt;<\/code><\/p><p>inserts the contents<\/p><p><\/li><\/p><p><li><\/p><p><strong>flastmod<\/strong> - <code>&lt;!--#flastmod file=\"filename.shtml\" --&gt;<\/code><\/p><p>Returns the time that a file was lost modified.<\/p><p><\/li><\/p><p><li><\/p><p><strong>fsize<\/strong> - <code>&lt;!--#fsize file=\"filename.shtml\" --&gt;<\/code><\/p><p>Returns the size of a file.<\/p><p><\/li><\/p><p><li><\/p><p><strong>printenv<\/strong> - <code>&lt;!--#printenv --&gt;<\/code><\/p><p>Returns the list of all the defined variables.<\/p><p><\/li><\/p><p><li><\/p><p><strong>set<\/strong> - <code>&lt;!--#set var=\"foo\" value=\"Bar\" --&gt;<\/code><\/p><p>is used to assign a value to a user-defined variable.<\/p><p><\/li><\/p><p><li><\/p><p><strong>if elif endif<\/p>",
                    "reference": "<p>http://blogs.wsj.com/cio/2013/10/08/adobe-source-code-leak-is-bad-news-for-u-s-government/<\/p>",
                    "cweid": "540",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10095",
                    "alert": "Backup File Disclosure",
                    "name": "Backup File Disclosure",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>A backup of the file was disclosed by the web server<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.log",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.log",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.log]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5%20-%20Copy%20(3)",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5 - Copy (3)",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5 - Copy (3)]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.zip",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.zip",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.zip]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5%20-%20Copy%20(3)",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5 - Copy (3)",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5 - Copy (3)]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.bak",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.bak",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.bak]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.jar",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.jar",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.jar]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.zip",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.zip",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.zip]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5backup",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5backup",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5backup]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.tar",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.tar",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.tar]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.log",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.log",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.log]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.old",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.old",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.old]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.swp",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.swp",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.swp]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.backup",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.backup",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.backup]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.old",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.old",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.old]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.jar",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.jar",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.jar]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.backup",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.backup",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.backup]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.swp",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.swp",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.swp]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.tar",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.tar",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.tar]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5backup",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5backup",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5backup]"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.~bk",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.~bk",
                            "evidence": "A backup of [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP] is available at [http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5.~bk]"
                        }
                    ],
                    "count": "30",
                    "solution": "<p>Do not edit files in-situ on the web server, and ensure that unnecessary files (including hidden files and editor/backup copies) are removed from the web server.<\/p>",
                    "otherinfo": "<p>http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP<\/p><p>Reviewer note: every instance appends the backup suffix (.bak, .old, .zip, \" - Copy (3)\", ...) after the ;jsessionid=... path parameter rather than to the servlet path itself. Servlet containers typically strip path parameters before mapping, so these URLs are most likely served by the same SessionExample servlet with a different session id, which would explain 30 hits on a single resource. Confirm manually (compare response bodies and status codes against the base URL) before treating any of these as a genuine backup-file disclosure.<\/p>",
                    "reference": "<p>https://cwe.mitre.org/data/definitions/530.html<\/p><p>https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information.html<\/p>",
                    "cweid": "530",
                    "wascid": "34",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10029",
                    "alert": "Cookie Poisoning",
                    "name": "Cookie Poisoning",
                    "riskcode": "0",
                    "confidence": "1",
                    "riskdesc": "Informational (Low)",
                    "desc": "<p>This check looks at user-supplied input in query string parameters and POST data to identify where cookie parameters might be controlled. This is called a cookie poisoning attack, and becomes exploitable when an attacker can manipulate the cookie in various ways. In some cases this will not be exploitable, however, allowing URL parameters to set cookie values is generally considered a bug.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "param": "cookievalue"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "param": "cookiename"
                        }
                    ],
                    "count": "2",
                    "solution": "<p>Do not allow user input to control cookie names and values. If some query string parameters must be set in cookie values, be sure to filter out semicolons, which can serve as name/value pair delimiters, and reject newline and control characters that could split the Set-Cookie header.<\/p>",
                    "otherinfo": "<p>An attacker may be able to poison cookie values through POST parameters. To test if this is a more serious issue, you should try resending that request as a GET, with the POST parameter included as a query string parameter. For example:  http://nottrusted.com/page?value=maliciousInput.<\/p><p><\/p><p>This was identified at:<\/p><p><\/p><p>http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample<\/p><p><\/p><p>User-input was found in the following cookie:<\/p><p>ZAP=ZAP; Path=/examples/<\/p><p><\/p><p>The user input was:<\/p><p>cookievalue=ZAP<\/p>",
                    "reference": "<p>http://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-cookie<\/p>",
                    "cweid": "20",
                    "wascid": "20",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10099",
                    "alert": "Source Code Disclosure - SQL",
                    "name": "Source Code Disclosure - SQL",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>Application Source Code was disclosed by the web server - SQL<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/manager.html",
                            "method": "GET",
                            "evidence": "create table tomcat_sessions (\n  session_id     varchar(100)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/",
                            "method": "GET",
                            "evidence": "Select one of the links from the navigation menu "
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jndi-datasource-examples-howto.html",
                            "method": "GET",
                            "evidence": "select * from testdata"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-memory-realm.html",
                            "method": "GET",
                            "evidence": "Select the one and only \"user\" instance from the in"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/index.html",
                            "method": "GET",
                            "evidence": "Select one of the links from the navigation menu "
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/extras.html",
                            "method": "GET",
                            "evidence": "select \"Browse\" from the Quick Navigation Links. The extras components"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/realm-howto.html",
                            "method": "GET",
                            "evidence": "create table users (\n  user_name         varchar(15)"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jdbc-pool.html",
                            "method": "GET",
                            "evidence": "select 1 from dual"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-jdbc-realm.html",
                            "method": "GET",
                            "evidence": "Select the one and only row from the user"
                        }
                    ],
                    "count": "9",
                    "solution": "<p>Ensure that application Source Code is not available with alternative extensions, and ensure that source code is not present within other files or data deployed to the web server, or served by the web server. <\/p>",
                    "otherinfo": "<p>create table tomcat_sessions (<\/p><p>  session_id     varchar(100)<\/p><p>Reviewer note: this check is keyword-based. Several instances (for example \"Select one of the links from the navigation menu\") are plain English prose, and the remaining snippets come from the bundled Tomcat documentation under /docs/ rather than from application source. The actionable issue is that the default Tomcat docs and examples web applications are deployed on this host; removing them resolves this alert together with the other /docs/ and /examples/ findings in this report.<\/p>",
                    "reference": "<p>http://blogs.wsj.com/cio/2013/10/08/adobe-source-code-leak-is-bad-news-for-u-s-government/<\/p>",
                    "cweid": "540",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10054",
                    "alert": "Cookie Without SameSite Attribute",
                    "name": "Cookie Without SameSite Attribute",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
                            "method": "GET",
                            "param": "JSESSIONID",
                            "evidence": "Set-Cookie: JSESSIONID"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "param": "ZAP",
                            "evidence": "Set-Cookie: ZAP"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/basic-arithmetic.jsp",
                            "method": "GET",
                            "param": "JSESSIONID",
                            "evidence": "Set-Cookie: JSESSIONID"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/index.jsp",
                            "method": "GET",
                            "param": "JSESSIONID",
                            "evidence": "Set-Cookie: JSESSIONID"
                        }
                    ],
                    "count": "4",
                    "solution": "<p>Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.<\/p>",
                    "reference": "<p>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site<\/p>",
                    "cweid": "16",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "90022",
                    "alert": "Application Error Disclosure",
                    "name": "Application Error Disclosure",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/error/err.jsp?name=ZAP&submit=Submit",
                            "method": "GET",
                            "evidence": "HTTP/1.1 500 Internal Server Error"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.<\/p>",
                    "reference": "<p><\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10027",
                    "alert": "Information Disclosure - Suspicious Comments",
                    "name": "Information Disclosure - Suspicious Comments",
                    "riskcode": "0",
                    "confidence": "2",
                    "riskdesc": "Informational (Medium)",
                    "desc": "<p>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/web.xml.txt",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/build.xml.txt",
                            "method": "GET"
                        }
                    ],
                    "count": "2",
                    "solution": "<p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.<\/p>",
                    "otherinfo": "<p>The following comment/snippet was identified via the pattern: \\bADMINISTRATOR\\b<\/p><p><!-- Context initialization parameters that define shared<\/p><p>         String constants used within your application, which<\/p><p>         can be customized by the system administrator who is<\/p><p>         installing your application.  The values actually<\/p><p>         assigned to these parameters can be retrieved in a<\/p><p>         servlet or JSP page by calling:<\/p><p><\/p><p>             String value =<\/p><p>               getServletContext().getInitParameter(\"name\");<\/p><p><\/p><p>         where \"name\" matches the <param-name> element of<\/p><p>         one of these initialization parameters.<\/p><p><\/p><p>         You can define any number of context initialization<\/p><p>         parameters, including zero.<\/p><p>    --><\/p><p>The following comment/snippet was identified via the pattern: \\bWHERE\\b<\/p><p><!-- Servlet definitions for the servlets that make up<\/p><p>         your web application, including initialization<\/p><p>         parameters.  With Tomcat, you can also send requests<\/p><p>         to servlets not listed here with a request like this:<\/p><p><\/p><p>           http://localhost:8080/{context-path}/servlet/{classname}<\/p><p><\/p><p>         but this usage is not guaranteed to be portable.  
It also<\/p><p>         makes relative references to images and other resources<\/p><p>         required by your servlet more complicated, so defining<\/p><p>         all of your servlets (and defining a mapping to them with<\/p><p>         a servlet-mapping element) is recommended.<\/p><p><\/p><p>         Servlet initialization parameters can be retrieved in a<\/p><p>         servlet or JSP page by calling:<\/p><p><\/p><p>             String value =<\/p><p>               getServletConfig().getInitParameter(\"name\");<\/p><p><\/p><p>         where \"name\" matches the <param-name> element of<\/p><p>         one of these initialization parameters.<\/p><p><\/p><p>         You can define any number of servlets, including zero.<\/p><p>    --><\/p><p>The following comment/snippet was identified via the pattern: \\bFROM\\b<\/p><p><!-- Define the default session timeout for your application,<\/p><p>         in minutes.  From a servlet or JSP page, you can modify<\/p><p>         the timeout for a particular session dynamically by using<\/p><p>         HttpSession.getMaxInactiveInterval(). --><\/p><p><\/p>",
                    "reference": "<p><\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10051",
                    "alert": "Relative Path Confusion",
                    "name": "Relative Path Confusion",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>The web server is configured to serve responses to ambiguous URLs in a manner that is likely to lead to confusion about the correct \"relative path\" for the URL. Resources (CSS, images, etc.) are also specified in the page response using relative, rather than absolute URLs. In an attack, if the web browser parses the \"cross-content\" response in a permissive manner, or can be tricked into permissively parsing the \"cross-content\" response, using techniques such as framing, then the web browser may be fooled into interpreting HTML as CSS (or other content types), leading to an XSS vulnerability.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/index.jsp",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/index.jsp/ezusw/0t643",
                            "evidence": "<form method=\"POST\" action=\"j_security_check\"> \n <table border=\"0\" cellspacing=\"5\"> \n  <tbody>\n   <tr> \n    <th align=\"right\">Username:<\/th> \n    <td align=\"left\"><input type=\"text\" name=\"j_username\"><\/td> \n   <\/tr> \n   <tr> \n    <th align=\"right\">Password:<\/th> \n    <td align=\"left\"><input type=\"password\" name=\"j_password\"><\/td> \n   <\/tr> \n   <tr> \n    <td align=\"right\"><input type=\"submit\" value=\"Log In\"><\/td> \n    <td align=\"left\"><input type=\"reset\"><\/td> \n   <\/tr> \n  <\/tbody>\n <\/table> \n<\/form>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-manager.html#The_<Manager>",
                            "method": "GET",
                            "attack": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-manager.html",
                            "evidence": "<link href=\"../images/docs-stylesheet.css\" rel=\"stylesheet\" type=\"text/css\">"
                        }
                    ],
                    "count": "2",
