Zap alert - Missing Anti-clickjacking Header on https://optimizationguide-pa.googleapis.com/


sreejit manoharan

Jun 21, 2023, 6:21:07 AM
to OWASP ZAP User Group
Hi all,
ZAP is flagging what seem to be Chrome browser events APIs during my scan. Are there any docs I could refer to for why ZAP includes Google events APIs in my scan?
Could this be classified as a false positive?

Cheers,
Sreejit M

psiinon

Jun 21, 2023, 6:26:15 AM
to zaprox...@googlegroups.com
ZAP passively scans all of the requests proxied through it.
If ZAP launches a browser, or you proxy a browser through ZAP, then ZAP will see any request that browser makes to back end services.

Personally I would not consider that as a false positive, rather as being out of scope.
If you are generating reports via ZAP then you can specify which sites you are interested in so that you don't see alerts like this.

Cheers,

Simon

--
OWASP ZAP Project leader
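
One way to apply the "out of scope" distinction from the reply above to a report that has already been generated, as an added example (not code from this thread or from the ZAP project). It assumes the report follows the site / `@host` / `alerts` layout of ZAP's traditional JSON report; the sample data is constructed and `app.example.test` is a hypothetical scan target.

```python
from urllib.parse import urlsplit

# Constructed sample, trimmed to the fields used below. A real report would be
# loaded with json.load(); the layout is assumed, not taken from the thread.
SAMPLE_REPORT = {
    "site": [
        {"@name": "https://app.example.test", "@host": "app.example.test",
         "alerts": [{"alert": "Missing Anti-clickjacking Header",
                     "riskdesc": "Medium (Medium)"}]},
        {"@name": "https://optimizationguide-pa.googleapis.com",
         "@host": "optimizationguide-pa.googleapis.com",
         "alerts": [{"alert": "Missing Anti-clickjacking Header",
                     "riskdesc": "Medium (Medium)"}]},
    ]
}


def host_in_scope(host, scope):
    """True if host equals a scope entry or is a subdomain of one.

    The match is anchored on a leading dot so that a look-alike such as
    'notapp.example.test' does not match the entry 'app.example.test'.
    """
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in scope)


def split_by_scope(report, scope):
    """Return (in_scope, out_of_scope) lists of (host, alert, risk) tuples."""
    scope = {s.lower() for s in scope}
    kept, dropped = [], []
    for site in report.get("site", []):
        # Prefer the explicit host field; fall back to parsing the site URL.
        host = site.get("@host") or urlsplit(site.get("@name", "")).hostname or ""
        bucket = kept if host_in_scope(host, scope) else dropped
        for alert in site.get("alerts", []):
            bucket.append((host, alert.get("alert"), alert.get("riskdesc")))
    return kept, dropped


if __name__ == "__main__":
    in_scope, out_of_scope = split_by_scope(SAMPLE_REPORT, ["app.example.test"])
    for row in in_scope:
        print("IN SCOPE    ", *row)
    for row in out_of_scope:
        print("OUT OF SCOPE", *row)
```

Keeping the out-of-scope list rather than discarding it shows which third-party services the browser contacted during the scan, without mixing those alerts into the findings for the target.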