Having Problems Fixing Non-Storable Content


Josh Monreal

Jun 23, 2023, 4:57:24 AM6/23/23
to OWASP ZAP Developer Group
Hi, 

I built a .NET 6.0 project and have OWASP ZAP scan in my build pipeline. I have added the code below and after the OWASP ZAP scan, I received the Non-storable content vulnerability.

Code.png

If I remove the Cache-Control entirely, then I get the Storable and Cacheable Content vulnerability. If I set Cache-Control to no-cache, then I get the Storable but Non-Cacheable Content. Can you help me determine what is the correct value that I need to put to remove the vulnerability? 

Thanks a lot for the help!

psiinon

Jun 23, 2023, 5:00:38 AM6/23/23
to zaproxy...@googlegroups.com
https://www.zaproxy.org/docs/alerts/10049-1/ is an Informational alert and not a vulnerability.

"The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance."

Don't assume that everything ZAP tells you is a vulnerability.
Read the details :)

Cheers,

Simon



--
OWASP ZAP Project leader
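The three 10049 references in this thread map onto two questions RFC 7234 asks about a response: may a cache store it at all (section 3), and may a stored copy be served again without revalidating it (section 4). The classifier below is an added example, not ZAP's rule code and not the .NET snippet from the attachment; it is a simplified reading of those two sections, assumes a shared (proxy) cache unless told otherwise, and the header sets it is run over are constructed.

```python
"""Classify a response as ZAP's 10049 references do, using RFC 7234 section 3
(storability) and section 4 (serving without revalidation).  Added example,
not ZAP's own implementation; a simplified reading of the RFC."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Status codes RFC 7231 section 6.1 lists as cacheable by default, i.e. a
# cache may assign them a heuristic freshness lifetime with no explicit one.
DEFAULT_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}

NON_STORABLE = "Non-Storable Content"                        # ZAP 10049-1
STORABLE_CACHEABLE = "Storable and Cacheable Content"        # ZAP 10049-2
STORABLE_NON_CACHEABLE = "Storable but Non-Cacheable Content"  # ZAP 10049-3


def parse_cache_control(value):
    """'max-age=60, no-cache' -> {'max-age': '60', 'no-cache': None}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def _seconds(value):
    """Directive argument to int seconds; missing or malformed counts as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def classify(status, headers, request_headers=None, shared_cache=True, now=None):
    """Return one of the three 10049 labels for a response (header names are
    matched case-insensitively; request_headers may be omitted)."""
    h = {k.lower(): v for k, v in headers.items()}
    rq = {k.lower(): v for k, v in (request_headers or {}).items()}
    cc = parse_cache_control(h.get("cache-control"))
    rq_cc = parse_cache_control(rq.get("cache-control"))
    now = now or datetime.now(timezone.utc)

    # RFC 7234 section 3: may the response be stored at all?
    if "no-store" in cc or "no-store" in rq_cc:
        return NON_STORABLE
    if shared_cache and "private" in cc:
        return NON_STORABLE
    if shared_cache and "authorization" in rq and not (
            {"public", "must-revalidate", "s-maxage"} & set(cc)):
        return NON_STORABLE
    explicit_freshness = ("expires" in h or "max-age" in cc
                          or (shared_cache and "s-maxage" in cc))
    if not (explicit_freshness or "public" in cc or status in DEFAULT_CACHEABLE):
        return NON_STORABLE

    # RFC 7234 section 4: may a stored copy be served without revalidation?
    if "no-cache" in cc:
        return STORABLE_NON_CACHEABLE
    lifetime = None
    if shared_cache and "s-maxage" in cc:
        lifetime = _seconds(cc["s-maxage"])
    elif "max-age" in cc:
        lifetime = _seconds(cc["max-age"])
    elif "expires" in h:
        try:
            lifetime = (parsedate_to_datetime(h["expires"]) - now).total_seconds()
        except (TypeError, ValueError):
            lifetime = 0  # RFC 7234 section 5.3: an invalid Expires means already expired
    if lifetime is None:
        # No explicit lifetime: heuristic freshness only for default-cacheable codes.
        return STORABLE_CACHEABLE if status in DEFAULT_CACHEABLE else STORABLE_NON_CACHEABLE
    return STORABLE_CACHEABLE if lifetime > 0 else STORABLE_NON_CACHEABLE


if __name__ == "__main__":
    # Constructed responses; the first three are the outcomes reported in the thread.
    samples = [
        ("no-store", 200, {"Cache-Control": "no-store"}, {}),
        ("no Cache-Control header", 200, {}, {}),
        ("no-cache", 200, {"Cache-Control": "no-cache"}, {}),
        ("max-age=0", 200, {"Cache-Control": "max-age=0"}, {}),
        ("private, max-age=60", 200, {"Cache-Control": "private, max-age=60"}, {}),
        ("max-age=300 + Authorization", 200, {"Cache-Control": "max-age=300"},
         {"Authorization": "Bearer x"}),
        ("500 with no headers", 500, {}, {}),
    ]
    for label, status, resp, req in samples:
        print(f"{label:30} -> {classify(status, resp, req)}")
```

Run as-is it prints a label for each constructed response. The upshot for the question in the thread is that no single value makes all three references disappear: `no-store` is the right setting for anything user-specific and yields 10049-1, while public static content is fine at 10049-2; the alert is an inventory of cacheability, not a finding to close.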

Josh Monreal

Jun 23, 2023, 5:23:24 AM6/23/23
to OWASP ZAP Developer Group
Hi psiinon,

Is there documentation I can check that shows how to ignore informational alerts in the scan result?

psiinon

Jun 23, 2023, 5:24:57 AM6/23/23
to zaproxy...@googlegroups.com
How are you running ZAP?
That will affect which options are open to you.

Cheers,

Simon

Josh Monreal

Jun 23, 2023, 5:32:27 AM6/23/23
to OWASP ZAP Developer Group
I am using Azure DevOps pipelines (yaml). You can see below for the task.

- bash: |
    # make the checkout world-writable so the container can write its reports into the mounted volume
    chmod -R 777 ./
    docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://x.azurewebsites.net -g gen.conf -x zap-report.xml -r zap-report.html -J zap-report.json
    # swallow the scan's non-zero exit status so the pipeline step passes
    true
  displayName: 'Run OWASP Zap'

psiinon

Jun 23, 2023, 5:41:40 AM6/23/23
to zaproxy...@googlegroups.com

The easiest option is to use the option:
-l level          minimum level to show: PASS, IGNORE, INFO, WARN or FAIL, use with -s to hide example URLs
The baseline scan also supports a config file which allows you to ignore specific alerts.

Cheers,

Simon
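Both of Simon's suggestions, the -l level switch and the baseline config file, act on what the scan itself reports. The script below is an added example, not part of the thread or of ZAP: it reads the JSON report the pipeline already writes with -J together with a baseline config, drops Informational alerts and any plugin the config marks IGNORE, and returns only what is left so the job can gate on that. The report excerpt and config lines are constructed; the assumed config layout is the tab-separated `<plugin id> TAB <FAIL|WARN|IGNORE> TAB <comment>` lines that -c reads and -g writes, and the riskcode values (0 Informational through 3 High) are those used in ZAP's JSON report.

```python
"""Gate a pipeline on a zap-baseline JSON report (-J) plus a baseline config
file instead of on the scan's exit code.  Added example, not ZAP's code; the
report and config below are constructed."""
import json

RISK_LEVELS = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

# Constructed baseline config: plugin 10049 ignored, 10021 left at WARN.
# Assumed layout: "<plugin id> TAB <FAIL|WARN|IGNORE> TAB <comment>".
BASELINE_CONF = """\
# zap-baseline rule configuration file
# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
10021\tWARN\t(X-Content-Type-Options Header Missing - Passive/release)
10049\tIGNORE\t(Content Cacheability - Passive/beta)
"""

# Constructed excerpt in the shape of a -J report: one Informational, one Low alert.
REPORT_JSON = """{
  "site": [{
    "@name": "https://x.azurewebsites.net",
    "alerts": [
      {"pluginid": "10049", "alertRef": "10049-1", "alert": "Non-Storable Content",
       "riskcode": "0", "confidence": "2", "riskdesc": "Informational (Medium)",
       "instances": [{"uri": "https://x.azurewebsites.net/", "method": "GET"}]},
      {"pluginid": "10021", "alertRef": "10021",
       "alert": "X-Content-Type-Options Header Missing",
       "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
       "instances": [{"uri": "https://x.azurewebsites.net/", "method": "GET"}]}
    ]
  }]
}"""


def parse_baseline_conf(text):
    """Return {plugin id: action} from config lines; comments and blanks are skipped."""
    actions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) >= 2 and fields[0].isdigit():
            actions[fields[0]] = fields[1].upper()
    return actions


def triage(report_text, conf_text, min_risk=1):
    """Alerts at or above min_risk (1 = Low) whose plugin is not IGNOREd, each
    tagged with the config action so the caller can decide whether to fail."""
    actions = parse_baseline_conf(conf_text)
    kept = []
    for site in json.loads(report_text).get("site", []):
        for alert in site.get("alerts", []):
            pid = alert["pluginid"]
            if actions.get(pid) == "IGNORE":
                continue
            if int(alert["riskcode"]) < min_risk:
                continue
            kept.append({
                "pluginid": pid,
                "alertRef": alert.get("alertRef", pid),
                "name": alert["alert"],
                "risk": RISK_LEVELS.get(alert["riskcode"], alert["riskcode"]),
                # assumed: rules absent from the config behave as WARN
                "action": actions.get(pid, "WARN"),
                "urls": [i["uri"] for i in alert.get("instances", [])],
            })
    return kept


def pipeline_should_fail(report_text, conf_text):
    """True only when a surviving alert's plugin is marked FAIL in the config."""
    return any(a["action"] == "FAIL" for a in triage(report_text, conf_text))


if __name__ == "__main__":
    for a in triage(REPORT_JSON, BASELINE_CONF):
        print(f'{a["alertRef"]:10} {a["risk"]:14} {a["action"]:6} {a["name"]}')
    print("fail build:", pipeline_should_fail(REPORT_JSON, BASELINE_CONF))
```

In a pipeline, point it at the real zap-report.json and the config you pass with -c, keep the `true` after the docker command so the step reaches the report at all, and fail the job on `pipeline_should_fail` rather than on the scan's exit status.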

Josh Monreal

Jun 23, 2023, 6:52:28 AM6/23/23
to OWASP ZAP Developer Group
I tried to add -l WARN to the docker command, but for some reason alert Id 10049-2 was still returned despite it only being Informational. Am I missing something?

- bash: |
    # make the checkout world-writable so the container can write its reports into the mounted volume
    chmod -R 777 ./
    docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://x.azurewebsites.net -l WARN -g gen.conf -x zap-report.xml -r zap-report.html -J zap-report-be.json
    # swallow the scan's non-zero exit status so the pipeline step passes
    true
  displayName: 'Run OWASP Zap'

psiinon

Jun 23, 2023, 7:52:50 AM6/23/23
to zaproxy...@googlegroups.com
Try removing "-g gen.conf" - you probably don't want to generate a config file in this case and it may be confusing things.

Josh Monreal

Jun 23, 2023, 11:33:28 AM6/23/23
to OWASP ZAP Developer Group
Thank you! 