From 2b76e850a51af2ebb9b02f55b92c9a96aa7c634d Mon Sep 17 00:00:00 2001 
From: jelly Date: Thu, 28 May 2026 13:02:16 -0400 Subject: [PATCH] Testes Realizados sem Firewall --- .../APi&test/2026-05-28-ZAP-Report-.html | 2588 +++++++++++++++ .../APi&test/normalize/LICENSE.md | 21 + .../APi&test/normalize/normalize.css | 349 ++ .../APi&test/themes/original/colors.css | 139 + .../APi&test/themes/original/main.css | 417 +++ TestesRealizados1/APi&test/zap32x32.png | Bin 0 -> 1933 bytes TestesRealizados1/DEVCICD-/DEVCICD-.html | 1913 +++++++++++ .../DEVCICD-/normalize/LICENSE.md | 21 + .../DEVCICD-/normalize/normalize.css | 349 ++ .../DEVCICD-/themes/original/colors.css | 139 + .../DEVCICD-/themes/original/main.css | 417 +++ TestesRealizados1/DEVCICD-/zap32x32.png | Bin 0 -> 1933 bytes .../Default^Policy/Default^Policy.html | 2919 +++++++++++++++++ .../Default^Policy/normalize/LICENSE.md | 21 + .../Default^Policy/normalize/normalize.css | 349 ++ .../Default^Policy/themes/original/colors.css | 139 + .../Default^Policy/themes/original/main.css | 417 +++ TestesRealizados1/Default^Policy/zap32x32.png | Bin 0 -> 1933 bytes TestesRealizados1/Dev&Full/Dev&Full.html | 1896 +++++++++++ .../Dev&Full/normalize/LICENSE.md | 21 + .../Dev&Full/normalize/normalize.css | 349 ++ .../Dev&Full/themes/original/colors.css | 139 + .../Dev&Full/themes/original/main.css | 417 +++ TestesRealizados1/Dev&Full/zap32x32.png | Bin 0 -> 1933 bytes .../Dev&Standard/Dev&Standard.html | 2645 +++++++++++++++ .../Dev&Standard/normalize/LICENSE.md | 21 + .../Dev&Standard/normalize/normalize.css | 349 ++ .../Dev&Standard/themes/original/colors.css | 139 + .../Dev&Standard/themes/original/main.css | 417 +++ TestesRealizados1/Dev&Standard/zap32x32.png | Bin 0 -> 1933 bytes TestesRealizados1/Pen&Test/Pen&Test.html | 2794 ++++++++++++++++ .../Pen&Test/normalize/LICENSE.md | 21 + .../Pen&Test/normalize/normalize.css | 349 ++ .../Pen&Test/themes/original/colors.css | 139 + .../Pen&Test/themes/original/main.css | 417 +++ TestesRealizados1/Pen&Test/zap32x32.png | Bin 0 -> 1933 bytes 
TestesRealizados1/QA&CICD/QA&CICD.html | 1896 +++++++++++ .../QA&CICD/normalize/LICENSE.md | 21 + .../QA&CICD/normalize/normalize.css | 349 ++ .../QA&CICD/themes/original/colors.css | 139 + .../QA&CICD/themes/original/main.css | 417 +++ TestesRealizados1/QA&CICD/zap32x32.png | Bin 0 -> 1933 bytes TestesRealizados1/QA&Full/QA&Full.html | 2609 +++++++++++++++ .../QA&Full/normalize/LICENSE.md | 21 + .../QA&Full/normalize/normalize.css | 349 ++ .../QA&Full/themes/original/colors.css | 139 + .../QA&Full/themes/original/main.css | 417 +++ TestesRealizados1/QA&Full/zap32x32.png | Bin 0 -> 1933 bytes .../QA&Standard/QA&Standard.html | 2768 ++++++++++++++++ .../QA&Standard/normalize/LICENSE.md | 21 + .../QA&Standard/normalize/normalize.css | 349 ++ .../QA&Standard/themes/original/colors.css | 139 + .../QA&Standard/themes/original/main.css | 417 +++ TestesRealizados1/QA&Standard/zap32x32.png | Bin 0 -> 1933 bytes TestesRealizados1/Squeence/Squeence.html | 2624 +++++++++++++++ .../Squeence/normalize/LICENSE.md | 21 + .../Squeence/normalize/normalize.css | 349 ++ .../Squeence/themes/original/colors.css | 139 + .../Squeence/themes/original/main.css | 417 +++ TestesRealizados1/Squeence/zap32x32.png | Bin 0 -> 1933 bytes 60 files changed, 33912 insertions(+) create mode 100644 TestesRealizados1/APi&test/2026-05-28-ZAP-Report-.html create mode 100644 TestesRealizados1/APi&test/normalize/LICENSE.md create mode 100644 TestesRealizados1/APi&test/normalize/normalize.css create mode 100644 TestesRealizados1/APi&test/themes/original/colors.css create mode 100644 TestesRealizados1/APi&test/themes/original/main.css create mode 100644 TestesRealizados1/APi&test/zap32x32.png create mode 100644 TestesRealizados1/DEVCICD-/DEVCICD-.html create mode 100644 TestesRealizados1/DEVCICD-/normalize/LICENSE.md create mode 100644 TestesRealizados1/DEVCICD-/normalize/normalize.css create mode 100644 TestesRealizados1/DEVCICD-/themes/original/colors.css create mode 100644 
TestesRealizados1/DEVCICD-/themes/original/main.css create mode 100644 TestesRealizados1/DEVCICD-/zap32x32.png create mode 100644 TestesRealizados1/Default^Policy/Default^Policy.html create mode 100644 TestesRealizados1/Default^Policy/normalize/LICENSE.md create mode 100644 TestesRealizados1/Default^Policy/normalize/normalize.css create mode 100644 TestesRealizados1/Default^Policy/themes/original/colors.css create mode 100644 TestesRealizados1/Default^Policy/themes/original/main.css create mode 100644 TestesRealizados1/Default^Policy/zap32x32.png create mode 100644 TestesRealizados1/Dev&Full/Dev&Full.html create mode 100644 TestesRealizados1/Dev&Full/normalize/LICENSE.md create mode 100644 TestesRealizados1/Dev&Full/normalize/normalize.css create mode 100644 TestesRealizados1/Dev&Full/themes/original/colors.css create mode 