                    "solution": "<p>Web servers and frameworks should be updated to be configured to not serve responses to ambiguous URLs in such a way that the relative path of such URLs could be mis-interpreted by components on either the client side, or server side.<\/p><p>Within the application, the correct use of the \"<base>\" HTML tag in the HTTP response will unambiguously specify the base URL for all relative URLs in the document.<\/p><p>Use the \"Content-Type\" HTTP response header to make it harder for the attacker to force the web browser to mis-interpret the content type of the response.<\/p><p>Use the \"X-Content-Type-Options: nosniff\" HTTP response header to prevent the web browser from \"sniffing\" the content type of the response.<\/p><p>Use a modern DOCTYPE such as \"<!doctype html>\" to prevent the page from being rendered in the web browser using \"Quirks Mode\", since this results in the content type being ignored by the web browser.<\/p><p>Specify the \"X-Frame-Options\" HTTP response header to prevent Quirks Mode from being enabled in the web browser using framing attacks. <\/p>",
                    "otherinfo": "<p>No <base> tag was specified in the HTML <head> tag to define the location for relative URLs.<\/p><p>A Content Type of \"text/html;charset=ISO-8859-1\" was specified. If the web browser is employing strict parsing rules, this will prevent cross-content attacks from succeeding. Quirks Mode in the web browser would disable strict parsing.  <\/p><p>Quirks Mode is implicitly enabled via the absence of a DOCTYPE, allowing the specified Content Type to be bypassed.<\/p>",
                    "reference": "<p>http://www.thespanner.co.uk/2014/03/21/rpo/<\/p><p>https://hsivonen.fi/doctype/<\/p><p>http://www.w3schools.com/tags/tag_base.asp<\/p>",
                    "cweid": "20",
                    "wascid": "20",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10202",
                    "alert": "Absence of Anti-CSRF Tokens",
                    "name": "Absence of Anti-CSRF Tokens",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>No Anti-CSRF tokens were found in a HTML submission form.<\/p><p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.<\/p><p><\/p><p>CSRF attacks are effective in a number of situations, including:<\/p><p>    * The victim has an active session on the target site.<\/p><p>    * The victim is authenticated via HTTP auth on the target site.<\/p><p>    * The victim is on the same local network as the target site.<\/p><p><\/p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestParamExample",
                            "method": "GET",
                            "evidence": "<form action=\"RequestParamExample\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "evidence": "<form action=\"CookieExample\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colors.html",
                            "method": "GET",
                            "evidence": "<form method=GET action=colrs.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/login.html",
                            "method": "GET",
                            "evidence": "<form method=GET action=cal1.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
                            "method": "GET",
                            "evidence": "<form action=\"SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5\" method=GET>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.html",
                            "method": "GET",
                            "evidence": "<form type=POST action=carts.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/nonblocking/bytecounter.html",
                            "method": "GET",
                            "evidence": "<form method=\"POST\" enctype=\"multipart/form-data\" action=\"bytecounter\" >"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.jsp?guess=ZAP",
                            "method": "GET",
                            "evidence": "<form method=get>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5",
                            "method": "POST",
                            "evidence": "<form action=\"SessionExample\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "GET",
                            "evidence": "<form action=\"CookieExample\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=remove",
                            "method": "GET",
                            "evidence": "<form type=POST action=carts.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Submit&color1=ZAP&color2=ZAP",
                            "method": "GET",
                            "evidence": "<form method=POST action=colrs.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestParamExample",
                            "method": "POST",
                            "evidence": "<form action=\"RequestParamExample\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5",
                            "method": "POST",
                            "evidence": "<form action=\"SessionExample\" method=GET>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=foo&datavalue=bar",
                            "method": "GET",
                            "evidence": "<form action=\"SessionExample\" method=GET>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/num/numguess.jsp",
                            "method": "GET",
                            "evidence": "<form method=get>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
                            "method": "GET",
                            "evidence": "<form action=\"SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5\" method=POST>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/checkbox/check.html",
                            "method": "GET",
                            "evidence": "<FORM TYPE=POST ACTION=checkresult.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=add",
                            "method": "GET",
                            "evidence": "<form type=POST action=carts.jsp>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/cal1.jsp?action=Submit&email=foo-bar%40example.com&name=ZAP",
                            "method": "GET",
                            "evidence": "<FORM METHOD=POST ACTION=cal1.jsp>"
                        }
                    ],
                    "count": "29",
                    "solution": "<p>Phase: Architecture and Design<\/p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.<\/p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.<\/p><p><\/p><p>Phase: Implementation<\/p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.<\/p><p><\/p><p>Phase: Architecture and Design<\/p><p>Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).<\/p><p>Note that this can be bypassed using XSS.<\/p><p><\/p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.<\/p><p>Note that this can be bypassed using XSS.<\/p><p><\/p><p>Use the ESAPI Session Management control.<\/p><p>This control includes a component for CSRF.<\/p><p><\/p><p>Do not use the GET method for any request that triggers a state change.<\/p><p><\/p><p>Phase: Implementation<\/p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.<\/p>",
                    "otherinfo": "<p>No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret, __csrf_magic] was found in the following HTML form: [Form 1: \"firstname\" \"lastname\" ].<\/p>",
                    "reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery<\/p><p>http://cwe.mitre.org/data/definitions/352.html<\/p>",
                    "cweid": "352",
                    "wascid": "9",
                    "sourceid": "3"
                },
                {
                    "pluginid": "90027",
                    "alert": "Cookie Slack Detector",
                    "name": "Cookie Slack Detector",
                    "riskcode": "0",
                    "confidence": "1",
                    "riskdesc": "Informational (Low)",
                    "desc": "<p>Repeated GET requests: drop a different cookie each time, followed by normal request with all cookies to stabilize session, compare responses against original baseline GET. This can reveal areas where cookie based authentication/attributes are not actually enforced.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5",
                            "method": "POST"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/async/stockticker",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/forward/forward.jsp",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/j_security_check",
                            "method": "POST"
                        }
                    ],
                    "count": "7",
                    "solution": "<p><\/p>",
                    "otherinfo": "<p>Dropping this cookie appears to have invalidated the session: [JSESSIONID] A follow-on request with all original cookies still had a different response than the original request. <\/p><p><\/p>",
                    "reference": "<p>http://projects.webappsec.org/Fingerprinting<\/p><p><\/p>",
                    "cweid": "200",
                    "wascid": "45",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10027",
                    "alert": "Information Disclosure - Suspicious Comments",
                    "name": "Information Disclosure - Suspicious Comments",
                    "riskcode": "0",
                    "confidence": "1",
                    "riskdesc": "Informational (Low)",
                    "desc": "<p>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/drawboard.xhtml",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-objects.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/echo.xhtml",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-opers.html",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/funcspecs/fs-admin-apps.html",
                            "method": "GET"
                        }
                    ],
                    "count": "5",
                    "solution": "<p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.<\/p>",
                    "otherinfo": "<p>The following comment/snippet was identified via the pattern: \\bFROM\\b<\/p><p><script type=\"application/javascript\"><![CDATA[<\/p><p>    \"use strict\";<\/p><p><\/p><p>    (function() {<\/p><p><\/p><p>        document.addEventListener(\"DOMContentLoaded\", function() {<\/p><p>            // Remove elements with \"noscript\" class - <noscript> is not<\/p><p>            // allowed in XHTML<\/p><p>            var noscripts = document.getElementsByClassName(\"noscript\");<\/p><p>            for (var i = 0; i < noscripts.length; i++) {<\/p><p>                noscripts[i].parentNode.removeChild(noscripts[i]);<\/p><p>            }<\/p><p><\/p><p>            // Add script for expand content.<\/p><p>            var expandElements = document.getElementsByClassName(\"expand\");<\/p><p>            for (var ixx = 0; ixx < expandElements.length; ixx++) {<\/p><p>                (function(el) {<\/p><p>                    var expandContent = document.getElementById(el.getAttribute(\"data-content-id\"));<\/p><p>                    expandContent.style.display = \"none\";<\/p><p>                    var arrow = document.createTextNode(\"◢ \");<\/p><p>                    var arrowSpan = document.createElement(\"span\");<\/p><p>                    arrowSpan.appendChild(arrow);<\/p><p><\/p><p>                    var link = document.createElement(\"a\");<\/p><p>                    link.setAttribute(\"href\", \"#!\");<\/p><p>                    while (el.firstChild != null) {<\/p><p>                        link.appendChild(el.removeChild(el.firstChild));<\/p><p>                    }<\/p><p>                    el.appendChild(arrowSpan);<\/p><p>                    el.appendChild(link);<\/p><p><\/p><p>                    var textSpan = document.createElement(\"span\");<\/p><p>                    textSpan.setAttribute(\"style\", \"font-weight: normal;\");<\/p><p>                    textSpan.appendChild(document.createTextNode(\" (click to 
expand)\"));<\/p><p>                    el.appendChild(textSpan);<\/p><p><\/p><p><\/p><p>                    var visible = true;<\/p><p><\/p><p>                    var switchExpand = function() {<\/p><p>                        visible = !visible;<\/p><p>                        expandContent.style.display = visible ? \"block\" : \"none\";<\/p><p>                        arrowSpan.style.color = visible ? \"#000\" : \"#888\";<\/p><p>                        return false;<\/p><p>                    };<\/p><p><\/p><p>                    link.onclick = switchExpand;<\/p><p>                    switchExpand();<\/p><p><\/p><p>                })(expandElements[ixx]);<\/p><p>            }<\/p><p><\/p><p><\/p><p>            var Console = {};<\/p><p><\/p><p>            Console.log = (function() {<\/p><p>                var consoleContainer =<\/p><p>                    document.getElementById(\"console-container\");<\/p><p>                var console = document.createElement(\"div\");<\/p><p>                console.setAttribute(\"id\", \"console\");<\/p><p>                consoleContainer.appendChild(console);<\/p><p><\/p><p>                return function(message) {<\/p><p>                    var p = document.createElement('p');<\/p><p>                    p.style.wordWrap = \"break-word\";<\/p><p>                    p.appendChild(document.createTextNode(message));<\/p><p>                    console.appendChild(p);<\/p><p>                    while (console.childNodes.length > 25) {<\/p><p>                        console.removeChild(console.firstChild);<\/p><p>                    }<\/p><p>                    console.scrollTop = console.scrollHeight;<\/p><p>                }<\/p><p>            })();<\/p><p><\/p><p><\/p><p>            function Room(drawContainer) {<\/p><p><\/p><p>                /* A pausable event forwarder that can be used to pause and<\/p><p>                 * resume handling of events (e.g. 
when we need to wait<\/p><p>                 * for a Image's load event before we can process further<\/p><p>                 * WebSocket messages).<\/p><p>                 * The object's callFunction(func) should be called from an<\/p><p>                 * event handler and give the function to handle the event as<\/p><p>                 * argument.<\/p><p>                 * Call pauseProcessing() to suspend event forwarding and<\/p><p>                 * resumeProcessing() to resume it.<\/p><p>                 */<\/p><p>                function PausableEventForwarder() {<\/p><p><\/p><p>                    var pauseProcessing = false;<\/p><p>                    // Queue for buffering functions to be called.<\/p><p>                    var functionQueue = [];<\/p><p><\/p><p>                    this.callFunction = function(func) {<\/p><p>                        // If message processing is paused, we push it<\/p><p>                        // into the queue - otherwise we process it directly.<\/p><p>                        if (pauseProcessing) {<\/p><p>                            functionQueue.push(func);<\/p><p>                        } else {<\/p><p>                            func();<\/p><p>                        }<\/p><p>                    };<\/p><p><\/p><p>                    this.pauseProcessing = function() {<\/p><p>                        pauseProcessing = true;<\/p><p>                    };<\/p><p><\/p><p>                    this.resumeProcessing = function() {<\/p><p>                        pauseProcessing = false;<\/p><p><\/p><p>                        // Process all queued functions until some handler calls<\/p><p>                        // pauseProcessing() again.<\/p><p>                        while (functionQueue.length > 0 && !pauseProcessing) {<\/p><p>                            var func = functionQueue.pop();<\/p><p>                            func();<\/p><p>                        }<\/p><p>                    };<\/p><p>                
}<\/p><p><\/p><p>                // The WebSocket object.<\/p><p>                var socket;<\/p><p>                // ID of the timer which sends ping messages.<\/p><p>                var pingTimerId;<\/p><p><\/p><p>                var isStarted = false;<\/p><p>                var playerCount = 0;<\/p><p><\/p><p>                // An array of PathIdContainer objects that the server<\/p><p>                // did not yet handle.<\/p><p>                // They are ordered by id (ascending).<\/p><p>                var pathsNotHandled = [];<\/p><p><\/p><p>                var nextMsgId = 1;<\/p><p><\/p><p>                var canvasDisplay = document.createElement(\"canvas\");<\/p><p>                var canvasBackground = document.createElement(\"canvas\");<\/p><p>                var canvasServerImage = document.createElement(\"canvas\");<\/p><p>                var canvasArray = [canvasDisplay, canvasBackground,<\/p><p>                    canvasServerImage];<\/p><p>                canvasDisplay.addEventListener(\"mousedown\", function(e) {<\/p><p>                    // Prevent default mouse event to prevent browsers from marking text<\/p><p>                    // (and Chrome from displaying the \"text\" cursor).<\/p><p>                    e.preventDefault();<\/p><p>                }, false);<\/p><p><\/p><p>                var labelPlayerCount = document.createTextNode(\"0\");<\/p><p>                var optionContainer = document.createElement(\"div\");<\/p><p><\/p><p><\/p><p>                var canvasDisplayCtx = canvasDisplay.getContext(\"2d\");<\/p><p>                var canvasBackgroundCtx = canvasBackground.getContext(\"2d\");<\/p><p>                var canvasServerImageCtx = canvasServerImage.getContext(\"2d\");<\/p><p>                var canvasMouseMoveHandler;<\/p><p>                var canvasMouseDownHandler;<\/p><p><\/p><p>                var isActive = false;<\/p><p>                var mouseInWindow = false;<\/p><p>                var mouseDown = false;<\/p><p> 
               var currentMouseX = 0, currentMouseY = 0;<\/p><p>                var currentPreviewPath = null;<\/p><p><\/p><p>                var availableColors = [];<\/p><p>                var currentColorIndex;<\/p><p>                var colorContainers;<\/p><p>                var previewTransparency = 0.65;<\/p><p><\/p><p>                var availableThicknesses = [2, 3, 6, 10, 16, 28, 50];<\/p><p>                var currentThicknessIndex;<\/p><p>                var thicknessContainers;<\/p><p><\/p><p>                var availableDrawTypes = [<\/p><p>                           { name: \"Brush\", id: 1, continuous: true },<\/p><p>                           { name: \"Line\", id: 2, continuous: false },<\/p><p>                           { name: \"Rectangle\", id: 3, continuous: false },<\/p><p>                           { name: \"Ellipse\", id: 4, continuous: false }<\/p><p>                ];<\/p><p>                var currentDrawTypeIndex;<\/p><p>                var drawTypeContainers;<\/p><p><\/p><p><\/p><p>                var labelContainer = document.getElementById(\"labelContainer\");<\/p><p>                var placeholder = document.createElement(\"div\");<\/p><p>                placeholder.appendChild(document.createTextNode(\"Loading... 
