In jsonreport, each risk has two types of risk level mentioned, one outside the bracket and one inside.


Muhammad Zubair

Mar 20, 2023, 5:30:59 AM
to OWASP ZAP User Group
Hello Zap team, I noticed that in the jsonreport, each risk has two types of risk level mentioned, one outside the bracket and one inside. Can you please explain why this is the case? Here are some examples from the report:

Content Security Policy (CSP) Header Not Set - risk level is mentioned as Medium (High)
Missing Anti-clickjacking Header - risk level is mentioned as Medium (Medium)
Server Leaks Version Information via "Server" HTTP Response Header Field - risk level is mentioned as Low (High)
Strict-Transport-Security Header Not Set - risk level is mentioned as Low (High)
X-Content-Type-Options Header Missing - risk level is mentioned as Low (Medium)
Re-examine Cache-control Directives - risk level is mentioned as Informational (Low)
Retrieved from Cache - risk level is mentioned as Informational (Medium)
I would appreciate it if you could provide some clarification on this matter. Thank you.

thc...@gmail.com

Mar 20, 2023, 5:43:19 AM
to zaprox...@googlegroups.com
Hi.

That's documented in the help:
https://www.zaproxy.org/docs/desktop/addons/report-generation/report-traditional-json/#about-riskdesc

"riskdesc - Is a combination identifier, showing Risk followed by
Confidence (in brackets)."

Best regards.

On 20/03/2023 09:30, Muhammad Zubair wrote:
> Hello Zap team, I noticed that in the jsonreport, each risk has two types
> of risk level mentioned, one outside the bracket and one inside. Can you
> please explain why this is the case? Here are some examples from the report:
>
> Content Security Policy (CSP) Header Not Set - risk level is mentioned as *Medium
> (High)*
> Missing Anti-clickjacking Header - risk level is mentioned as Medium
> (Medium)
> Server Leaks Version Information via "Server" HTTP Response Header Field -
> risk level is mentioned as Low (High)
> Strict-Transport-Security Header Not Set - risk level is mentioned as *Low
> (High)*
> X-Content-Type-Options Header Missing - risk level is mentioned as *Low
> (Medium)*
> Re-examine Cache-control Directives - risk level is mentioned as Informational
> (Low)
> Retrieved from Cache - risk level is mentioned as *Informational (Medium)*
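As an added example (not code from ZAP or from either poster), here is how a script can split the riskdesc string into its Risk and Confidence parts and use both for triage: alerts with a high enough risk but low confidence are routed to manual verification rather than treated as confirmed findings. The report structure below is a constructed sample shaped like the traditional JSON report (only the fields the example needs), and the risk/confidence orderings are assumptions for sorting purposes.

```python
import json
import re

# Constructed sample shaped like ZAP's traditional JSON report, trimmed to the
# fields this example uses; the riskdesc values are the ones quoted in the thread.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://example.test",
        "alerts": [
            {"name": "Content Security Policy (CSP) Header Not Set", "riskdesc": "Medium (High)"},
            {"name": "Missing Anti-clickjacking Header", "riskdesc": "Medium (Medium)"},
            {"name": "Server Leaks Version Information via \"Server\" HTTP Response Header Field", "riskdesc": "Low (High)"},
            {"name": "Strict-Transport-Security Header Not Set", "riskdesc": "Low (High)"},
            {"name": "X-Content-Type-Options Header Missing", "riskdesc": "Low (Medium)"},
            {"name": "Re-examine Cache-control Directives", "riskdesc": "Informational (Low)"},
            {"name": "Retrieved from Cache", "riskdesc": "Informational (Medium)"},
        ],
    }],
})

# Assumed orderings of the labels that appear in riskdesc (lowest to highest).
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_ORDER = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "User Confirmed": 4}
RISKDESC_RE = re.compile(r"^(?P<risk>[A-Za-z]+) \((?P<confidence>[A-Za-z ]+)\)$")

def split_riskdesc(riskdesc):
    """Return (risk, confidence) from a riskdesc such as 'Low (High)'."""
    m = RISKDESC_RE.match(riskdesc.strip())
    if not m or m["risk"] not in RISK_ORDER or m["confidence"] not in CONFIDENCE_ORDER:
        raise ValueError(f"unexpected riskdesc: {riskdesc!r}")
    return m["risk"], m["confidence"]

def triage(report_json, min_risk="Medium", min_confidence="Medium"):
    """Split alert names into ones to act on now and ones whose risk is high
    enough but whose confidence is too low to trust without manual verification."""
    act, verify = [], []
    for site in json.loads(report_json)["site"]:
        for alert in site["alerts"]:
            risk, conf = split_riskdesc(alert["riskdesc"])
            if RISK_ORDER[risk] < RISK_ORDER[min_risk]:
                continue  # below the risk threshold: not part of this triage pass
            (act if CONFIDENCE_ORDER[conf] >= CONFIDENCE_ORDER[min_confidence] else verify).append(alert["name"])
    return act, verify

if __name__ == "__main__":
    act_now, needs_verification = triage(SAMPLE_REPORT)
    print("act now:", act_now)
    print("verify first:", needs_verification)
```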