100644 TestesRealizados1/Dev&Full/themes/original/main.css create mode 100644 TestesRealizados1/Dev&Full/zap32x32.png create mode 100644 TestesRealizados1/Dev&Standard/Dev&Standard.html create mode 100644 TestesRealizados1/Dev&Standard/normalize/LICENSE.md create mode 100644 TestesRealizados1/Dev&Standard/normalize/normalize.css create mode 100644 TestesRealizados1/Dev&Standard/themes/original/colors.css create mode 100644 TestesRealizados1/Dev&Standard/themes/original/main.css create mode 100644 TestesRealizados1/Dev&Standard/zap32x32.png create mode 100644 TestesRealizados1/Pen&Test/Pen&Test.html create mode 100644 TestesRealizados1/Pen&Test/normalize/LICENSE.md create mode 100644 TestesRealizados1/Pen&Test/normalize/normalize.css create mode 100644 TestesRealizados1/Pen&Test/themes/original/colors.css create mode 100644 TestesRealizados1/Pen&Test/themes/original/main.css create mode 100644 TestesRealizados1/Pen&Test/zap32x32.png create mode 100644 TestesRealizados1/QA&CICD/QA&CICD.html create mode 100644 TestesRealizados1/QA&CICD/normalize/LICENSE.md create mode 100644 TestesRealizados1/QA&CICD/normalize/normalize.css create mode 100644 
TestesRealizados1/QA&CICD/themes/original/colors.css create mode 100644 TestesRealizados1/QA&CICD/themes/original/main.css create mode 100644 TestesRealizados1/QA&CICD/zap32x32.png create mode 100644 TestesRealizados1/QA&Full/QA&Full.html create mode 100644 TestesRealizados1/QA&Full/normalize/LICENSE.md create mode 100644 TestesRealizados1/QA&Full/normalize/normalize.css create mode 100644 TestesRealizados1/QA&Full/themes/original/colors.css create mode 100644 TestesRealizados1/QA&Full/themes/original/main.css create mode 100644 TestesRealizados1/QA&Full/zap32x32.png create mode 100644 TestesRealizados1/QA&Standard/QA&Standard.html create mode 100644 TestesRealizados1/QA&Standard/normalize/LICENSE.md create mode 100644 TestesRealizados1/QA&Standard/normalize/normalize.css create mode 100644 TestesRealizados1/QA&Standard/themes/original/colors.css create mode 100644 TestesRealizados1/QA&Standard/themes/original/main.css create mode 100644 TestesRealizados1/QA&Standard/zap32x32.png create mode 100644 TestesRealizados1/Squeence/Squeence.html create mode 100644 TestesRealizados1/Squeence/normalize/LICENSE.md create mode 100644 TestesRealizados1/Squeence/normalize/normalize.css create mode 100644 TestesRealizados1/Squeence/themes/original/colors.css create mode 100644 TestesRealizados1/Squeence/themes/original/main.css create mode 100644 TestesRealizados1/Squeence/zap32x32.png
diff --git a/TestesRealizados1/APi&test/2026-05-28-ZAP-Report-.html b/TestesRealizados1/APi&test/2026-05-28-ZAP-Report-.html
new file mode 100644
index 0000000..4d5e8a5
--- /dev/null
+++ b/TestesRealizados1/APi&test/2026-05-28-ZAP-Report-.html
@@ -0,0 +1,2588 @@
+ + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 05:57:47 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(11.1%)
1
(11.1%)
Medium0
(0.0%)
2
(22.2%)
2
(22.2%)
0
(0.0%)
4
(44.4%)
Low0
(0.0%)
0
(0.0%)
2
(22.2%)
1
(11.1%)
3
(33.3%)
Informational0
(0.0%)
0
(0.0%)
1
(11.1%)
0
(0.0%)
1
(11.1%)
Total0
(0.0%)
2
(22.2%)
5
(55.6%)
2
(22.2%)
9
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
4
(5)
3
(8)
1
(9)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(11.1%)
Content Security Policy (CSP) Header Not SetMedium5
(55.6%)
Cross-Domain MisconfigurationMedium5
(55.6%)
Missing Anti-clickjacking HeaderMedium1
(11.1%)
Session ID in URL RewriteMedium3
(33.3%)
Private IP DisclosureLow1
(11.1%)
Timestamp Disclosure - UnixLow5
(55.6%)
X-Content-Type-Options Header MissingLow3
(33.3%)
Modern Web ApplicationInformational5
(55.6%)
Total9
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
87
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
143
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
68
+
+
Info
+
+
Informational
+
+
+
+
Percentage of network failures
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
94 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 3xx
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
9 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
6 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
65 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
97 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
172
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
86 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (307 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 09:48:57 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 09:18:51 GMT
          +ETag: W/"26af-19e6de122e4"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 09:42:12 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Session ID in URL Rewrite (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvj-0KR&sid=8rzOcX52vIafWzc-AAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