\"));<\/p><p>                var progressElem = document.createElement(\"progress\");<\/p><p>                placeholder.appendChild(progressElem);<\/p><p><\/p><p>                labelContainer.appendChild(placeholder);<\/p><p><\/p><p>                function rgb(color) {<\/p><p>                       return \"rgba(\" + color[0] + \",\" + color[1] + \",\"<\/p><p>                               + color[2] + \",\" + color[3] + \")\";<\/p><p>                   }<\/p><p><\/p><p>                function PathIdContainer(path, id) {<\/p><p>                    this.path = path;<\/p><p>                    this.id = id;<\/p><p>                }<\/p><p><\/p><p>                function Path(type, color, thickness, x1, y1, x2, y2, lastInChain) {<\/p><p>                    this.type = type;<\/p><p>                    this.color = color;<\/p><p>                    this.thickness = thickness;<\/p><p>                    this.x1 = x1;<\/p><p>                    this.y1 = y1;<\/p><p>                    this.x2 = x2;<\/p><p>                    this.y2 = y2;<\/p><p>                    this.lastInChain = lastInChain;<\/p><p><\/p><p>                    function ellipse(ctx, x, y, w, h) {<\/p><p>                        /* Drawing a ellipse cannot be done directly in a<\/p><p>                         * CanvasRenderingContext2D - we need to use drawArc()<\/p><p>                         * in conjunction with scaling the context so that we<\/p><p>                         * get the needed proportion.<\/p><p>                         */<\/p><p>                        ctx.save();<\/p><p><\/p><p>                        // Translate and scale the context so that we can draw<\/p><p>                        // an arc at (0, 0) with a radius of 1.<\/p><p>                        ctx.translate(x + w / 2, y + h / 2);<\/p><p>                        ctx.scale(w / 2, h / 2);<\/p><p><\/p><p>                        ctx.beginPath();<\/p><p>                        ctx.arc(0, 0, 1, 0, Math.PI * 2, 
false);<\/p><p><\/p><p>                        ctx.restore();<\/p><p>                    }<\/p><p><\/p><p>                    this.draw = function(ctx) {<\/p><p>                        ctx.beginPath();<\/p><p>                        ctx.lineCap = \"round\";<\/p><p>                        ctx.lineWidth = thickness;<\/p><p>                        var style = rgb(color);<\/p><p>                        ctx.strokeStyle = style;<\/p><p><\/p><p>                        if (x1 == x2 && y1 == y2) {<\/p><p>                            // Always draw as arc to meet the behavior<\/p><p>                            // in Java2D.<\/p><p>                            ctx.fillStyle = style;<\/p><p>                            ctx.arc(x1, y1, thickness / 2.0, 0,<\/p><p>                                    Math.PI * 2.0, false);<\/p><p>                            ctx.fill();<\/p><p>                        } else {<\/p><p>                            if (type == 1 || type == 2) {<\/p><p>                                // Draw a line.<\/p><p>                                ctx.moveTo(x1, y1);<\/p><p>                                ctx.lineTo(x2, y2);<\/p><p>                                ctx.stroke();<\/p><p>                            } else if (type == 3) {<\/p><p>                                // Draw a rectangle.<\/p><p>                                if (x1 == x2 || y1 == y2) {<\/p><p>                                    // Draw as line<\/p><p>                                    ctx.moveTo(x1, y1);<\/p><p>                                    ctx.lineTo(x2, y2);<\/p><p>                                    ctx.stroke();<\/p><p>                                } else {<\/p><p>                                    ctx.strokeRect(x1, y1, x2 - x1, y2 - y1);<\/p><p>                                }<\/p><p>                            } else if (type == 4) {<\/p><p>                                // Draw a ellipse.<\/p><p>                                ellipse(ctx, x1, y1, x2 - x1, y2 - y1);<\/p><p> 
                               ctx.closePath();<\/p><p>                                ctx.stroke();<\/p><p>                            }<\/p><p>                        }<\/p><p>                    };<\/p><p>                }<\/p><p><\/p><p><\/p><p>                function connect() {<\/p><p>                    var host = (window.location.protocol == \"https:\"<\/p><p>                            ? \"wss://\" : \"ws://\") + window.location.host<\/p><p>                            + \"/examples/websocket/drawboard\";<\/p><p>                    socket = new WebSocket(host);<\/p><p><\/p><p>                    /* Use a pausable event forwarder.<\/p><p>                     * This is needed when we load an Image object with data<\/p><p>                     * from a previous message, because we must wait until the<\/p><p>                     * Image's load event it raised before we can use it (and<\/p><p>                     * in the meantime the socket.message event could be<\/p><p>                     * raised).<\/p><p>                     * Therefore we need this pausable event handler to handle<\/p><p>                     * e.g. socket.onmessage and socket.onclose.<\/p><p>                     */<\/p><p>                    var eventForwarder = new PausableEventForwarder();<\/p><p><\/p><p>                    socket.onopen = function () {<\/p><p>                        // Socket has opened. 
Now wait for the server to<\/p><p>                        // send us the initial packet.<\/p><p>                        Console.log(\"WebSocket connection opened.\");<\/p><p><\/p><p>                        // Set up a timer for pong messages.<\/p><p>                        pingTimerId = window.setInterval(function() {<\/p><p>                            socket.send(\"0\");<\/p><p>                        }, 30000);<\/p><p>                    };<\/p><p><\/p><p>                    socket.onclose = function () {<\/p><p>                        eventForwarder.callFunction(function() {<\/p><p>                            Console.log(\"WebSocket connection closed.\");<\/p><p>                            disableControls();<\/p><p><\/p><p>                            // Disable pong timer.<\/p><p>                            window.clearInterval(pingTimerId);<\/p><p>                        });<\/p><p>                    };<\/p><p><\/p><p>                    // Handles an incoming Websocket message.<\/p><p>                    var handleOnMessage = function(message) {<\/p><p><\/p><p>                        // Split joined message and process them<\/p><p>                        // invidividually.<\/p><p>                        var messages = message.data.split(\";\");<\/p><p>                        for (var msgArrIdx = 0; msgArrIdx < messages.length;<\/p><p>                                msgArrIdx++) {<\/p><p>                            var msg = messages[msgArrIdx];<\/p><p>                            var type = msg.substring(0, 1);<\/p><p><\/p><p>                            if (type == \"0\") {<\/p><p>                                // Error message.<\/p><p>                                var error = msg.substring(1);<\/p><p>                                // Log it to the console and show an alert.<\/p><p>                                Console.log(\"Error: \" + error);<\/p><p>                                alert(error);<\/p><p><\/p><p>                            } else 
{<\/p><p>                                if (!isStarted) {<\/p><p>                                    if (type == \"2\") {<\/p><p>                                        // Initial message. It contains the<\/p><p>                                        // number of players.<\/p><p>                                        // After this message we will receive<\/p><p>                                        // a binary message containing the current<\/p><p>                                        // room image as PNG.<\/p><p>                                        playerCount = parseInt(msg.substring(1));<\/p><p><\/p><p>                                        refreshPlayerCount();<\/p><p><\/p><p>                                        // The next message will be a binary<\/p><p>                                        // message containing the room images<\/p><p>                                        // as PNG. Therefore we temporarily swap<\/p><p>                                        // the message handler.<\/p><p>                                        var originalHandler = handleOnMessage;<\/p><p>                                        handleOnMessage = function(message) {<\/p><p>                                            // First, we restore the original handler.<\/p><p>                                            handleOnMessage = originalHandler;<\/p><p><\/p><p>                                            // Read the image.<\/p><p>                                            var blob = message.data;<\/p><p>                                            // Create new blob with correct MIME type.<\/p><p>                                            blob = new Blob([blob], {type : \"image/png\"});<\/p><p><\/p><p>                                            var url = URL.createObjectURL(blob);<\/p><p><\/p><p>                                            var img = new Image();<\/p><p><\/p><p>                                            // We must wait until the onload event 
is<\/p><p>                                            // raised until we can draw the image onto<\/p><p>                                            // the canvas.<\/p><p>                                            // Therefore we need to pause the event<\/p><p>                                            // forwarder until the image is loaded.<\/p><p>                                            eventForwarder.pauseProcessing();<\/p><p><\/p><p>                                            img.onload = function() {<\/p><p><\/p><p>                                                // Release the object URL.<\/p><p>                                                URL.revokeObjectURL(url);<\/p><p><\/p><p>                                                // Set the canvases to the correct size.<\/p><p>                                                for (var i = 0; i < canvasArray.length; i++) {<\/p><p>                                                    canvasArray[i].width = img.width;<\/p><p>                                                    canvasArray[i].height = img.height;<\/p><p>                                                }<\/p><p><\/p><p>                                                // Now draw the image on the last canvas.<\/p><p>                                                canvasServerImageCtx.clearRect(0, 0,<\/p><p>                                                        canvasServerImage.width,<\/p><p>                                                        canvasServerImage.height);<\/p><p>                                                canvasServerImageCtx.drawImage(img, 0, 0);<\/p><p><\/p><p>                                                // Draw it on the background canvas.<\/p><p>                                                canvasBackgroundCtx.drawImage(canvasServerImage,<\/p><p>                                                        0, 0);<\/p><p><\/p><p>                                                isStarted = true;<\/p><p>                            
                    startControls();<\/p><p><\/p><p>                                                // Refresh the display canvas.<\/p><p>                                                refreshDisplayCanvas();<\/p><p><\/p><p><\/p><p>                                                // Finally, resume the event forwarder.<\/p><p>                                                eventForwarder.resumeProcessing();<\/p><p>                                            };<\/p><p><\/p><p>                                            img.src = url;<\/p><p>                                        };<\/p><p>                                    }<\/p><p>                                } else {<\/p><p>                                    if (type == \"3\") {<\/p><p>                                        // The number of players in this room changed.<\/p><p>                                        var playerAdded = msg.substring(1) == \"+\";<\/p><p>                                        playerCount += playerAdded ? 1 : -1;<\/p><p>                                        refreshPlayerCount();<\/p><p><\/p><p>                                        Console.log(\"Player \" + (playerAdded<\/p><p>                                                ? 
