CSP API Rest Scan


Jacobo Adolfo Rodríguez Rodríguez

May 16, 2023, 11:08:50 AM
to OWASP ZAP User Group
Hi

I'm getting the html result of a docker api scan:

docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -l PASS -t https://xxxxxxx/public/vives.json -f openapi -g api-scan.conf -x OWASP-ZAP-Report.xml -r api-scan-report.html

I've added the CSP directives:

default-src 'none'; font-src 'self'; img-src 'self'; script-src 'none'; style-src 'self'; frame-src 'self'; object-src 'none'

Validated against csp-validator.withgoogle.com.

But in the api-scan-report.html I always get a list of URLs with the "medium" issue of 

CSP: Wildcard Directive


How can I fix this please?

In the same way, how can I get in the HTML the list of passed tests?

Thanks!!!

kingthorin+owaspzap

May 16, 2023, 12:59:37 PM
to OWASP ZAP User Group
You'd need to provide the full alert details. There are a number of directives that don't fall back, so if you haven't defined them they're wide open.
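The point above, that some CSP directives never inherit from default-src, is what a "wildcard" finding on a policy like the one in this thread usually comes down to. The following is an added example (not from the thread and not ZAP's own rule code) that parses a CSP header and reports the non-fallback directives that are unset or contain a wildcard source; the directive set checked here and the simplified wildcard test are assumptions, not ZAP's exact logic.

```python
# Added example: find CSP directives that do not fall back to default-src
# and are therefore wide open when a policy omits them.

# These three do not inherit from default-src per the CSP specification.
# Assumption: this is the set to check; ZAP's rule may inspect others too.
NO_FALLBACK = ("frame-ancestors", "form-action", "base-uri")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {name: [src, ...]}."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def open_directives(header: str) -> list[str]:
    """Return the non-fallback directives that are missing from the policy
    or that list a wildcard source (any source containing '*').
    A missing directive is reported because nothing restricts it."""
    policy = parse_csp(header)
    findings = []
    for name in NO_FALLBACK:
        sources = policy.get(name)
        if sources is None or any("*" in src for src in sources):
            findings.append(name)
    return findings


# Constructed from the policy quoted in the thread.
ORIGINAL = (
    "default-src 'none'; font-src 'self'; img-src 'self'; script-src 'none'; "
    "style-src 'self'; frame-src 'self'; object-src 'none'"
)
# The same policy with the non-fallback directives set explicitly.
HARDENED = ORIGINAL + "; frame-ancestors 'none'; form-action 'none'; base-uri 'none'"

if __name__ == "__main__":
    print(open_directives(ORIGINAL))  # ['frame-ancestors', 'form-action', 'base-uri']
    print(open_directives(HARDENED))  # []
```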

Jacobo Adolfo Rodríguez Rodríguez

May 16, 2023, 3:22:23 PM
to OWASP ZAP User Group
Sorry, I forgot to add the full details:


Medium

CSP: Wildcard Directive

Description

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.


URL: https://xxxxxx.com/v1/offers/id
Method: DELETE
Parameter: Content-Security-Policy
Attack:
Evidence: default-src 'none'; font-src 'self'; img-src 'self'; script-src 'none'; style-src 'self'; frame-src 'self'; object-src 'none'

URL: https://xxxxxx.com/v1/city/1.2
Method: GET
Parameter: Content-Security-Policy
Attack:
Evidence: default-src 'none'; font-src 'self'; img-src 'self'; script-src 'none'; style-src 'self'; frame-src 'self'; object-src 'none'


And the same with another 8 URLs

Thanks for your response.

kingthorin+owaspzap

May 17, 2023, 2:31:37 PM
to OWASP ZAP User Group
That's still not the full details. I'll see if I can mock something and get back to you.

Jacobo Adolfo Rodríguez Rodríguez

May 18, 2023, 8:14:12 AM
to OWASP ZAP User Group
Sorry, but this html is what I get when running 

docker run --rm -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-weekly zap-api-scan.py -l PASS -t https://xxxxxxx/public/vives.json -f openapi -g api-scan.conf -x OWASP-ZAP-Report.xml -r api-scan-report.html

If it is necessary to add an extra parameter when running the Docker container to get these details, I can add it and run the scan again.

Thanks!
