Inconsistent reporting of alert 10015 & 10021


Mihai Cindea

Nov 19, 2021, 9:50:12 AM
to OWASP ZAP User Group
Hello everyone,

I have a question regarding reporting these 2 alerts, maybe I'm doing something wrong or simply my expectations are not correct.
10015: Incomplete or No Cache-control Header Set
10021: X-Content-Type-Options Header Missing

Scan type: OpenAPI swagger import
Docker Zaproxy version: 2.11.0

I noticed a weird behavior where <instances> is empty, and at this point I think it could be due to the alert filters & global exclude I set:
```
globalexcludeurl.url_list.url(0).regex=^https?://.*/swagger/.*$
globalexcludeurl.url_list.url(0).enabled=true
globalalertfilter.filters.filter(0).ruleid=10015
globalalertfilter.filters.filter(0).newrisk=-1
globalalertfilter.filters.filter(0).url=https?://.*/swagger/.*
globalalertfilter.filters.filter(0).urlregex=true
globalalertfilter.filters.filter(0).param=.*
globalalertfilter.filters.filter(0).paramregex=true
globalalertfilter.filters.filter(0).enabled=true

globalalertfilter.filters.filter(1).ruleid=10021
globalalertfilter.filters.filter(1).newrisk=-1
globalalertfilter.filters.filter(1).url=https?://.*/swagger/.*
globalalertfilter.filters.filter(1).urlregex=true
globalalertfilter.filters.filter(1).param=.*
globalalertfilter.filters.filter(1).paramregex=true
globalalertfilter.filters.filter(1).enabled=true
```

In report_empty_instances.log you can see that the <instances> are simply empty for both 10015 and 10021.
However, in report_2.log, which is related to a whole new URL (so a different app), it seems the URL is added for 10015, not once but twice: once as a false positive and once as a regular alert.
Basically, my questions:
  * Why aren't other URLs added as instances, since on this host the Cache-control header is not present for all URLs, not just one?
  * Why is it marked as False positive since it doesn't match the alert filter?
  * For empty instances, could the cause be that the OpenAPI URL (swagger, which is also excluded with alert filters) is loaded first, and because it's also globally excluded it's not appearing anywhere?

Thank you
report_2.log
report_empty_instances.log
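The two symptoms described in this post (rules whose <instances> are empty, and one URI listed for the same rule both as a False Positive and as a regular alert) can be checked mechanically over ZAP's traditional XML report. The following is an added triage script, not code from the poster or from the ZAP project; the report snippet is constructed in the report's layout rather than taken from the attached logs, and it assumes ZAP's confidence value 0 means False Positive and applies the poster's alert-filter URL regex as a full match.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of ZAP's traditional XML report (not the
# poster's attached logs): 10021 has empty <instances>; 10015 lists one URI
# twice, once with confidence 0 (ZAP's False Positive) and once as a live alert.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.11.0" generated="Fri, 19 Nov 2021 09:00:00">
 <site name="https://api.example.test" host="api.example.test" port="443" ssl="true">
  <alerts>
   <alertitem><pluginid>10021</pluginid><riskcode>1</riskcode><confidence>2</confidence>
    <instances></instances></alertitem>
   <alertitem><pluginid>10015</pluginid><riskcode>1</riskcode><confidence>0</confidence>
    <instances><instance><uri>https://api.example.test/v1/items</uri>
    <method>GET</method></instance></instances></alertitem>
   <alertitem><pluginid>10015</pluginid><riskcode>1</riskcode><confidence>2</confidence>
    <instances><instance><uri>https://api.example.test/v1/items</uri>
    <method>GET</method></instance></instances></alertitem>
  </alerts>
 </site>
</OWASPZAPReport>"""

# The poster's alert-filter URL regex; applied here as a full match (assumption).
FILTER_URL_REGEX = re.compile(r"https?://.*/swagger/.*")


def audit_report(xml_text, plugin_ids=("10015", "10021"), url_filter=FILTER_URL_REGEX):
    """Flag rules with no instances, URIs reported both as False Positive
    (confidence 0) and as a live alert, and false positives whose URI does
    not match the alert-filter regex that was supposed to produce them."""
    root = ET.fromstring(xml_text)
    findings = {"empty_instances": [], "duplicate_uri": [], "fp_not_matching_filter": []}
    seen = {}  # (pluginid, uri) -> set of confidence values seen for that pair
    for item in root.iter("alertitem"):
        pid = item.findtext("pluginid")
        if pid not in plugin_ids:
            continue
        conf = int(item.findtext("confidence", "-1"))
        uris = [u.text for u in item.iter("uri") if u.text]
        if not uris:
            findings["empty_instances"].append(pid)
        for uri in uris:
            seen.setdefault((pid, uri), set()).add(conf)
            if conf == 0 and not url_filter.fullmatch(uri):
                findings["fp_not_matching_filter"].append((pid, uri))
    for (pid, uri), confs in seen.items():
        if 0 in confs and confs - {0}:  # same URI as FP and as a real alert
            findings["duplicate_uri"].append((pid, uri))
    return findings
```

Run it against the exported report (`audit_report(open("report.xml").read())`); a non-empty `fp_not_matching_filter` list is the same mismatch the post describes, a URI demoted to False Positive although the filter regex does not cover it.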