\"joined.\" : \"left.\"));<\/p><p><\/p><p>                                    } else if (type == \"1\") {<\/p><p>                                        // We received a new DrawMessage.<\/p><p>                                        var maxLastHandledId = -1;<\/p><p>                                        var drawMessages = msg.substring(1).split(\"|\");<\/p><p>                                        for (var i = 0; i < drawMessages.length; i++) {<\/p><p>                                            var elements = drawMessages[i].split(\",\");<\/p><p>                                            var lastHandledId = parseInt(elements[0]);<\/p><p>                                               maxLastHandledId = Math.max(maxLastHandledId,<\/p><p>                                                       lastHandledId);<\/p><p><\/p><p>                                            var path = new Path(<\/p><p>                                                    parseInt(elements[1]),<\/p><p>                                                    [parseInt(elements[2]),<\/p><p>                                                    parseInt(elements[3]),<\/p><p>                                                    parseInt(elements[4]),<\/p><p>                                                    parseInt(elements[5]) / 255.0],<\/p><p>                                                    parseFloat(elements[6]),<\/p><p>                                                    parseFloat(elements[7]),<\/p><p>                                                    parseFloat(elements[8]),<\/p><p>                                                    parseFloat(elements[9]),<\/p><p>                                                    parseFloat(elements[10]),<\/p><p>                                                    elements[11] != \"0\");<\/p><p><\/p><p>                                            // Draw the path onto the last canvas.<\/p><p>                                            
path.draw(canvasServerImageCtx);<\/p><p>                                        }<\/p><p><\/p><p>                                        // Draw the last canvas onto the background one.<\/p><p>                                        canvasBackgroundCtx.drawImage(canvasServerImage,<\/p><p>                                                0, 0);<\/p><p><\/p><p>                                        // Now go through the pathsNotHandled array and<\/p><p>                                        // remove the paths that were already handled by<\/p><p>                                        // the server.<\/p><p>                                        while (pathsNotHandled.length > 0<\/p><p>                                                && pathsNotHandled[0].id <= maxLastHandledId)<\/p><p>                                            pathsNotHandled.shift();<\/p><p><\/p><p>                                        // Now me must draw the remaining paths onto<\/p><p>                                        // the background canvas.<\/p><p>                                        for (var i = 0; i < pathsNotHandled.length; i++) {<\/p><p>                                            pathsNotHandled[i].path.draw(canvasBackgroundCtx);<\/p><p>                                        }<\/p><p><\/p><p>                                        refreshDisplayCanvas();<\/p><p>                                    }<\/p><p>                                }<\/p><p>                            }<\/p><p>                        }<\/p><p>                    };<\/p><p><\/p><p>                    socket.onmessage = function(message) {<\/p><p>                        eventForwarder.callFunction(function() {<\/p><p>                            handleOnMessage(message);<\/p><p>                        });<\/p><p>                    };<\/p><p><\/p><p>                }<\/p><p><\/p><p><\/p><p>                function refreshPlayerCount() {<\/p><p>                    labelPlayerCount.nodeValue = 
String(playerCount);<\/p><p>                }<\/p><p><\/p><p>                function refreshDisplayCanvas() {<\/p><p>                    if (!isActive) { // Don't draw a curser when not active.<\/p><p>                        return;<\/p><p>                    }<\/p><p><\/p><p>                    canvasDisplayCtx.drawImage(canvasBackground, 0, 0);<\/p><p>                    if (currentPreviewPath != null) {<\/p><p>                        // Draw the preview path.<\/p><p>                        currentPreviewPath.draw(canvasDisplayCtx);<\/p><p><\/p><p>                    } else if (mouseInWindow && !mouseDown) {<\/p><p>                        canvasDisplayCtx.beginPath();<\/p><p>                        var color = availableColors[currentColorIndex].slice(0);<\/p><p>                        color[3] = previewTransparency;<\/p><p>                        canvasDisplayCtx.fillStyle = rgb(color);<\/p><p><\/p><p>                        canvasDisplayCtx.arc(currentMouseX, currentMouseY,<\/p><p>                                availableThicknesses[currentThicknessIndex] / 2,<\/p><p>                                0, Math.PI * 2.0, true);<\/p><p>                        canvasDisplayCtx.fill();<\/p><p>                    }<\/p><p><\/p><p>                }<\/p><p><\/p><p>                function startControls() {<\/p><p>                    isActive = true;<\/p><p><\/p><p>                    labelContainer.removeChild(placeholder);<\/p><p>                    placeholder = undefined;<\/p><p><\/p><p>                    labelContainer.appendChild(<\/p><p>                            document.createTextNode(\"Number of Players: \"));<\/p><p>                    labelContainer.appendChild(labelPlayerCount);<\/p><p><\/p><p><\/p><p>                    drawContainer.style.display = \"block\";<\/p><p>                    drawContainer.appendChild(canvasDisplay);<\/p><p><\/p><p>                    drawContainer.appendChild(optionContainer);<\/p><p><\/p><p>                    
canvasMouseDownHandler = function(e) {<\/p><p>                        if (e.button == 0) {<\/p><p>                            currentMouseX = e.pageX - canvasDisplay.offsetLeft;<\/p><p>                            currentMouseY = e.pageY - canvasDisplay.offsetTop;<\/p><p><\/p><p>                            mouseDown = true;<\/p><p>                            canvasMouseMoveHandler(e);<\/p><p><\/p><p>                        } else if (mouseDown) {<\/p><p>                            // Cancel drawing.<\/p><p>                            mouseDown = false;<\/p><p>                            currentPreviewPath = null;<\/p><p><\/p><p>                            currentMouseX = e.pageX - canvasDisplay.offsetLeft;<\/p><p>                            currentMouseY = e.pageY - canvasDisplay.offsetTop;<\/p><p><\/p><p>                            refreshDisplayCanvas();<\/p><p>                        }<\/p><p>                    };<\/p><p>                    canvasDisplay.addEventListener(\"mousedown\", canvasMouseDownHandler, false);<\/p><p><\/p><p>                    canvasMouseMoveHandler = function(e) {<\/p><p>                        var mouseX = e.pageX - canvasDisplay.offsetLeft;<\/p><p>                        var mouseY = e.pageY - canvasDisplay.offsetTop;<\/p><p><\/p><p>                        if (mouseDown) {<\/p><p>                            var drawType = availableDrawTypes[currentDrawTypeIndex];<\/p><p><\/p><p>                            if (drawType.continuous) {<\/p><p><\/p><p>                                var path = new Path(drawType.id,<\/p><p>                                        availableColors[currentColorIndex],<\/p><p>                                        availableThicknesses[currentThicknessIndex],<\/p><p>                                        currentMouseX, currentMouseY, mouseX,<\/p><p>                                        mouseY, false);<\/p><p>                                // Draw it on the background canvas.<\/p><p>                           
     path.draw(canvasBackgroundCtx);<\/p><p><\/p><p>                                // Send it to the sever.<\/p><p>                                pushPath(path);<\/p><p><\/p><p>                                // Refresh old coordinates<\/p><p>                                currentMouseX = mouseX;<\/p><p>                                currentMouseY = mouseY;<\/p><p><\/p><p>                            } else {<\/p><p>                                // Create a new preview path.<\/p><p>                                var color = availableColors[currentColorIndex].slice(0);<\/p><p>                                color[3] = previewTransparency;<\/p><p>                                currentPreviewPath = new Path(drawType.id,<\/p><p>                                        color,<\/p><p>                                        availableThicknesses[currentThicknessIndex],<\/p><p>                                        currentMouseX, currentMouseY, mouseX,<\/p><p>                                        mouseY, false);<\/p><p>                            }<\/p><p><\/p><p>                            refreshDisplayCanvas();<\/p><p>                        } else {<\/p><p>                            currentMouseX = mouseX;<\/p><p>                            currentMouseY = mouseY;<\/p><p><\/p><p>                            if (mouseInWindow) {<\/p><p>                                refreshDisplayCanvas();<\/p><p>                            }<\/p><p>                        }<\/p><p><\/p><p>                    };<\/p><p>                    document.addEventListener(\"mousemove\", canvasMouseMoveHandler, false);<\/p><p><\/p><p>                    document.addEventListener(\"mouseup\", function(e) {<\/p><p>                        if (e.button == 0) {<\/p><p>                            if (mouseDown) {<\/p><p>                                mouseDown = false;<\/p><p>                                currentPreviewPath = null;<\/p><p><\/p><p>                                var mouseX 
= e.pageX - canvasDisplay.offsetLeft;<\/p><p>                                var mouseY = e.pageY - canvasDisplay.offsetTop;<\/p><p>                                var drawType = availableDrawTypes[currentDrawTypeIndex];<\/p><p><\/p><p>                                var path = new Path(drawType.id, availableColors[currentColorIndex],<\/p><p>                                        availableThicknesses[currentThicknessIndex],<\/p><p>                                        currentMouseX, currentMouseY, mouseX,<\/p><p>                                        mouseY, true);<\/p><p>                                // Draw it on the background canvas.<\/p><p>                                path.draw(canvasBackgroundCtx);<\/p><p><\/p><p>                                // Send it to the sever.<\/p><p>                                pushPath(path);<\/p><p><\/p><p>                                // Refresh old coordinates<\/p><p>                                currentMouseX = mouseX;<\/p><p>                                currentMouseY = mouseY;<\/p><p><\/p><p>                                refreshDisplayCanvas();<\/p><p>                            }<\/p><p>                        }<\/p><p>                    }, false);<\/p><p><\/p><p>                    canvasDisplay.addEventListener(\"mouseout\", function(e) {<\/p><p>                        mouseInWindow = false;<\/p><p>                        refreshDisplayCanvas();<\/p><p>                    }, false);<\/p><p><\/p><p>                    canvasDisplay.addEventListener(\"mousemove\", function(e) {<\/p><p>                        if (!mouseInWindow) {<\/p><p>                            mouseInWindow = true;<\/p><p>                            refreshDisplayCanvas();<\/p><p>                        }<\/p><p>                    }, false);<\/p><p><\/p><p><\/p><p>                    // Create color and thickness controls.<\/p><p>                    var colorContainersBox = document.createElement(\"div\");<\/p><p>                    
colorContainersBox.setAttribute(\"style\",<\/p><p>                            \"margin: 4px; border: 1px solid #bbb; border-radius: 3px;\");<\/p><p>                    optionContainer.appendChild(colorContainersBox);<\/p><p><\/p><p>                    colorContainers = new Array(3 * 3 * 3);<\/p><p>                    for (var i = 0; i < colorContainers.length; i++) {<\/p><p>                        var colorContainer = colorContainers[i] =<\/p><p>                            document.createElement(\"div\");<\/p><p>                        var color = availableColors[i] =<\/p><p>                            [<\/p><p>                                Math.floor((i % 3) * 255 / 2),<\/p><p>                                Math.floor((Math.floor(i / 3) % 3) * 255 / 2),<\/p><p>                                Math.floor((Math.floor(i / (3 * 3)) % 3) * 255 / 2),<\/p><p>                                1.0<\/p><p>                            ];<\/p><p>                        colorContainer.setAttribute(\"style\",<\/p><p>                                \"margin: 3px; width: 18px; height: 18px; \"<\/p><p>                                + \"float: left; background-color: \" + rgb(color));<\/p><p>                        colorContainer.style.border = '2px solid #000';<\/p><p>                        colorContainer.addEventListener(\"mousedown\", (function(ix) {<\/p><p>                            return function() {<\/p><p>                                setColor(ix);<\/p><p>                            };<\/p><p>                        })(i), false);<\/p><p><\/p><p>                        colorContainersBox.appendChild(colorContainer);<\/p><p>                    }<\/p><p><\/p><p>                    var divClearLeft = document.createElement(\"div\");<\/p><p>                    divClearLeft.setAttribute(\"style\", \"clear: left;\");<\/p><p>                    colorContainersBox.appendChild(divClearLeft);<\/p><p><\/p><p><\/p><p>                    var drawTypeContainersBox = 
document.createElement(\"div\");<\/p><p>                    drawTypeContainersBox.setAttribute(\"style\",<\/p><p>                           \"float: right; margin-right: 3px; margin-top: 1px;\");<\/p><p>                    optionContainer.appendChild(drawTypeContainersBox);<\/p><p><\/p><p>                    drawTypeContainers = new Array(availableDrawTypes.length);<\/p><p>                    for (var i = 0; i < drawTypeContainers.length; i++) {<\/p><p>                        var drawTypeContainer = drawTypeContainers[i] =<\/p><p>                            document.createElement(\"div\");<\/p><p>                        drawTypeContainer.setAttribute(\"style\",<\/p><p>                                \"text-align: center; margin: 3px; padding: 0 3px;\"<\/p><p>                                + \"height: 18px; float: left;\");<\/p><p>                        drawTypeContainer.style.border = \"2px solid #000\";<\/p><p>                        drawTypeContainer.appendChild(document.createTextNode(<\/p><p>                                String(availableDrawTypes[i].name)));<\/p><p>                        drawTypeContainer.addEventListener(\"mousedown\", (function(ix) {<\/p><p>                            return function() {<\/p><p>                                setDrawType(ix);<\/p><p>                            };<\/p><p>                        })(i), false);<\/p><p><\/p><p>                        drawTypeContainersBox.appendChild(drawTypeContainer);<\/p><p>                    }<\/p><p><\/p><p><\/p><p>                    var thicknessContainersBox = document.createElement(\"div\");<\/p><p>                    thicknessContainersBox.setAttribute(\"style\",<\/p><p>                            \"margin: 3px; border: 1px solid #bbb; border-radius: 3px;\");<\/p><p>                    optionContainer.appendChild(thicknessContainersBox);<\/p><p><\/p><p>                    thicknessContainers = new Array(availableThicknesses.length);<\/p><p>                    for (var i = 0; i < 
thicknessContainers.length; i++) {<\/p><p>                        var thicknessContainer = thicknessContainers[i] =<\/p><p>                            document.createElement(\"div\");<\/p><p>                        thicknessContainer.setAttribute(\"style\",<\/p><p>                                \"text-align: center; margin: 3px; width: 18px; \"<\/p><p>                                + \"height: 18px; float: left;\");<\/p><p>                        thicknessContainer.style.border = \"2px solid #000\";<\/p><p>                        thicknessContainer.appendChild(document.createTextNode(<\/p><p>                                String(availableThicknesses[i])));<\/p><p>                        thicknessContainer.addEventListener(\"mousedown\", (function(ix) {<\/p><p>                            return function() {<\/p><p>                                setThickness(ix);<\/p><p>                            };<\/p><p>                        })(i), false);<\/p><p><\/p><p>                        thicknessContainersBox.appendChild(thicknessContainer);<\/p><p>                    }<\/p><p><\/p><p><\/p><p>                    divClearLeft = document.createElement(\"div\");<\/p><p>                    divClearLeft.setAttribute(\"style\", \"clear: left;\");<\/p><p>                    thicknessContainersBox.appendChild(divClearLeft);<\/p><p><\/p><p><\/p><p>                    setColor(0);<\/p><p>                    setThickness(0);<\/p><p>                    setDrawType(0);<\/p><p><\/p><p>                }<\/p><p><\/p><p>                function disableControls() {<\/p><p>                    document.removeEventListener(\"mousedown\", canvasMouseDownHandler);<\/p><p>                    document.removeEventListener(\"mousemove\", canvasMouseMoveHandler);<\/p><p>                    mouseInWindow = false;<\/p><p>                    refreshDisplayCanvas();<\/p><p><\/p><p>                    isActive = false;<\/p><p>                }<\/p><p><\/p><p>                function pushPath(path) 
