# :stadium: Application Security Testing
###### tags: `customer`
## DevSecOps - Application Security Tools
| Type | Tool | URL |
| ----------- | ----------- |----------- |
| Known-vulnerability (NVD) check of Maven dependencies (SCA) | Dependency-Check | https://jeremylong.github.io/DependencyCheck/ |
| Known-vulnerability (NVD) check of Docker images | Trivy | https://github.com/aquasecurity/trivy |
| Security risk analysis of Kubernetes resource manifests (Deployment, Pod, ...) | kubesec | https://github.com/controlplaneio/kubesec |
| Policy checks (OPA/Rego) on Dockerfiles and Kubernetes manifests | OPA Conftest | https://github.com/open-policy-agent/conftest |
| DAST (Dynamic Application Security Testing) | OWASP ZAP (Zed Attack Proxy) | https://www.zaproxy.org/ |
| SAST (Static Application Security Testing) | SonarQube | https://www.sonarsource.com/products/sonarqube/ |
| Mutation testing (test-suite strength) | PIT (pitest-maven) | https://pitest.org/ |
| Code coverage | JaCoCo + JUnit | https://www.eclemma.org/jacoco/ |
| Secret scanning of commits (SSH keys, authorization tokens, private keys, etc.) | Talisman | https://thoughtworks.github.io/talisman/ |
## Jenkinsfile
```groovy
pipeline {
  agent any

  environment {
    deploymentName = "whilter-public-api"
    containerName  = "whilter-public-api-container"
    serviceName    = "whilter-public-api"
    imageName      = "docker-registry:5000/whilter-public-api:latest"
    applicationURL = "http://controlplane"
    applicationURI = "/video/"
  }

  stages {
    stage('Build Artifact - Maven') {
      steps {
        sh "mvn clean package -DskipTests=true"
        // the older 'archive' step is deprecated (the Jenkins console output says so); archiveArtifacts replaces it
        archiveArtifacts artifacts: 'target/*.jar'
      }
    }

    stage('Unit Tests - JUnit and Jacoco') {
      steps {
        sh "mvn test"
      }
      post {
        always {
          junit 'target/surefire-reports/*.xml'
          jacoco execPattern: 'target/jacoco.exec'
        }
      }
    }

    stage('SonarQube - SAST') {
      steps {
        // withSonarQubeEnv injects the server URL and the analysis token from the
        // credential bound to the 'sonarqube' server in Jenkins, so no token appears in this file
        withSonarQubeEnv('sonarqube') {
          sh "mvn sonar:sonar \
              -Dsonar.projectKey=whilter-public-api \
              -Dsonar.host.url=##MASKED##"
        }
        // break the build when the project fails its Quality Gate
        timeout(time: 2, unit: 'MINUTES') {
          script {
            waitForQualityGate abortPipeline: true
          }
        }
      }
    }

    // Earlier variant, kept for reference only. Passing the token as -Dsonar.login puts it
    // in source control and in the console log; withSonarQubeEnv above avoids both.
    // stage('SonarQube - SAST') {
    //   steps {
    //     sh "mvn sonar:sonar -Dsonar.projectKey=whilter-public-api -Dsonar.host.url=http://controlplane -Dsonar.login=##MASKED##"
    //   }
    // }

    stage('Mutation Tests - PIT') {
      steps {
        sh "mvn org.pitest:pitest-maven:mutationCoverage"
      }
      post {
        always {
          pitmutation mutationStatsFile: '**/target/pit-reports/**/mutations.xml'
        }
      }
    }

    stage('Vulnerability Scan - Docker') {
      steps {
        parallel(
          "Dependency Scan": {
            sh "mvn dependency-check:check"
          },
          "Trivy Scan": {
            sh "bash trivy-docker-image-scan.sh"
          },
          "OPA Conftest": {
            sh "/usr/local/bin/conftest test --policy opa-docker-security.rego Dockerfile"
          }
        )
      }
      post {
        always {
          dependencyCheckPublisher pattern: 'target/dependency-check-report.xml'
        }
      }
    }

    stage('Docker Build and Push') {
      steps {
        // Every build overwrites the same :latest tag (imageName above), so the
        // 'rollout undo' in the integration stage restores the previous pod template
        // but not necessarily the previous image; tagging with the build number or
        // the commit SHA would make that rollback deterministic
        sh "sudo docker build -t ${imageName} ."
        sh "docker push ${imageName}"
      }
    }

    stage('Vulnerability Scan - Kubernetes') {
      steps {
        parallel(
          "OPA Scan": {
            sh '/usr/local/bin/conftest test --policy opa-k8s-security.rego k8s_deployment_service.yaml'
          },
          "Kubesec Scan": {
            sh "bash kubesec-scan.sh"
          }
        )
      }
    }

    stage('K8S Deployment - DEV') {
      steps {
        parallel(
          "Deployment": {
            sh "bash k8s-deployment.sh"
          },
          "Rollout Status": {
            sh "bash k8s-deployment-rollout-status.sh"
          }
        )
      }
    }

    stage('Integration Tests - DEV') {
      steps {
        script {
          try {
            sh "bash integration-test.sh"
          }
          catch (e) {
            // roll the deployment back to its previous revision before failing the build
            sh "kubectl -n default rollout undo deploy ${deploymentName}"
            throw e
          }
        }
      }
    }

    stage('OWASP ZAP - DAST') {
      steps {
        sh 'bash zap.sh'
      }
    }
  }

  post {
    always {
      publishHTML([allowMissing: false, alwaysLinkToLastBuild: true, keepAll: true, reportDir: 'owasp-zap-report', reportFiles: 'zap_report.html', reportName: 'OWASP ZAP HTML Reports', reportTitles: 'OWASP ZAP HTML Reports', useWrapperFileDirectly: true])
    }
  }
}
```
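The `trivy-docker-image-scan.sh` that the `Vulnerability Scan - Docker` stage calls is not reproduced on this page. The script below is an added example, not the project's script. It reads the runtime base image from the Dockerfile (taking the last `FROM` and skipping `--platform` flags, so a multi-stage build is handled correctly), warns when that reference is not pinned by digest, runs Trivy twice in the way the image-scan log further down suggests (HIGH reported but non-blocking, CRITICAL blocking via `--exit-code 1`), and maps Trivy's exit status to a pass/fail decision that fails closed on scanner errors. The Trivy image tag `0.47.0`, the `DOCKERFILE` guard variable and the constructed sample Dockerfile are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the project's trivy-docker-image-scan.sh:
# gate an image build on Trivy findings and fail closed on scanner errors.
set -u

# Constructed sample Dockerfile (multi-stage, --platform flag on the first FROM),
# used only to demonstrate base-image extraction. Not the project's Dockerfile.
SAMPLE_DOCKERFILE='FROM --platform=linux/amd64 maven:3.9-eclipse-temurin-8 AS build
COPY . /src
RUN mvn -f /src/pom.xml package
FROM adoptopenjdk/openjdk8:alpine-slim
RUN addgroup -S devops-security && adduser -S devsecops -G devops-security
COPY --from=build /src/target/*.jar /home/devsecops/app.jar
USER devsecops
ENTRYPOINT ["java","-jar","/home/devsecops/app.jar"]'

# Print the image of the LAST FROM instruction: that is the runtime image that ships,
# whereas reading only line 1 returns the build stage of a multi-stage file.
# Flags such as --platform=... are skipped and the optional "AS name" suffix is ignored;
# aliases of earlier stages (FROM build) are not resolved.
base_image_from_dockerfile() {
  awk 'toupper($1) == "FROM" {
         for (i = 2; i <= NF; i++) if ($i !~ /^--/) { img = $i; break }
       }
       END { print img }' "$1"
}

# Extract the base image from the constructed sample above.
sample_base_image() {
  local f
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_DOCKERFILE" > "$f"
  base_image_from_dockerfile "$f"
  rm -f "$f"
}

# Return 0 when an image reference is pinned by digest (repo@sha256:...), 1 otherwise.
# A mutable tag such as :latest or :alpine-slim can resolve to a different image on the
# day of the scan than on the day of the deploy, so the scan verdict would not carry over.
image_is_pinned() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Map Trivy's exit status (run with --exit-code 1) to a gate decision:
# 0 = nothing at the selected severity, 1 = findings, anything else = scanner/docker error.
trivy_gate() {
  case "$1" in
    0) echo "Image scanning passed. No CRITICAL vulnerabilities found"; return 0 ;;
    1) echo "Image scanning failed. CRITICAL vulnerabilities found"; return 1 ;;
    *) echo "Trivy did not complete (exit $1); failing closed"; return 2 ;;
  esac
}

# Scan one image: first pass reports HIGH without blocking, second pass blocks on CRITICAL.
# The Docker socket is mounted so Trivy (assumed tag 0.47.0) can read images from the local daemon.
scan_image() {
  local image="$1"
  image_is_pinned "$image" || echo "WARNING: $image is not pinned by digest; the scanned image may drift"
  docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    aquasec/trivy:0.47.0 image --exit-code 0 --severity HIGH "$image"
  docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    aquasec/trivy:0.47.0 image --exit-code 1 --severity CRITICAL "$image"
  trivy_gate $?
}

# Only run a real scan when DOCKERFILE is set, e.g.: DOCKERFILE=Dockerfile bash trivy-gate.sh
if [ -n "${DOCKERFILE:-}" ]; then
  scan_image "$(base_image_from_dockerfile "$DOCKERFILE")"
fi
```

The log further down shows the scan run against the base image `adoptopenjdk/openjdk8:alpine-slim`; the built application image (`imageName`) deserves the same gate after the build stage, since Trivy also inspects the dependencies bundled inside the application jar.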
## Results for the whilter-public-api microservice
### Build Result

### ZAP DAST (Dynamic Application Security Testing)

#### Jenkins Logs
```
Digest: sha256:43f75f8817b8d8d26479f6471ed8b247e23bb63a567e884fd4662e7e6f6bd4c1
Status: Downloaded newer image for owasp/zap2docker-weekly:latest
2023-11-07 04:41:46,318 Number of Imported URLs: 8
Total of 103 URLs
PASS: Directory Browsing [0]
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: In Page Banner Information Leak [10009]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Re-examine Cache-control Directives [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Anti-clickjacking Header [10020]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Open Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: Strict-Transport-Security Header [10035]
PASS: HTTP Server Response Header [10036]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: Content Security Policy (CSP) Header Not Set [10038]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Source Code Disclosure - /WEB-INF folder [10045]
PASS: HTTPS Content Available via HTTP [10047]
PASS: Remote Code Execution - Shell Shock [10048]
PASS: Content Cacheability [10049]
PASS: Retrieved from Cache [10050]
PASS: Relative Path Confusion [10051]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie without SameSite Attribute [10054]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: GET for POST [10058]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Permissions Policy Header Not Set [10063]
PASS: Backup File Disclosure [10095]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Source Code Disclosure [10099]
PASS: User Agent Fuzzer [10104]
PASS: Weak Authentication Method [10105]
PASS: HTTP Only Site [10106]
PASS: Httpoxy - Proxy Header Misuse [10107]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Dangerous JS Functions [10110]
PASS: Authentication Request Identified [10111]
PASS: Session Management Response Identified [10112]
PASS: Verification Request Identified [10113]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Anti-CSRF Tokens Check [20012]
PASS: HTTP Parameter Pollution [20014]
PASS: Heartbleed OpenSSL Vulnerability [20015]
PASS: Cross-Domain Misconfiguration [20016]
PASS: Source Code Disclosure - CVE-2012-1823 [20017]
PASS: Remote Code Execution - CVE-2012-1823 [20018]
PASS: External Redirect [20019]
PASS: Session ID in URL Rewrite [3]
PASS: Buffer Overflow [30001]
PASS: Format String Error [30002]
PASS: Integer Overflow Error [30003]
PASS: CRLF Injection [40003]
PASS: Parameter Tampering [40008]
PASS: Server Side Include [40009]
PASS: Cross Site Scripting (Reflected) [40012]
PASS: Session Fixation [40013]
PASS: Cross Site Scripting (Persistent) [40014]
PASS: Cross Site Scripting (Persistent) - Prime [40016]
PASS: Cross Site Scripting (Persistent) - Spider [40017]
PASS: SQL Injection [40018]
PASS: SQL Injection - MySQL [40019]
PASS: SQL Injection - Hypersonic SQL [40020]
PASS: SQL Injection - Oracle [40021]
PASS: SQL Injection - PostgreSQL [40022]
PASS: Possible Username Enumeration [40023]
PASS: SQL Injection - SQLite [40024]
PASS: Proxy Disclosure [40025]
PASS: Cross Site Scripting (DOM Based) [40026]
PASS: SQL Injection - MsSQL [40027]
PASS: ELMAH Information Leak [40028]
PASS: Trace.axd Information Leak [40029]
PASS: Out of Band XSS [40031]
PASS: .htaccess Information Leak [40032]
PASS: .env Information Leak [40034]
PASS: Hidden File Finder [40035]
PASS: Bypassing 403 [40038]
PASS: CORS Header [40040]
PASS: Spring Actuator Information Leak [40042]
PASS: Log4Shell [40043]
PASS: Exponential Entity Expansion (Billion Laughs Attack) [40044]
PASS: Spring4Shell [40045]
PASS: Server Side Request Forgery [40046]
PASS: Text4shell (CVE-2022-42889) [40047]
PASS: Source Code Disclosure - Git [41]
PASS: Source Code Disclosure - SVN [42]
PASS: Source Code Disclosure - File Inclusion [43]
PASS: Script Active Scan Rules [50000]
PASS: Script Passive Scan Rules [50001]
PASS: Path Traversal [6]
PASS: Remote File Inclusion [7]
PASS: Insecure JSF ViewState [90001]
PASS: Java Serialization Object [90002]
PASS: Sub Resource Integrity Attribute Missing [90003]
PASS: Insufficient Site Isolation Against Spectre Vulnerability [90004]
PASS: Charset Mismatch [90011]
PASS: XSLT Injection [90017]
PASS: Server Side Code Injection [90019]
PASS: Remote OS Command Injection [90020]
PASS: XPath Injection [90021]
PASS: Application Error Disclosure [90022]
PASS: XML External Entity Attack [90023]
PASS: Generic Padding Oracle [90024]
PASS: Expression Language Injection [90025]
PASS: SOAP Action Spoofing [90026]
PASS: Cookie Slack Detector [90027]
PASS: Insecure HTTP Method [90028]
PASS: SOAP XML Injection [90029]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
PASS: Cloud Metadata Potentially Exposed [90034]
PASS: Server Side Template Injection [90035]
PASS: Server Side Template Injection (Blind) [90036]
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 0 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 136
Exit Code : 0
OWASP ZAP did not report any Risk
```
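The `zap.sh` behind the `OWASP ZAP - DAST` stage is not shown on this page; the log above contains only its output, ending in the summary line, the scanner's exit code and a message derived from it. The script below is an added example, not the project's `zap.sh`. Rather than treating every non-zero exit code as a failure, it parses the summary line so the gate fails on any `FAIL-NEW`, tolerates up to a configurable number of `WARN-NEW` rules, and fails closed when ZAP did not finish (exit 3, or no summary line at all). The constructed sample scan output, the `zap-api-scan.py` invocation against an OpenAPI definition and the `ZAP_TARGET`/`ZAP_MAX_WARN` variables are assumptions; `owasp/zap2docker-weekly` is the image the log shows being pulled.

```shell
#!/usr/bin/env bash
# Added example, not the project's zap.sh: gate a pipeline on the summary of a ZAP packaged scan.
set -u

# Constructed sample of the tail of a zap-api-scan.py run (not output from this page):
# one header rule raised as a warning on three URLs, everything else passing.
SAMPLE_ZAP_OUTPUT='PASS: Directory Browsing [0]
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 3
        http://controlplane:30010/v3/api-docs (200 OK)
        http://controlplane:30010/increment/99 (200 OK)
        http://controlplane:30010/compare/99 (200 OK)
PASS: Content Security Policy (CSP) Header Not Set [10038]
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 1 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 134'

# Print the summary line ("FAIL-NEW: n FAIL-INPROG: n WARN-NEW: n ... PASS: n") from a scan log.
zap_summary_line() {
  grep -E '^FAIL-NEW: [0-9]+ FAIL-INPROG: [0-9]+ WARN-NEW: [0-9]+' "$1" | tail -n 1
}

# Print the count that follows a key (FAIL-NEW, WARN-NEW, PASS, ...) in a summary line.
# Token-exact matching keeps WARN-NEW from also matching WARN-INPROG.
zap_count() {
  printf '%s\n' "$2" | awk -v k="$1:" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# Decide the build outcome from the scanner exit status and the summary line:
#   zap_gate <exit_code> <summary_line> [max_warn]
# zap-api-scan.py exits 0 with no findings, 1 on FAIL, 2 on WARN and 3 on any other error,
# so anything outside 0..2 means "no result" and fails closed, as does a missing summary.
zap_gate() {
  local rc="$1" summary="$2" max_warn="${3:-0}"
  local fails warns
  case "$rc" in
    0|1|2) ;;
    *) echo "ZAP did not complete (exit $rc); failing closed"; return 3 ;;
  esac
  fails=$(zap_count FAIL-NEW "$summary")
  warns=$(zap_count WARN-NEW "$summary")
  if [ -z "$fails" ] || [ -z "$warns" ]; then
    echo "No ZAP summary line found; failing closed"; return 3
  fi
  if [ "$fails" -gt 0 ]; then
    echo "OWASP ZAP reported $fails failing rule(s). Check the HTML report"; return 1
  fi
  if [ "$warns" -gt "$max_warn" ]; then
    echo "OWASP ZAP reported $warns warning rule(s), above the allowed $max_warn"; return 2
  fi
  echo "OWASP ZAP did not report any Risk above the threshold"; return 0
}

# Gate the constructed sample (exit 2, WARN-NEW 1): fails with max_warn 0, passes with max_warn 1.
sample_gate() {
  local f summary
  f=$(mktemp)
  printf '%s\n' "$SAMPLE_ZAP_OUTPUT" > "$f"
  summary=$(zap_summary_line "$f")
  rm -f "$f"
  zap_gate 2 "$summary" "${1:-0}"
}

# Run a real scan only when ZAP_TARGET is set, e.g.
#   ZAP_TARGET=http://controlplane:30010/v3/api-docs ZAP_MAX_WARN=0 bash zap-gate.sh
# The HTML report lands in owasp-zap-report/ (the directory the Jenkinsfile's publishHTML
# step reads); the console output is kept in a file so the summary line can be parsed.
if [ -n "${ZAP_TARGET:-}" ]; then
  mkdir -p owasp-zap-report
  docker run --rm -v "$(pwd)/owasp-zap-report:/zap/wrk/:rw" owasp/zap2docker-weekly \
    zap-api-scan.py -t "$ZAP_TARGET" -f openapi -r zap_report.html > zap-console.log 2>&1
  rc=$?
  cat zap-console.log
  zap_gate "$rc" "$(zap_summary_line zap-console.log)" "${ZAP_MAX_WARN:-0}"
fi
```

The host directory mounted at `/zap/wrk` must be writable by the `zap` user inside the container (uid 1000); otherwise no `zap_report.html` is written and the `publishHTML` step, configured with `allowMissing: false`, fails on its own.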
### Image vulnerability against NVD
#### Jenkins Logs
```
adoptopenjdk/openjdk8:alpine-slim (alpine 3.14.10)
==================================================
Total: 0 (HIGH: 0)
adoptopenjdk/openjdk8:alpine-slim (alpine 3.14.10)
==================================================
Total: 0 (CRITICAL: 0)
Exit Code : 0
Image scanning passed. No CRITICAL vulnerabilities found
[Pipeline] }
```
### Dependency vulnerability against NVD

### PIT Mutation

#### Jenkins Logs (full console output of one pipeline run)
```
Started by an SCM change
Obtained Jenkinsfile from git http://git-server:3000/bob/kubernetes-devops-security.git
[Pipeline] Start of Pipeline
[Pipeline] node
Running on Jenkins in /var/lib/jenkins/workspace/devsecops-numeric-application
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Declarative: Checkout SCM)
[Pipeline] checkout
The recommended git tool is: NONE
using credential 2c390b82-e49d-4a72-ab7f-2a03e8a4b607
> git rev-parse --resolve-git-dir /var/lib/jenkins/workspace/devsecops-numeric-application/.git # timeout=10
Fetching changes from the remote Git repository
> git config remote.origin.url http://git-server:3000/bob/kubernetes-devops-security.git # timeout=10
Fetching upstream changes from http://git-server:3000/bob/kubernetes-devops-security.git
> git --version # timeout=10
> git --version # 'git version 2.25.1'
using GIT_ASKPASS to set credentials
> git fetch --tags --force --progress -- http://git-server:3000/bob/kubernetes-devops-security.git +refs/heads/*:refs/remotes/origin/* # timeout=10
> git rev-parse refs/remotes/origin/master^{commit} # timeout=10
Checking out Revision 0fb2b5480206cabe256398a174dc2ccc41a37a76 (refs/remotes/origin/master)
> git config core.sparsecheckout # timeout=10
> git checkout -f 0fb2b5480206cabe256398a174dc2ccc41a37a76 # timeout=10
Commit message: "two"
> git rev-list --no-walk 3b4f008fc87424b6a70f7336ba0c290e6f558e3c # timeout=10
[Pipeline] }
[Pipeline] // stage
[Pipeline] withEnv
[Pipeline] {
[Pipeline] withEnv
[Pipeline] {
[Pipeline] stage
[Pipeline] { (Build Artifact - Maven)
[Pipeline] sh
+ mvn clean package -DskipTests=true
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/usr/share/maven/lib/guice.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< com.devsecops:numeric >------------------------
[INFO] Building numeric 0.0.1
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-clean-plugin:3.1.0:clean (default-clean) @ numeric ---
[INFO] Deleting /var/lib/jenkins/workspace/devsecops-numeric-application/target
[INFO]
[INFO] --- jacoco-maven-plugin:0.8.5:prepare-agent (default) @ numeric ---
[INFO] argLine set to -javaagent:/var/lib/jenkins/.m2/repository/org/jacoco/org.jacoco.agent/0.8.5/org.jacoco.agent-0.8.5-runtime.jar=destfile=/var/lib/jenkins/workspace/devsecops-numeric-application/target/jacoco.exec
[INFO]
[INFO] --- maven-resources-plugin:3.1.0:resources (default-resources) @ numeric ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] Copying 1 resource
[INFO] Copying 0 resource
[INFO]
[INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ numeric ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 3 source files to /var/lib/jenkins/workspace/devsecops-numeric-application/target/classes
[INFO]
[INFO] --- maven-resources-plugin:3.1.0:testResources (default-testResources) @ numeric ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /var/lib/jenkins/workspace/devsecops-numeric-application/src/test/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.1:testCompile (default-testCompile) @ numeric ---
[INFO] Changes detected - recompiling the module!
[INFO] Compiling 1 source file to /var/lib/jenkins/workspace/devsecops-numeric-application/target/test-classes
[INFO]
[INFO] --- maven-surefire-plugin:2.22.2:test (default-test) @ numeric ---
[INFO] Tests are skipped.
[INFO]
[INFO] --- jacoco-maven-plugin:0.8.5:report (report) @ numeric ---
[INFO] Skipping JaCoCo execution due to missing execution data file.
[INFO]
[INFO] --- maven-jar-plugin:3.2.0:jar (default-jar) @ numeric ---
[INFO] Building jar: /var/lib/jenkins/workspace/devsecops-numeric-application/target/numeric-0.0.1.jar
[INFO]
[INFO] --- spring-boot-maven-plugin:2.3.12.RELEASE:repackage (repackage) @ numeric ---
[INFO] Replacing main artifact with repackaged archive
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 8.790 s
[INFO] Finished at: 2023-11-07T04:55:24Z
[INFO] ------------------------------------------------------------------------
[Pipeline] archive
The archive step is deprecated, please use archiveArtifacts instead.
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Docker Build and Push)
[Pipeline] sh
+ sudo docker build -t docker-registry:5000/java-app:latest .
Sending build context to Docker daemon 25.54MB
Step 1/7 : FROM adoptopenjdk/openjdk8:alpine-slim
---> 3efa72525ca6
Step 2/7 : EXPOSE 8080
---> Using cache
---> 2895d67b47b4
Step 3/7 : ARG JAR_FILE=target/*.jar
---> Using cache
---> 6904c0f77062
Step 4/7 : RUN addgroup -S devops-security && adduser -S devsecops -G devops-security
---> Using cache
---> d09354653dbc
Step 5/7 : COPY ${JAR_FILE} /home/devsecops/app.jar
---> 319a9c4b26f6
Step 6/7 : USER devsecops
---> Running in 884e37c85f36
Removing intermediate container 884e37c85f36
---> 06a719ce56e3
Step 7/7 : ENTRYPOINT ["java","-jar","/home/devsecops/app.jar"]
---> Running in b735dc7fec4e
Removing intermediate container b735dc7fec4e
---> b617860dc5a1
Successfully built b617860dc5a1
Successfully tagged docker-registry:5000/java-app:latest
[Pipeline] sh
+ docker push docker-registry:5000/java-app:latest
The push refers to repository [docker-registry:5000/java-app]
90c2da6b19f5: Preparing
4d87d2430844: Preparing
7036593b3170: Preparing
8f290ac22ea1: Preparing
115d40e81d30: Preparing
9733ccc39513: Preparing
9733ccc39513: Waiting
115d40e81d30: Layer already exists
7036593b3170: Layer already exists
4d87d2430844: Layer already exists
8f290ac22ea1: Layer already exists
9733ccc39513: Layer already exists
90c2da6b19f5: Pushed
latest: digest: sha256:3a51189cb16b1c87c1eed85d2b961b488a30ecf8810e083c361ef5043907e402 size: 1579
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Vulnerability Scan - Kubernetes)
[Pipeline] sh
+ /usr/local/bin/conftest test --policy opa-k8s-security.rego k8s_deployment_service.yaml
4 tests, 4 passed, 0 warnings, 0 failures, 0 exceptions
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (K8S Deployment - DEV)
[Pipeline] parallel
[Pipeline] { (Branch: Deployment)
[Pipeline] { (Branch: Rollout Status)
[Pipeline] sh
[Pipeline] sh
+ bash k8s-deployment.sh
+ bash k8s-deployment-rollout-status.sh
deployment devsecops exist
image name - docker-registry:5000/java-app:latest
Flag --record has been deprecated, --record will be removed in the future
[Pipeline] }
Deployment devsecops Rollout is Success
[Pipeline] }
[Pipeline] // parallel
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Integration Tests - DEV)
[Pipeline] script
[Pipeline] {
[Pipeline] sh
+ bash integration-test.sh
30010
http://controlplane:30010/increment/99
Increment Test Passed
HTTP Status Code Test Passed
[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (OWASP ZAP - DAST)
[Pipeline] sh
+ bash zap.sh
103:106
2023-11-07 04:57:17,248 Number of Imported URLs: 8
Total of 103 URLs
PASS: Directory Browsing [0]
PASS: Vulnerable JS Library (Powered by Retire.js) [10003]
PASS: In Page Banner Information Leak [10009]
PASS: Cookie No HttpOnly Flag [10010]
PASS: Cookie Without Secure Flag [10011]
PASS: Re-examine Cache-control Directives [10015]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Anti-clickjacking Header [10020]
PASS: X-Content-Type-Options Header Missing [10021]
PASS: Information Disclosure - Debug Error Messages [10023]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Open Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: Strict-Transport-Security Header [10035]
PASS: HTTP Server Response Header [10036]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: Content Security Policy (CSP) Header Not Set [10038]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: Secure Pages Include Mixed Content [10040]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Source Code Disclosure - /WEB-INF folder [10045]
PASS: HTTPS Content Available via HTTP [10047]
PASS: Remote Code Execution - Shell Shock [10048]
PASS: Content Cacheability [10049]
PASS: Retrieved from Cache [10050]
PASS: Relative Path Confusion [10051]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: Cookie without SameSite Attribute [10054]
PASS: CSP [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: GET for POST [10058]
PASS: X-AspNet-Version Response Header [10061]
PASS: PII Disclosure [10062]
PASS: Permissions Policy Header Not Set [10063]
PASS: Backup File Disclosure [10095]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Source Code Disclosure [10099]
PASS: User Agent Fuzzer [10104]
PASS: Weak Authentication Method [10105]
PASS: HTTP Only Site [10106]
PASS: Httpoxy - Proxy Header Misuse [10107]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Dangerous JS Functions [10110]
PASS: Authentication Request Identified [10111]
PASS: Session Management Response Identified [10112]
PASS: Verification Request Identified [10113]
PASS: Absence of Anti-CSRF Tokens [10202]
PASS: Private IP Disclosure [2]
PASS: Anti-CSRF Tokens Check [20012]
PASS: HTTP Parameter Pollution [20014]
PASS: Heartbleed OpenSSL Vulnerability [20015]
PASS: Cross-Domain Misconfiguration [20016]
PASS: Source Code Disclosure - CVE-2012-1823 [20017]
PASS: Remote Code Execution - CVE-2012-1823 [20018]
PASS: External Redirect [20019]
PASS: Session ID in URL Rewrite [3]
PASS: Buffer Overflow [30001]
PASS: Format String Error [30002]
PASS: Integer Overflow Error [30003]
PASS: CRLF Injection [40003]
PASS: Parameter Tampering [40008]
PASS: Server Side Include [40009]
PASS: Cross Site Scripting (Reflected) [40012]
PASS: Session Fixation [40013]
PASS: Cross Site Scripting (Persistent) [40014]
PASS: Cross Site Scripting (Persistent) - Prime [40016]
PASS: Cross Site Scripting (Persistent) - Spider [40017]
PASS: SQL Injection [40018]
PASS: SQL Injection - MySQL [40019]
PASS: SQL Injection - Hypersonic SQL [40020]
PASS: SQL Injection - Oracle [40021]
PASS: SQL Injection - PostgreSQL [40022]
PASS: Possible Username Enumeration [40023]
PASS: SQL Injection - SQLite [40024]
PASS: Proxy Disclosure [40025]
PASS: Cross Site Scripting (DOM Based) [40026]
PASS: SQL Injection - MsSQL [40027]
PASS: ELMAH Information Leak [40028]
PASS: Trace.axd Information Leak [40029]
PASS: Out of Band XSS [40031]
PASS: .htaccess Information Leak [40032]
PASS: .env Information Leak [40034]
PASS: Hidden File Finder [40035]
PASS: Bypassing 403 [40038]
PASS: CORS Header [40040]
PASS: Spring Actuator Information Leak [40042]
PASS: Log4Shell [40043]
PASS: Exponential Entity Expansion (Billion Laughs Attack) [40044]
PASS: Spring4Shell [40045]
PASS: Server Side Request Forgery [40046]
PASS: Text4shell (CVE-2022-42889) [40047]
PASS: Source Code Disclosure - Git [41]
PASS: Source Code Disclosure - SVN [42]
PASS: Source Code Disclosure - File Inclusion [43]
PASS: Script Active Scan Rules [50000]
PASS: Script Passive Scan Rules [50001]
PASS: Path Traversal [6]
PASS: Remote File Inclusion [7]
PASS: Insecure JSF ViewState [90001]
PASS: Java Serialization Object [90002]
PASS: Sub Resource Integrity Attribute Missing [90003]
PASS: Insufficient Site Isolation Against Spectre Vulnerability [90004]
PASS: Charset Mismatch [90011]
PASS: XSLT Injection [90017]
PASS: Server Side Code Injection [90019]
PASS: Remote OS Command Injection [90020]
PASS: XPath Injection [90021]
PASS: Application Error Disclosure [90022]
PASS: XML External Entity Attack [90023]
PASS: Generic Padding Oracle [90024]
PASS: Expression Language Injection [90025]
PASS: SOAP Action Spoofing [90026]
PASS: Cookie Slack Detector [90027]
PASS: Insecure HTTP Method [90028]
PASS: SOAP XML Injection [90029]
PASS: WSDL File Detection [90030]
PASS: Loosely Scoped Cookie [90033]
PASS: Cloud Metadata Potentially Exposed [90034]
PASS: Server Side Template Injection [90035]
PASS: Server Side Template Injection (Blind) [90036]
FAIL-NEW: 0 FAIL-INPROG: 0 WARN-NEW: 0 WARN-INPROG: 0 INFO: 0 IGNORE: 0 PASS: 136
Exit Code : 0
OWASP ZAP did not report any Risk
[Pipeline] }
[Pipeline] // stage
[Pipeline] stage
[Pipeline] { (Declarative: Post Actions)
[Pipeline] publishHTML
[htmlpublisher] Archiving HTML reports...
[htmlpublisher] Archiving at BUILD level /var/lib/jenkins/workspace/devsecops-numeric-application/owasp-zap-report to /var/lib/jenkins/jobs/devsecops-numeric-application/builds/6/htmlreports/OWASP_20ZAP_20HTML_20Reports
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
```
### Sonar Result - SAST (Static Application Security Testing)

### Code Coverage