{<\/p><p><\/p><p>                    // Push it into the pathsNotHandled array.<\/p><p>                    var container = new PathIdContainer(path, nextMsgId++);<\/p><p>                    pathsNotHandled.push(container);<\/p><p><\/p><p>                    // Send the path to the server.<\/p><p>                    var message = container.id + \"|\" + path.type + \",\"<\/p><p>                            + path.color[0] + \",\" + path.color[1] + \",\"<\/p><p>                            + path.color[2] + \",\"<\/p><p>                            + Math.round(path.color[3] * 255.0) + \",\"<\/p><p>                            + path.thickness + \",\" + path.x1 + \",\"<\/p><p>                            + path.y1 + \",\" + path.x2 + \",\" + path.y2 + \",\"<\/p><p>                            + (path.lastInChain ? \"1\" : \"0\");<\/p><p><\/p><p>                    socket.send(\"1\" + message);<\/p><p>                }<\/p><p><\/p><p>                function setThickness(thicknessIndex) {<\/p><p>                    if (typeof currentThicknessIndex !== \"undefined\")<\/p><p>                        thicknessContainers[currentThicknessIndex]<\/p><p>                            .style.borderColor = \"#000\";<\/p><p>                    currentThicknessIndex = thicknessIndex;<\/p><p>                    thicknessContainers[currentThicknessIndex]<\/p><p>                        .style.borderColor = \"#d08\";<\/p><p>                }<\/p><p><\/p><p>                function setColor(colorIndex) {<\/p><p>                    if (typeof currentColorIndex !== \"undefined\")<\/p><p>                        colorContainers[currentColorIndex]<\/p><p>                            .style.borderColor = \"#000\";<\/p><p>                    currentColorIndex = colorIndex;<\/p><p>                    colorContainers[currentColorIndex]<\/p><p>                        .style.borderColor = \"#d08\";<\/p><p>                }<\/p><p><\/p><p>                function setDrawType(drawTypeIndex) {<\/p><p>         
           if (typeof currentDrawTypeIndex !== \"undefined\")<\/p><p>                        drawTypeContainers[currentDrawTypeIndex]<\/p><p>                            .style.borderColor = \"#000\";<\/p><p>                    currentDrawTypeIndex = drawTypeIndex;<\/p><p>                    drawTypeContainers[currentDrawTypeIndex]<\/p><p>                        .style.borderColor = \"#d08\";<\/p><p>                }<\/p><p><\/p><p><\/p><p>                connect();<\/p><p><\/p><p>            }<\/p><p><\/p><p><\/p><p>            // Initialize the room<\/p><p>            var room = new Room(document.getElementById(\"drawContainer\"));<\/p><p><\/p><p><\/p><p>        }, false);<\/p><p><\/p><p>    })();<\/p><p>    ]]><\/script><\/p><p><\/p>",
                    "reference": "<p><\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10031",
                    "alert": "User Controllable HTML Element Attribute (Potential XSS)",
                    "name": "User Controllable HTML Element Attribute (Potential XSS)",
                    "riskcode": "0",
                    "confidence": "1",
                    "riskdesc": "Informational (Low)",
                    "desc": "<p>This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.jsp?foo=bar",
                            "method": "GET",
                            "param": "foo"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=remove",
                            "method": "GET",
                            "param": "submit"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/functions.jsp?foo=JSP+2.0",
                            "method": "GET",
                            "param": "foo"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Submit&color1=ZAP&color2=ZAP",
                            "method": "GET",
                            "param": "action"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Submit&color1=ZAP&color2=ZAP",
                            "method": "GET",
                            "param": "action"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/colors/colrs.jsp?action=Hint&color1=ZAP&color2=ZAP",
                            "method": "GET",
                            "param": "action"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/sessions/carts.jsp?item=X-files+movie&submit=add",
                            "method": "GET",
                            "param": "submit"
                        }
                    ],
                    "count": "7",
                    "solution": "<p>Validate all input and sanitize it before writing to any HTML attributes.<\/p>",
                    "otherinfo": "<p>User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:<\/p><p><\/p><p>http://bodgeit.demo-targets.svc:8080/examples/jsp/jsp2/el/implicit-objects.jsp?foo=bar<\/p><p><\/p><p>appears to include user input in: <\/p><p><\/p><p>a(n) [input] tag [value] attribute <\/p><p><\/p><p>The user input found was:<\/p><p>foo=bar<\/p><p><\/p><p>The user-controlled value was:<\/p><p>bar<\/p>",
                    "reference": "<p>http://websecuritytool.codeplex.com/wikipage?title=Checks#user-controlled-html-attribute<\/p>",
                    "cweid": "20",
                    "wascid": "20",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10009",
                    "alert": "In Page Banner Information Leak",
                    "name": "In Page Banner Information Leak",
                    "riskcode": "1",
                    "confidence": "3",
                    "riskdesc": "Low (High)",
                    "desc": "<p>The server returned a version banner string in the response content. Such information leaks may allow attackers to further target specific issues impacting the product and version in use.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/juli/package-summary.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/Context.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/manager/JMXProxyServlet.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/tribes/package-summary.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/images/read.gif",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/Host.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/Engine.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/Service.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/robots.txt",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/core/StandardHost.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/core/StandardContext.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/sitemap.xml",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/api/org/apache/catalina/Server.html",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/cluster-manager.html%23The_%3CManager%3E",
                            "method": "GET",
                            "evidence": "Tomcat/8.0.37"
                        }
                    ],
                    "count": "14",
                    "solution": "<p>Configure the server to prevent such information leaks. For example:<\/p><p>Under Tomcat this is done via the \"server\" directive and implementation of custom error pages.<\/p><p>Under Apache this is done via the \"ServerSignature\" and \"ServerTokens\" directives.<\/p>",
                    "otherinfo": "<p>There is a chance that the highlight in the finding is on a value in the headers, versus the actual matched string in the response body.<\/p>",
                    "reference": "<p>https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/<\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "90022",
                    "alert": "Application Error Disclosure",
                    "name": "Application Error Disclosure",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>This page contains an error/warning message that may disclose sensitive information like the location of the file that produced the unhandled exception. This information can be used to launch further attacks against the web application. The alert could be a false positive if the error message is found inside a documentation page.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/listeners.html",
                            "method": "GET",
                            "evidence": "JDBC Driver"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jndi-resources-howto.html",
                            "method": "GET",
                            "evidence": "JDBC Driver"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/manager-howto.html",
                            "method": "GET",
                            "evidence": "java.lang.NumberFormatException: For input string:"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/jndi-datasource-examples-howto.html",
                            "method": "GET",
                            "evidence": "JDBC Driver"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/valve.html",
                            "method": "GET",
                            "evidence": "Error Report"
                        }
                    ],
                    "count": "5",
                    "solution": "<p>Review the source code of this page. Implement custom error pages. Consider implementing a mechanism to provide a unique error reference/identifier to the client (browser) while logging the details on the server side and not exposing them to the user.<\/p>",
                    "reference": "<p><\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "40034",
                    "alert": ".env Information Leak",
                    "name": ".env Information Leak",
                    "riskcode": "2",
                    "confidence": "3",
                    "riskdesc": "Medium (High)",
                    "desc": "<p>One or more .env files seems to have been located on the server. These files often expose infrastructure or administrative account credentials, API or APP keys, or other sensitive configuration information. <\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/.env",
                            "method": "GET",
                            "evidence": "HTTP/1.1 200 OK"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Ensure the .env file is not accessible.<\/p>",
                    "reference": "<p>https://www.google.com/search?q=db_password+filetype%3Aenv<\/p><p>https://mobile.twitter.com/svblxyz/status/1045013939904532482<\/p>",
                    "cweid": "215",
                    "wascid": "13",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10019",
                    "alert": "Content-Type Header Missing",
                    "name": "Content-Type Header Missing",
                    "riskcode": "0",
                    "confidence": "2",
                    "riskdesc": "Informational (Medium)",
                    "desc": "<p>The Content-Type header was either missing or empty.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/async/async2",
                            "method": "GET"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/appdev/sample/sample.war",
                            "method": "GET"
                        }
                    ],
                    "count": "2",
                    "solution": "<p>Ensure each page is setting the specific and appropriate content-type value for the content being delivered.<\/p>",
                    "reference": "<p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx<\/p>",
                    "cweid": "345",
                    "wascid": "12",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10058",
                    "alert": "GET for POST",
                    "name": "GET for POST",
                    "riskcode": "0",
                    "confidence": "3",
                    "riskdesc": "Informational (High)",
                    "desc": "<p>A request that was originally observed as a POST was also accepted as a GET. This issue does not represent a security weakness unto itself, however, it may facilitate simplification of other attacks. For example if the original POST is subject to Cross-Site Scripting (XSS), then this finding may indicate that a simplified (GET based) XSS may also be possible.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestParamExample",
                            "method": "GET",
                            "evidence": "GET http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestParamExample?firstname=ZAP&lastname=ZAP HTTP/1.1"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/j_security_check",
                            "method": "GET",
                            "evidence": "GET http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/j_security_check?j_password=ZAP&j_username=ZAP HTTP/1.1"
                        }
                    ],
                    "count": "2",
                    "solution": "<p>Ensure that only POST is accepted where POST is expected.<\/p>",
                    "reference": "<p><\/p>",
                    "cweid": "16",
                    "wascid": "20",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10109",
                    "alert": "Modern Web Application",
                    "name": "Modern Web Application",
                    "riskcode": "0",
                    "confidence": "2",
                    "riskdesc": "Informational (Medium)",
                    "desc": "<p>The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/echo.xhtml",
                            "method": "GET",
                            "evidence": "<script type=\"application/javascript\"><![CDATA[\n        \"use strict\";\n\n        var ws = null;\n\n        function setConnected(connected) {\n            document.getElementById('connect').disabled = connected;\n            document.getElementById('disconnect').disabled = !connected;\n            document.getElementById('echo').disabled = !connected;\n        }\n\n        function connect() {\n            var target = document.getElementById('target').value;\n            if (target == '') {\n                alert('Please select server side connection implementation.');\n                return;\n            }\n            if ('WebSocket' in window) {\n                ws = new WebSocket(target);\n            } else if ('MozWebSocket' in window) {\n                ws = new MozWebSocket(target);\n            } else {\n                alert('WebSocket is not supported by this browser.');\n                return;\n            }\n            ws.onopen = function () {\n                setConnected(true);\n                log('Info: WebSocket connection opened.');\n            };\n            ws.onmessage = function (event) {\n                log('Received: ' + event.data);\n            };\n            ws.onclose = function (event) {\n                setConnected(false);\n                log('Info: WebSocket connection closed, Code: ' + event.code + (event.reason == \"\" ? 
\"\" : \", Reason: \" + event.reason));\n            };\n        }\n\n        function disconnect() {\n            if (ws != null) {\n                ws.close();\n                ws = null;\n            }\n            setConnected(false);\n        }\n\n        function echo() {\n            if (ws != null) {\n                var message = document.getElementById('message').value;\n                log('Sent: ' + message);\n                ws.send(message);\n            } else {\n                alert('WebSocket connection not established, please connect.');\n            }\n        }\n\n        function updateTarget(target) {\n            if (window.location.protocol == 'http:') {\n                document.getElementById('target').value = 'ws://' + window.location.host + target;\n            } else {\n                document.getElementById('target').value = 'wss://' + window.location.host + target;\n            }\n        }\n\n        function log(message) {\n            var console = document.getElementById('console');\n            var p = document.createElement('p');\n            p.style.wordWrap = 'break-word';\n            p.appendChild(document.createTextNode(message));\n            console.appendChild(p);\n            while (console.childNodes.length > 25) {\n                console.removeChild(console.firstChild);\n            }\n            console.scrollTop = console.scrollHeight;\n        }\n\n\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            // Remove elements with \"noscript\" class - <noscript> is not allowed in XHTML\n            var noscripts = document.getElementsByClassName(\"noscript\");\n            for (var i = 0; i < noscripts.length; i++) {\n                noscripts[i].parentNode.removeChild(noscripts[i]);\n            }\n        }, false);\n    ]]><\/script>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/drawboard.xhtml",
                            "method": "GET",
                            "evidence": "<script type=\"application/javascript\"><![CDATA[\n    \"use strict\";\n\n    (function() {\n\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            // Remove elements with \"noscript\" class - <noscript> is not\n            // allowed in XHTML\n            var noscripts = document.getElementsByClassName(\"noscript\");\n            for (var i = 0; i < noscripts.length; i++) {\n                noscripts[i].parentNode.removeChild(noscripts[i]);\n            }\n\n            // Add script for expand content.\n            var expandElements = document.getElementsByClassName(\"expand\");\n            for (var ixx = 0; ixx < expandElements.length; ixx++) {\n                (function(el) {\n                    var expandContent = document.getElementById(el.getAttribute(\"data-content-id\"));\n                    expandContent.style.display = \"none\";\n                    var arrow = document.createTextNode(\"◢ \");\n                    var arrowSpan = document.createElement(\"span\");\n                    arrowSpan.appendChild(arrow);\n\n                    var link = document.createElement(\"a\");\n                    link.setAttribute(\"href\", \"#!\");\n                    while (el.firstChild != null) {\n                        link.appendChild(el.removeChild(el.firstChild));\n                    }\n                    el.appendChild(arrowSpan);\n                    el.appendChild(link);\n\n                    var textSpan = document.createElement(\"span\");\n                    textSpan.setAttribute(\"style\", \"font-weight: normal;\");\n                    textSpan.appendChild(document.createTextNode(\" (click to expand)\"));\n                    el.appendChild(textSpan);\n\n\n                    var visible = true;\n\n                    var switchExpand = function() {\n                        visible = !visible;\n                        expandContent.style.display = visible ? 
\"block\" : \"none\";\n                        arrowSpan.style.color = visible ? \"#000\" : \"#888\";\n                        return false;\n                    };\n\n                    link.onclick = switchExpand;\n                    switchExpand();\n\n                })(expandElements[ixx]);\n            }\n\n\n            var Console = {};\n\n            Console.log = (function() {\n                var consoleContainer =\n                    document.getElementById(\"console-container\");\n                var console = document.createElement(\"div\");\n                console.setAttribute(\"id\", \"console\");\n                consoleContainer.appendChild(console);\n\n                return function(message) {\n                    var p = document.createElement('p');\n                    p.style.wordWrap = \"break-word\";\n                    p.appendChild(document.createTextNode(message));\n                    console.appendChild(p);\n                    while (console.childNodes.length > 25) {\n                        console.removeChild(console.firstChild);\n                    }\n                    console.scrollTop = console.scrollHeight;\n                }\n            })();\n\n\n            function Room(drawContainer) {\n\n                /* A pausable event forwarder that can be used to pause and\n                 * resume handling of events (e.g. 
when we need to wait\n                 * for a Image's load event before we can process further\n                 * WebSocket messages).\n                 * The object's callFunction(func) should be called from an\n                 * event handler and give the function to handle the event as\n                 * argument.\n                 * Call pauseProcessing() to suspend event forwarding and\n                 * resumeProcessing() to resume it.\n                 */\n                function PausableEventForwarder() {\n\n                    var pauseProcessing = false;\n                    // Queue for buffering functions to be called.\n                    var functionQueue = [];\n\n                    this.callFunction = function(func) {\n                        // If message processing is paused, we push it\n                        // into the queue - otherwise we process it directly.\n                        if (pauseProcessing) {\n                            functionQueue.push(func);\n                        } else {\n                            func();\n                        }\n                    };\n\n                    this.pauseProcessing = function() {\n                        pauseProcessing = true;\n                    };\n\n                    this.resumeProcessing = function() {\n                        pauseProcessing = false;\n\n                        // Process all queued functions until some handler calls\n                        // pauseProcessing() again.\n                        while (functionQueue.length > 0 && !pauseProcessing) {\n                            var func = functionQueue.pop();\n                            func();\n                        }\n                    };\n                }\n\n                // The WebSocket object.\n                var socket;\n                // ID of the timer which sends ping messages.\n                var pingTimerId;\n\n                var isStarted = false;\n                var playerCount = 
0;\n\n                // An array of PathIdContainer objects that the server\n                // did not yet handle.\n                // They are ordered by id (ascending).\n                var pathsNotHandled = [];\n\n                var nextMsgId = 1;\n\n                var canvasDisplay = document.createElement(\"canvas\");\n                var canvasBackground = document.createElement(\"canvas\");\n                var canvasServerImage = document.createElement(\"canvas\");\n                var canvasArray = [canvasDisplay, canvasBackground,\n                    canvasServerImage];\n                canvasDisplay.addEventListener(\"mousedown\", function(e) {\n                    // Prevent default mouse event to prevent browsers from marking text\n                    // (and Chrome from displaying the \"text\" cursor).\n                    e.preventDefault();\n                }, false);\n\n                var labelPlayerCount = document.createTextNode(\"0\");\n                var optionContainer = document.createElement(\"div\");\n\n\n                var canvasDisplayCtx = canvasDisplay.getContext(\"2d\");\n                var canvasBackgroundCtx = canvasBackground.getContext(\"2d\");\n                var canvasServerImageCtx = canvasServerImage.getContext(\"2d\");\n                var canvasMouseMoveHandler;\n                var canvasMouseDownHandler;\n\n                var isActive = false;\n                var mouseInWindow = false;\n                var mouseDown = false;\n                var currentMouseX = 0, currentMouseY = 0;\n                var currentPreviewPath = null;\n\n                var availableColors = [];\n                var currentColorIndex;\n                var colorContainers;\n                var previewTransparency = 0.65;\n\n                var availableThicknesses = [2, 3, 6, 10, 16, 28, 50];\n                var currentThicknessIndex;\n                var thicknessContainers;\n\n                var availableDrawTypes = [\n            
               { name: \"Brush\", id: 1, continuous: true },\n                           { name: \"Line\", id: 2, continuous: false },\n                           { name: \"Rectangle\", id: 3, continuous: false },\n                           { name: \"Ellipse\", id: 4, continuous: false }\n                ];\n                var currentDrawTypeIndex;\n                var drawTypeContainers;\n\n\n                var labelContainer = document.getElementById(\"labelContainer\");\n                var placeholder = document.createElement(\"div\");\n                placeholder.appendChild(document.createTextNode(\"Loading... \"));\n                var progressElem = document.createElement(\"progress\");\n                placeholder.appendChild(progressElem);\n\n                labelContainer.appendChild(placeholder);\n\n                function rgb(color) {\n                       return \"rgba(\" + color[0] + \",\" + color[1] + \",\"\n                               + color[2] + \",\" + color[3] + \")\";\n                   }\n\n                function PathIdContainer(path, id) {\n                    this.path = path;\n                    this.id = id;\n                }\n\n                function Path(type, color, thickness, x1, y1, x2, y2, lastInChain) {\n                    this.type = type;\n                    this.color = color;\n                    this.thickness = thickness;\n                    this.x1 = x1;\n                    this.y1 = y1;\n                    this.x2 = x2;\n                    this.y2 = y2;\n                    this.lastInChain = lastInChain;\n\n                    function ellipse(ctx, x, y, w, h) {\n                        /* Drawing a ellipse cannot be done directly in a\n                         * CanvasRenderingContext2D - we need to use drawArc()\n                         * in conjunction with scaling the context so that we\n                         * get the needed proportion.\n                         */\n                        
ctx.save();\n\n                        // Translate and scale the context so that we can draw\n                        // an arc at (0, 0) with a radius of 1.\n                        ctx.translate(x + w / 2, y + h / 2);\n                        ctx.scale(w / 2, h / 2);\n\n                        ctx.beginPath();\n                        ctx.arc(0, 0, 1, 0, Math.PI * 2, false);\n\n                        ctx.restore();\n                    }\n\n                    this.draw = function(ctx) {\n                        ctx.beginPath();\n                        ctx.lineCap = \"round\";\n                        ctx.lineWidth = thickness;\n                        var style = rgb(color);\n                        ctx.strokeStyle = style;\n\n                        if (x1 == x2 && y1 == y2) {\n                            // Always draw as arc to meet the behavior\n                            // in Java2D.\n                            ctx.fillStyle = style;\n                            ctx.arc(x1, y1, thickness / 2.0, 0,\n                                    Math.PI * 2.0, false);\n                            ctx.fill();\n                        } else {\n                            if (type == 1 || type == 2) {\n                                // Draw a line.\n                                ctx.moveTo(x1, y1);\n                                ctx.lineTo(x2, y2);\n                                ctx.stroke();\n                            } else if (type == 3) {\n                                // Draw a rectangle.\n                                if (x1 == x2 || y1 == y2) {\n                                    // Draw as line\n                                    ctx.moveTo(x1, y1);\n                                    ctx.lineTo(x2, y2);\n                                    ctx.stroke();\n                                } else {\n                                    ctx.strokeRect(x1, y1, x2 - x1, y2 - y1);\n                                }\n                            } 
else if (type == 4) {\n                                // Draw a ellipse.\n                                ellipse(ctx, x1, y1, x2 - x1, y2 - y1);\n                                ctx.closePath();\n                                ctx.stroke();\n                            }\n                        }\n                    };\n                }\n\n\n                function connect() {\n                    var host = (window.location.protocol == \"https:\"\n                            ? \"wss://\" : \"ws://\") + window.location.host\n                            + \"/examples/websocket/drawboard\";\n                    socket = new WebSocket(host);\n\n                    /* Use a pausable event forwarder.\n                     * This is needed when we load an Image object with data\n                     * from a previous message, because we must wait until the\n                     * Image's load event it raised before we can use it (and\n                     * in the meantime the socket.message event could be\n                     * raised).\n                     * Therefore we need this pausable event handler to handle\n                     * e.g. socket.onmessage and socket.onclose.\n                     */\n                    var eventForwarder = new PausableEventForwarder();\n\n                    socket.onopen = function () {\n                        // Socket has opened. 
Now wait for the server to\n                        // send us the initial packet.\n                        Console.log(\"WebSocket connection opened.\");\n\n                        // Set up a timer for pong messages.\n                        pingTimerId = window.setInterval(function() {\n                            socket.send(\"0\");\n                        }, 30000);\n                    };\n\n                    socket.onclose = function () {\n                        eventForwarder.callFunction(function() {\n                            Console.log(\"WebSocket connection closed.\");\n                            disableControls();\n\n                            // Disable pong timer.\n                            window.clearInterval(pingTimerId);\n                        });\n                    };\n\n                    // Handles an incoming Websocket message.\n                    var handleOnMessage = function(message) {\n\n                        // Split joined message and process them\n                        // invidividually.\n                        var messages = message.data.split(\";\");\n                        for (var msgArrIdx = 0; msgArrIdx < messages.length;\n                                msgArrIdx++) {\n                            var msg = messages[msgArrIdx];\n                            var type = msg.substring(0, 1);\n\n                            if (type == \"0\") {\n                                // Error message.\n                                var error = msg.substring(1);\n                                // Log it to the console and show an alert.\n                                Console.log(\"Error: \" + error);\n                                alert(error);\n\n                            } else {\n                                if (!isStarted) {\n                                    if (type == \"2\") {\n                                        // Initial message. 
It contains the\n                                        // number of players.\n                                        // After this message we will receive\n                                        // a binary message containing the current\n                                        // room image as PNG.\n                                        playerCount = parseInt(msg.substring(1));\n\n                                        refreshPlayerCount();\n\n                                        // The next message will be a binary\n                                        // message containing the room images\n                                        // as PNG. Therefore we temporarily swap\n                                        // the message handler.\n                                        var originalHandler = handleOnMessage;\n                                        handleOnMessage = function(message) {\n                                            // First, we restore the original handler.\n                                            handleOnMessage = originalHandler;\n\n                                            // Read the image.\n                                            var blob = message.data;\n                                            // Create new blob with correct MIME type.\n                                            blob = new Blob([blob], {type : \"image/png\"});\n\n                                            var url = URL.createObjectURL(blob);\n\n                                            var img = new Image();\n\n                                            // We must wait until the onload event is\n                                            // raised until we can draw the image onto\n                                            // the canvas.\n                                            // Therefore we need to pause the event\n                                            // forwarder until the image is loaded.\n                                  
          eventForwarder.pauseProcessing();\n\n                                            img.onload = function() {\n\n                                                // Release the object URL.\n                                                URL.revokeObjectURL(url);\n\n                                                // Set the canvases to the correct size.\n                                                for (var i = 0; i < canvasArray.length; i++) {\n                                                    canvasArray[i].width = img.width;\n                                                    canvasArray[i].height = img.height;\n                                                }\n\n                                                // Now draw the image on the last canvas.\n                                                canvasServerImageCtx.clearRect(0, 0,\n                                                        canvasServerImage.width,\n                                                        canvasServerImage.height);\n                                                canvasServerImageCtx.drawImage(img, 0, 0);\n\n                                                // Draw it on the background canvas.\n                                                canvasBackgroundCtx.drawImage(canvasServerImage,\n                                                        0, 0);\n\n                                                isStarted = true;\n                                                startControls();\n\n                                                // Refresh the display canvas.\n                                                refreshDisplayCanvas();\n\n\n                                                // Finally, resume the event forwarder.\n                                                eventForwarder.resumeProcessing();\n                                            };\n\n                                            img.src = url;\n                                        };\n      
                              }\n                                } else {\n                                    if (type == \"3\") {\n                                        // The number of players in this room changed.\n                                        var playerAdded = msg.substring(1) == \"+\";\n                                        playerCount += playerAdded ? 1 : -1;\n                                        refreshPlayerCount();\n\n                                        Console.log(\"Player \" + (playerAdded\n                                                ? \"joined.\" : \"left.\"));\n\n                                    } else if (type == \"1\") {\n                                        // We received a new DrawMessage.\n                                        var maxLastHandledId = -1;\n                                        var drawMessages = msg.substring(1).split(\"|\");\n                                        for (var i = 0; i < drawMessages.length; i++) {\n                                            var elements = drawMessages[i].split(\",\");\n                                            var lastHandledId = parseInt(elements[0]);\n                                               maxLastHandledId = Math.max(maxLastHandledId,\n                                                       lastHandledId);\n\n                                            var path = new Path(\n                                                    parseInt(elements[1]),\n                                                    [parseInt(elements[2]),\n                                                    parseInt(elements[3]),\n                                                    parseInt(elements[4]),\n                                                    parseInt(elements[5]) / 255.0],\n                                                    parseFloat(elements[6]),\n                                                    parseFloat(elements[7]),\n                                            
        parseFloat(elements[8]),\n                                                    parseFloat(elements[9]),\n                                                    parseFloat(elements[10]),\n                                                    elements[11] != \"0\");\n\n                                            // Draw the path onto the last canvas.\n                                            path.draw(canvasServerImageCtx);\n                                        }\n\n                                        // Draw the last canvas onto the background one.\n                                        canvasBackgroundCtx.drawImage(canvasServerImage,\n                                                0, 0);\n\n                                        // Now go through the pathsNotHandled array and\n                                        // remove the paths that were already handled by\n                                        // the server.\n                                        while (pathsNotHandled.length > 0\n                                                && pathsNotHandled[0].id <= maxLastHandledId)\n                                            pathsNotHandled.shift();\n\n                                        // Now me must draw the remaining paths onto\n                                        // the background canvas.\n                                        for (var i = 0; i < pathsNotHandled.length; i++) {\n                                            pathsNotHandled[i].path.draw(canvasBackgroundCtx);\n                                        }\n\n                                        refreshDisplayCanvas();\n                                    }\n                                }\n                            }\n                        }\n                    };\n\n                    socket.onmessage = function(message) {\n                        eventForwarder.callFunction(function() {\n                            handleOnMessage(message);\n                  
      });\n                    };\n\n                }\n\n\n                function refreshPlayerCount() {\n                    labelPlayerCount.nodeValue = String(playerCount);\n                }\n\n                function refreshDisplayCanvas() {\n                    if (!isActive) { // Don't draw a curser when not active.\n                        return;\n                    }\n\n                    canvasDisplayCtx.drawImage(canvasBackground, 0, 0);\n                    if (currentPreviewPath != null) {\n                        // Draw the preview path.\n                        currentPreviewPath.draw(canvasDisplayCtx);\n\n                    } else if (mouseInWindow && !mouseDown) {\n                        canvasDisplayCtx.beginPath();\n                        var color = availableColors[currentColorIndex].slice(0);\n                        color[3] = previewTransparency;\n                        canvasDisplayCtx.fillStyle = rgb(color);\n\n                        canvasDisplayCtx.arc(currentMouseX, currentMouseY,\n                                availableThicknesses[currentThicknessIndex] / 2,\n                                0, Math.PI * 2.0, true);\n                        canvasDisplayCtx.fill();\n                    }\n\n                }\n\n                function startControls() {\n                    isActive = true;\n\n                    labelContainer.removeChild(placeholder);\n                    placeholder = undefined;\n\n                    labelContainer.appendChild(\n                            document.createTextNode(\"Number of Players: \"));\n                    labelContainer.appendChild(labelPlayerCount);\n\n\n                    drawContainer.style.display = \"block\";\n                    drawContainer.appendChild(canvasDisplay);\n\n                    drawContainer.appendChild(optionContainer);\n\n                    canvasMouseDownHandler = function(e) {\n                        if (e.button == 0) {\n                            
currentMouseX = e.pageX - canvasDisplay.offsetLeft;\n                            currentMouseY = e.pageY - canvasDisplay.offsetTop;\n\n                            mouseDown = true;\n                            canvasMouseMoveHandler(e);\n\n                        } else if (mouseDown) {\n                            // Cancel drawing.\n                            mouseDown = false;\n                            currentPreviewPath = null;\n\n                            currentMouseX = e.pageX - canvasDisplay.offsetLeft;\n                            currentMouseY = e.pageY - canvasDisplay.offsetTop;\n\n                            refreshDisplayCanvas();\n                        }\n                    };\n                    canvasDisplay.addEventListener(\"mousedown\", canvasMouseDownHandler, false);\n\n                    canvasMouseMoveHandler = function(e) {\n                        var mouseX = e.pageX - canvasDisplay.offsetLeft;\n                        var mouseY = e.pageY - canvasDisplay.offsetTop;\n\n                        if (mouseDown) {\n                            var drawType = availableDrawTypes[currentDrawTypeIndex];\n\n                            if (drawType.continuous) {\n\n                                var path = new Path(drawType.id,\n                                        availableColors[currentColorIndex],\n                                        availableThicknesses[currentThicknessIndex],\n                                        currentMouseX, currentMouseY, mouseX,\n                                        mouseY, false);\n                                // Draw it on the background canvas.\n                                path.draw(canvasBackgroundCtx);\n\n                                // Send it to the sever.\n                                pushPath(path);\n\n                                // Refresh old coordinates\n                                currentMouseX = mouseX;\n                                currentMouseY = mouseY;\n\n     
                       } else {\n                                // Create a new preview path.\n                                var color = availableColors[currentColorIndex].slice(0);\n                                color[3] = previewTransparency;\n                                currentPreviewPath = new Path(drawType.id,\n                                        color,\n                                        availableThicknesses[currentThicknessIndex],\n                                        currentMouseX, currentMouseY, mouseX,\n                                        mouseY, false);\n                            }\n\n                            refreshDisplayCanvas();\n                        } else {\n                            currentMouseX = mouseX;\n                            currentMouseY = mouseY;\n\n                            if (mouseInWindow) {\n                                refreshDisplayCanvas();\n                            }\n                        }\n\n                    };\n                    document.addEventListener(\"mousemove\", canvasMouseMoveHandler, false);\n\n                    document.addEventListener(\"mouseup\", function(e) {\n                        if (e.button == 0) {\n                            if (mouseDown) {\n                                mouseDown = false;\n                                currentPreviewPath = null;\n\n                                var mouseX = e.pageX - canvasDisplay.offsetLeft;\n                                var mouseY = e.pageY - canvasDisplay.offsetTop;\n                                var drawType = availableDrawTypes[currentDrawTypeIndex];\n\n                                var path = new Path(drawType.id, availableColors[currentColorIndex],\n                                        availableThicknesses[currentThicknessIndex],\n                                        currentMouseX, currentMouseY, mouseX,\n                                        mouseY, true);\n                              
  // Draw it on the background canvas.\n                                path.draw(canvasBackgroundCtx);\n\n                                // Send it to the sever.\n                                pushPath(path);\n\n                                // Refresh old coordinates\n                                currentMouseX = mouseX;\n                                currentMouseY = mouseY;\n\n                                refreshDisplayCanvas();\n                            }\n                        }\n                    }, false);\n\n                    canvasDisplay.addEventListener(\"mouseout\", function(e) {\n                        mouseInWindow = false;\n                        refreshDisplayCanvas();\n                    }, false);\n\n                    canvasDisplay.addEventListener(\"mousemove\", function(e) {\n                        if (!mouseInWindow) {\n                            mouseInWindow = true;\n                            refreshDisplayCanvas();\n                        }\n                    }, false);\n\n\n                    // Create color and thickness controls.\n                    var colorContainersBox = document.createElement(\"div\");\n                    colorContainersBox.setAttribute(\"style\",\n                            \"margin: 4px; border: 1px solid #bbb; border-radius: 3px;\");\n                    optionContainer.appendChild(colorContainersBox);\n\n                    colorContainers = new Array(3 * 3 * 3);\n                    for (var i = 0; i < colorContainers.length; i++) {\n                        var colorContainer = colorContainers[i] =\n                            document.createElement(\"div\");\n                        var color = availableColors[i] =\n                            [\n                                Math.floor((i % 3) * 255 / 2),\n                                Math.floor((Math.floor(i / 3) % 3) * 255 / 2),\n                                Math.floor((Math.floor(i / (3 * 3)) % 3) * 255 / 2),\n    
                            1.0\n                            ];\n                        colorContainer.setAttribute(\"style\",\n                                \"margin: 3px; width: 18px; height: 18px; \"\n                                + \"float: left; background-color: \" + rgb(color));\n                        colorContainer.style.border = '2px solid #000';\n                        colorContainer.addEventListener(\"mousedown\", (function(ix) {\n                            return function() {\n                                setColor(ix);\n                            };\n                        })(i), false);\n\n                        colorContainersBox.appendChild(colorContainer);\n                    }\n\n                    var divClearLeft = document.createElement(\"div\");\n                    divClearLeft.setAttribute(\"style\", \"clear: left;\");\n                    colorContainersBox.appendChild(divClearLeft);\n\n\n                    var drawTypeContainersBox = document.createElement(\"div\");\n                    drawTypeContainersBox.setAttribute(\"style\",\n                           \"float: right; margin-right: 3px; margin-top: 1px;\");\n                    optionContainer.appendChild(drawTypeContainersBox);\n\n                    drawTypeContainers = new Array(availableDrawTypes.length);\n                    for (var i = 0; i < drawTypeContainers.length; i++) {\n                        var drawTypeContainer = drawTypeContainers[i] =\n                            document.createElement(\"div\");\n                        drawTypeContainer.setAttribute(\"style\",\n                                \"text-align: center; margin: 3px; padding: 0 3px;\"\n                                + \"height: 18px; float: left;\");\n                        drawTypeContainer.style.border = \"2px solid #000\";\n                        drawTypeContainer.appendChild(document.createTextNode(\n                                String(availableDrawTypes[i].name)));\n         
               drawTypeContainer.addEventListener(\"mousedown\", (function(ix) {\n                            return function() {\n                                setDrawType(ix);\n                            };\n                        })(i), false);\n\n                        drawTypeContainersBox.appendChild(drawTypeContainer);\n                    }\n\n\n                    var thicknessContainersBox = document.createElement(\"div\");\n                    thicknessContainersBox.setAttribute(\"style\",\n                            \"margin: 3px; border: 1px solid #bbb; border-radius: 3px;\");\n                    optionContainer.appendChild(thicknessContainersBox);\n\n                    thicknessContainers = new Array(availableThicknesses.length);\n                    for (var i = 0; i < thicknessContainers.length; i++) {\n                        var thicknessContainer = thicknessContainers[i] =\n                            document.createElement(\"div\");\n                        thicknessContainer.setAttribute(\"style\",\n                                \"text-align: center; margin: 3px; width: 18px; \"\n                                + \"height: 18px; float: left;\");\n                        thicknessContainer.style.border = \"2px solid #000\";\n                        thicknessContainer.appendChild(document.createTextNode(\n                                String(availableThicknesses[i])));\n                        thicknessContainer.addEventListener(\"mousedown\", (function(ix) {\n                            return function() {\n                                setThickness(ix);\n                            };\n                        })(i), false);\n\n                        thicknessContainersBox.appendChild(thicknessContainer);\n                    }\n\n\n                    divClearLeft = document.createElement(\"div\");\n                    divClearLeft.setAttribute(\"style\", \"clear: left;\");\n                    
thicknessContainersBox.appendChild(divClearLeft);\n\n\n                    setColor(0);\n                    setThickness(0);\n                    setDrawType(0);\n\n                }\n\n                function disableControls() {\n                    document.removeEventListener(\"mousedown\", canvasMouseDownHandler);\n                    document.removeEventListener(\"mousemove\", canvasMouseMoveHandler);\n                    mouseInWindow = false;\n                    refreshDisplayCanvas();\n\n                    isActive = false;\n                }\n\n                function pushPath(path) {\n\n                    // Push it into the pathsNotHandled array.\n                    var container = new PathIdContainer(path, nextMsgId++);\n                    pathsNotHandled.push(container);\n\n                    // Send the path to the server.\n                    var message = container.id + \"|\" + path.type + \",\"\n                            + path.color[0] + \",\" + path.color[1] + \",\"\n                            + path.color[2] + \",\"\n                            + Math.round(path.color[3] * 255.0) + \",\"\n                            + path.thickness + \",\" + path.x1 + \",\"\n                            + path.y1 + \",\" + path.x2 + \",\" + path.y2 + \",\"\n                            + (path.lastInChain ? 
\"1\" : \"0\");\n\n                    socket.send(\"1\" + message);\n                }\n\n                function setThickness(thicknessIndex) {\n                    if (typeof currentThicknessIndex !== \"undefined\")\n                        thicknessContainers[currentThicknessIndex]\n                            .style.borderColor = \"#000\";\n                    currentThicknessIndex = thicknessIndex;\n                    thicknessContainers[currentThicknessIndex]\n                        .style.borderColor = \"#d08\";\n                }\n\n                function setColor(colorIndex) {\n                    if (typeof currentColorIndex !== \"undefined\")\n                        colorContainers[currentColorIndex]\n                            .style.borderColor = \"#000\";\n                    currentColorIndex = colorIndex;\n                    colorContainers[currentColorIndex]\n                        .style.borderColor = \"#d08\";\n                }\n\n                function setDrawType(drawTypeIndex) {\n                    if (typeof currentDrawTypeIndex !== \"undefined\")\n                        drawTypeContainers[currentDrawTypeIndex]\n                            .style.borderColor = \"#000\";\n                    currentDrawTypeIndex = drawTypeIndex;\n                    drawTypeContainers[currentDrawTypeIndex]\n                        .style.borderColor = \"#d08\";\n                }\n\n\n                connect();\n\n            }\n\n\n            // Initialize the room\n            var room = new Room(document.getElementById(\"drawContainer\"));\n\n\n        }, false);\n\n    })();\n    ]]><\/script>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/snake.xhtml",
                            "method": "GET",
                            "evidence": "<script type=\"application/javascript\"><![CDATA[\n        \"use strict\";\n\n        var Game = {};\n\n        Game.fps = 30;\n        Game.socket = null;\n        Game.nextFrame = null;\n        Game.interval = null;\n        Game.direction = 'none';\n        Game.gridSize = 10;\n\n        function Snake() {\n            this.snakeBody = [];\n            this.color = null;\n        }\n\n        Snake.prototype.draw = function(context) {\n            for (var id in this.snakeBody) {\n                context.fillStyle = this.color;\n                context.fillRect(this.snakeBody[id].x, this.snakeBody[id].y, Game.gridSize, Game.gridSize);\n            }\n        };\n\n        Game.initialize = function() {\n            this.entities = [];\n            var canvas = document.getElementById('playground');\n            if (!canvas.getContext) {\n                Console.log('Error: 2d canvas not supported by this browser.');\n                return;\n            }\n            this.context = canvas.getContext('2d');\n            window.addEventListener('keydown', function (e) {\n                var code = e.keyCode;\n                if (code > 36 && code < 41) {\n                    switch (code) {\n                        case 37:\n                            if (Game.direction != 'east') Game.setDirection('west');\n                            break;\n                        case 38:\n                            if (Game.direction != 'south') Game.setDirection('north');\n                            break;\n                        case 39:\n                            if (Game.direction != 'west') Game.setDirection('east');\n                            break;\n                        case 40:\n                            if (Game.direction != 'north') Game.setDirection('south');\n                            break;\n                    }\n                }\n            }, false);\n            if (window.location.protocol == 
'http:') {\n                Game.connect('ws://' + window.location.host + '/examples/websocket/snake');\n            } else {\n                Game.connect('wss://' + window.location.host + '/examples/websocket/snake');\n            }\n        };\n\n        Game.setDirection  = function(direction) {\n            Game.direction = direction;\n            Game.socket.send(direction);\n            Console.log('Sent: Direction ' + direction);\n        };\n\n        Game.startGameLoop = function() {\n            if (window.webkitRequestAnimationFrame) {\n                Game.nextFrame = function () {\n                    webkitRequestAnimationFrame(Game.run);\n                };\n            } else if (window.mozRequestAnimationFrame) {\n                Game.nextFrame = function () {\n                    mozRequestAnimationFrame(Game.run);\n                };\n            } else {\n                Game.interval = setInterval(Game.run, 1000 / Game.fps);\n            }\n            if (Game.nextFrame != null) {\n                Game.nextFrame();\n            }\n        };\n\n        Game.stopGameLoop = function () {\n            Game.nextFrame = null;\n            if (Game.interval != null) {\n                clearInterval(Game.interval);\n            }\n        };\n\n        Game.draw = function() {\n            this.context.clearRect(0, 0, 640, 480);\n            for (var id in this.entities) {\n                this.entities[id].draw(this.context);\n            }\n        };\n\n        Game.addSnake = function(id, color) {\n            Game.entities[id] = new Snake();\n            Game.entities[id].color = color;\n        };\n\n        Game.updateSnake = function(id, snakeBody) {\n            if (typeof Game.entities[id] != \"undefined\") {\n                Game.entities[id].snakeBody = snakeBody;\n            }\n        };\n\n        Game.removeSnake = function(id) {\n            Game.entities[id] = null;\n            // Force GC.\n            delete 
Game.entities[id];\n        };\n\n        Game.run = (function() {\n            var skipTicks = 1000 / Game.fps, nextGameTick = (new Date).getTime();\n\n            return function() {\n                while ((new Date).getTime() > nextGameTick) {\n                    nextGameTick += skipTicks;\n                }\n                Game.draw();\n                if (Game.nextFrame != null) {\n                    Game.nextFrame();\n                }\n            };\n        })();\n\n        Game.connect = (function(host) {\n            if ('WebSocket' in window) {\n                Game.socket = new WebSocket(host);\n            } else if ('MozWebSocket' in window) {\n                Game.socket = new MozWebSocket(host);\n            } else {\n                Console.log('Error: WebSocket is not supported by this browser.');\n                return;\n            }\n\n            Game.socket.onopen = function () {\n                // Socket open.. start the game loop.\n                Console.log('Info: WebSocket connection opened.');\n                Console.log('Info: Press an arrow key to begin.');\n                Game.startGameLoop();\n                setInterval(function() {\n                    // Prevent server read timeout.\n                    Game.socket.send('ping');\n                }, 5000);\n            };\n\n            Game.socket.onclose = function () {\n                Console.log('Info: WebSocket closed.');\n                Game.stopGameLoop();\n            };\n\n            Game.socket.onmessage = function (message) {\n                var packet = JSON.parse(message.data);\n                switch (packet.type) {\n                    case 'update':\n                        for (var i = 0; i < packet.data.length; i++) {\n                            Game.updateSnake(packet.data[i].id, packet.data[i].body);\n                        }\n                        break;\n                    case 'join':\n                        for (var j = 0; j < 
packet.data.length; j++) {\n                            Game.addSnake(packet.data[j].id, packet.data[j].color);\n                        }\n                        break;\n                    case 'leave':\n                        Game.removeSnake(packet.id);\n                        break;\n                    case 'dead':\n                        Console.log('Info: Your snake is dead, bad luck!');\n                        Game.direction = 'none';\n                        break;\n                    case 'kill':\n                        Console.log('Info: Head shot!');\n                        break;\n                }\n            };\n        });\n\n        var Console = {};\n\n        Console.log = (function(message) {\n            var console = document.getElementById('console');\n            var p = document.createElement('p');\n            p.style.wordWrap = 'break-word';\n            p.innerHTML = message;\n            console.appendChild(p);\n            while (console.childNodes.length > 25) {\n                console.removeChild(console.firstChild);\n            }\n            console.scrollTop = console.scrollHeight;\n        });\n\n        Game.initialize();\n\n\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            // Remove elements with \"noscript\" class - <noscript> is not allowed in XHTML\n            var noscripts = document.getElementsByClassName(\"noscript\");\n            for (var i = 0; i < noscripts.length; i++) {\n                noscripts[i].parentNode.removeChild(noscripts[i]);\n            }\n        }, false);\n\n        ]]><\/script>"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/chat.xhtml",
                            "method": "GET",
                            "evidence": "<script type=\"application/javascript\"><![CDATA[\n        \"use strict\";\n\n        var Chat = {};\n\n        Chat.socket = null;\n\n        Chat.connect = (function(host) {\n            if ('WebSocket' in window) {\n                Chat.socket = new WebSocket(host);\n            } else if ('MozWebSocket' in window) {\n                Chat.socket = new MozWebSocket(host);\n            } else {\n                Console.log('Error: WebSocket is not supported by this browser.');\n                return;\n            }\n\n            Chat.socket.onopen = function () {\n                Console.log('Info: WebSocket connection opened.');\n                document.getElementById('chat').onkeydown = function(event) {\n                    if (event.keyCode == 13) {\n                        Chat.sendMessage();\n                    }\n                };\n            };\n\n            Chat.socket.onclose = function () {\n                document.getElementById('chat').onkeydown = null;\n                Console.log('Info: WebSocket closed.');\n            };\n\n            Chat.socket.onmessage = function (message) {\n                Console.log(message.data);\n            };\n        });\n\n        Chat.initialize = function() {\n            if (window.location.protocol == 'http:') {\n                Chat.connect('ws://' + window.location.host + '/examples/websocket/chat');\n            } else {\n                Chat.connect('wss://' + window.location.host + '/examples/websocket/chat');\n            }\n        };\n\n        Chat.sendMessage = (function() {\n            var message = document.getElementById('chat').value;\n            if (message != '') {\n                Chat.socket.send(message);\n                document.getElementById('chat').value = '';\n            }\n        });\n\n        var Console = {};\n\n        Console.log = (function(message) {\n            var console = document.getElementById('console');\n            var p = document.createElement('p');\n            p.style.wordWrap = 'break-word';\n            p.innerHTML = message;\n            console.appendChild(p);\n            while (console.childNodes.length > 25) {\n                console.removeChild(console.firstChild);\n            }\n            console.scrollTop = console.scrollHeight;\n        });\n\n        Chat.initialize();\n\n\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            // Remove elements with \"noscript\" class - <noscript> is not allowed in XHTML\n            var noscripts = document.getElementsByClassName(\"noscript\");\n            for (var i = 0; i < noscripts.length; i++) {\n                noscripts[i].parentNode.removeChild(noscripts[i]);\n            }\n        }, false);\n\n    ]]><\/script>"
                        }
                    ],
                    "count": "4",
                    "solution": "<p>This is an informational alert and so no changes are required.<\/p>",
                    "otherinfo": "<p>No links have been found while there are scripts, which is an indication that this is a modern web application.<\/p>",
                    "reference": "<p><\/p>",
                    "sourceid": "3"
                },
                {
                    "pluginid": "40029",
                    "alert": "Trace.axd Information Leak",
                    "name": "Trace.axd Information Leak",
                    "riskcode": "2",
                    "confidence": "3",
                    "riskdesc": "Medium (High)",
                    "desc": "<p>The ASP.NET Trace Viewer (trace.axd) was found to be available. This component can leak a significant amount of valuable information.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/security/protected/trace.axd",
                            "method": "GET",
                            "evidence": "HTTP/1.1 200 OK"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Consider whether or not Trace Viewer is actually required in production, if it isn't then disable it. If it is then ensure access to it requires authentication and authorization.<\/p>",
                    "reference": "<p>https://msdn.microsoft.com/en-us/library/bb386420.aspx<\/p><p>https://msdn.microsoft.com/en-us/library/wwh16c6c.aspx<\/p><p>https://www.dotnetperls.com/trace<\/p>",
                    "cweid": "215",
                    "wascid": "13",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10010",
                    "alert": "Cookie No HttpOnly Flag",
                    "name": "Cookie No HttpOnly Flag",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "param": "ZAP",
                            "evidence": "Set-Cookie: ZAP"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Ensure that the HttpOnly flag is set for all cookies.<\/p>",
                    "reference": "<p>https://owasp.org/www-community/HttpOnly<\/p>",
                    "cweid": "16",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "3",
                    "alert": "Session ID in URL Rewrite",
                    "name": "Session ID in URL Rewrite",
                    "riskcode": "2",
                    "confidence": "3",
                    "riskdesc": "Medium (High)",
                    "desc": "<p>URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=ZAP&datavalue=ZAP",
                            "method": "GET",
                            "evidence": "jsessionid=6E125575EE927DEA79BD6D83AF048EC5"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5",
                            "method": "POST",
                            "evidence": "jsessionid=6E125575EE927DEA79BD6D83AF048EC5"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/SessionExample;jsessionid=6E125575EE927DEA79BD6D83AF048EC5?dataname=foo&datavalue=bar",
                            "method": "GET",
                            "evidence": "jsessionid=6E125575EE927DEA79BD6D83AF048EC5"
                        }
                    ],
                    "count": "3",
                    "solution": "<p>For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.<\/p>",
                    "reference": "<p>http://seclists.org/lists/webappsec/2002/Oct-Dec/0111.html<\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10024",
                    "alert": "Information Disclosure - Sensitive Information in URL",
                    "name": "Information Disclosure - Sensitive Information in URL",
                    "riskcode": "0",
                    "confidence": "2",
                    "riskdesc": "Informational (Medium)",
                    "desc": "<p>The request appeared to contain sensitive information leaked in the URL. This can violate PCI and most organizational compliance policies. You can configure the list of strings for this check to add or remove values specific to your environment.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/cal/cal1.jsp?action=Submit&email=foo-bar%40example.com&name=ZAP",
                            "method": "GET",
                            "param": "email",
                            "evidence": "foo-bar@example.com"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Do not pass sensitive information in URIs.<\/p>",
                    "otherinfo": "<p>The URL contains email address(es).<\/p>",
                    "reference": "<p><\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "90017",
                    "alert": "XSLT Injection",
                    "name": "XSLT Injection",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>Injection using XSL transformations may be possible, and may allow an attacker to read system information, read and write files, and/or execute arbitrary code.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "param": "cookiename",
                            "attack": "<xsl:value-of select=\"system-property('xsl:vendor')\"/>",
                            "evidence": "Apache"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Sanitize and analyze every user input coming from any client-side.<\/p>",
                    "otherinfo": "<p>The XSLT processor vendor name \"Apache\" was returned after an injection request.<\/p>",
                    "reference": "<p>https://www.contextis.com/blog/xslt-server-side-injection-attacks<\/p>",
                    "cweid": "91",
                    "wascid": "23",
                    "sourceid": "1"
                },
                {
                    "pluginid": "2",
                    "alert": "Private IP Disclosure",
                    "name": "Private IP Disclosure",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/monitoring.html",
                            "method": "GET",
                            "evidence": "192.168.1.75"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/jsp/snp/snoop.jsp",
                            "method": "GET",
                            "evidence": "10.1.20.40"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/RequestInfoExample",
                            "method": "GET",
                            "evidence": "10.1.20.40"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/config/filter.html",
                            "method": "GET",
                            "evidence": "192.168.0.10"
                        }
                    ],
                    "count": "4",
                    "solution": "<p>Remove the private IP address from the HTTP response body.  For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.<\/p>",
                    "otherinfo": "<p>192.168.1.75<\/p><p>192.168.111.1<\/p><p>192.168.111.1<\/p><p><\/p>",
                    "reference": "<p>https://tools.ietf.org/html/rfc1918<\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "30002",
                    "alert": "Format String Error",
                    "name": "Format String Error",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>A Format String error occurs when the submitted data of an input string is evaluated as a command by the application. <\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "param": "cookievalue",
                            "attack": "ZAP%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s\n"
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/servlets/servlet/CookieExample",
                            "method": "POST",
                            "param": "cookiename",
                            "attack": "ZAP%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s\n"
                        }
                    ],
                    "count": "2",
                    "solution": "<p>Rewrite the background program using proper deletion of bad character strings.  This will require a recompile of the background executable.<\/p>",
                    "otherinfo": "<p>Potential Format String Error.  The script closed the connection on a /%s<\/p>",
                    "reference": "<p>https://owasp.org/www-community/attacks/Format_string_attack<\/p>",
                    "cweid": "134",
                    "wascid": "6",
                    "sourceid": "1"
                },
                {
                    "pluginid": "10023",
                    "alert": "Information Disclosure - Debug Error Messages",
                    "name": "Information Disclosure - Debug Error Messages",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "desc": "<p>The response appeared to contain common error messages returned by platforms such as ASP.NET, and Web-servers such as IIS and Apache. You can configure the list of common debug messages.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/docs/changelog.html",
                            "method": "GET",
                            "evidence": "internal server error"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>Disable debugging messages before pushing to production.<\/p>",
                    "reference": "<p><\/p>",
                    "cweid": "200",
                    "wascid": "13",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10105",
                    "alert": "Weak Authentication Method",
                    "name": "Weak Authentication Method",
                    "riskcode": "2",
                    "confidence": "2",
                    "riskdesc": "Medium (Medium)",
                    "desc": "<p>HTTP basic or digest authentication has been used over an unsecured connection. The credentials can be read and then reused by someone with access to the network.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/manager/status",
                            "method": "GET",
                            "evidence": "WWW-Authenticate: Basic realm=\"Tomcat Manager Application\""
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/manager/html",
                            "method": "GET",
                            "evidence": "WWW-Authenticate: Basic realm=\"Tomcat Manager Application\""
                        },
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/host-manager/html",
                            "method": "GET",
                            "evidence": "WWW-Authenticate: Basic realm=\"Tomcat Host Manager Application\""
                        }
                    ],
                    "count": "3",
                    "solution": "<p>Protect the connection using HTTPS or use a stronger authentication mechanism<\/p>",
                    "reference": "<p>https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html<\/p>",
                    "cweid": "326",
                    "wascid": "4",
                    "sourceid": "3"
                },
                {
                    "pluginid": "10110",
                    "alert": "Dangerous JS Functions",
                    "name": "Dangerous JS Functions",
                    "riskcode": "1",
                    "confidence": "1",
                    "riskdesc": "Low (Low)",
                    "desc": "<p>A dangerous JS function seems to be in use that would leave the site vulnerable.<\/p>",
                    "instances": [
                        {
                            "uri": "http://bodgeit.demo-targets.svc:8080/examples/websocket/drawboard.xhtml",
                            "method": "GET",
                            "evidence": "eVal"
                        }
                    ],
                    "count": "1",
                    "solution": "<p>See the references for security advice on the use of these functions.<\/p>",
                    "reference": "<p>https://angular.io/guide/security<\/p>",
                    "cweid": "749",
                    "sourceid": "3"
                }
            ]
        }
    ]
}