          +
          Request
          + Request line and header section (317 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvj-0KR&sid=8rzOcX52vIafWzc-AAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (231 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 612
          +Date: Thu, 28 May 2026 09:43:56 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (612 bytes) + +
          40{"sid":"aGJN2cCfVJBb4F-hAAAB"}42["server started"]42["challenge solved",{"key":"directoryListingChallenge","name":"Confidential Document","challenge":"Confidential Document (Access a confidential document.)","flag":"8d2072c6b0a455608ca1a293dc0c9579883fc6a5","hidden":false,"isRestore":false,"codingChallenge":true}]42["challenge solved",{"key":"errorHandlingChallenge","name":"Error Handling","challenge":"Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)","flag":"9c297196ecf8890bc1e900fcf3aebae8c9f9880a","hidden":false,"isRestore":false,"codingChallenge":false}]
          + + +
          Parameter
          sid
          Evidence
          8rzOcX52vIafWzc-AAAA
          Solution +

          For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/robots.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (239 bytes) + +
          GET http://20.60.0.1:3000/robots.txt HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (378 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: text/plain; charset=utf-8
          +Content-Length: 28
          +ETag: W/"1c-8HgF6mNyhsSFK0pascC9uB0wjX0"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 09:42:12 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (28 bytes) + +
          User-agent: *
          +Disallow: /ftp
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Missing Anti-clickjacking Header (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvj-0KI&sid=8rzOcX52vIafWzc-AAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvj-0KI&sid=8rzOcX52vIafWzc-AAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 09:43:56 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          x-frame-options
          Solution +

          Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

          + +

          If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  6. + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Private IP Disclosure (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/admin/application-configuration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

          +
          Other info +

          192.168.99.100:3000

          + +

          192.168.99.100:4200

          +
          Request
          + Request line and header section (314 bytes) + +
          GET http://20.60.0.1:3000/rest/admin/application-configuration HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (389 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 23513
          +ETag: W/"5bd9-reVonwE2GOcMzw2LpzIkSqyB2OE"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 09:43:49 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (23513 bytes) + +
          {"config":{"server":{"port":3000,"basePath":"","baseUrl":"http://localhost:3000"},"application":{"domain":"juice-sh.op","name":"OWASP Juice Shop","logo":"JuiceShop_Logo.png","favicon":"favicon_js.ico","theme":"bluegrey-lightgreen","showVersionNumber":true,"showGitHubLinks":true,"localBackupEnabled":true,"numberOfRandomFakeUsers":0,"altcoinName":"Juicycoin","privacyContactEmail":"donotreply@owasp-juice.shop","customMetricsPrefix":"juiceshop","chatBot":{"name":"Juicy the Smart Assistant","avatar":"JuicyChatBot.png","model":"gemma4:e4b","llmMaxRetries":2,"sampleQuestions":["CHATBOT_PROMPT_RECOMMENDATION_SUMMER_PARTY","CHATBOT_PROMPT_RECOMMENDATION_POPULAR","CHATBOT_PROMPT_RECOMMENDATION_SUGAR_FREE","CHATBOT_PROMPT_RECOMMENDATION_START_DAY","CHATBOT_PROMPT_RECOMMENDATION_SEASONAL"]},"social":{"blueSkyUrl":"https://bsky.app/profile/owasp-juice.shop","mastodonUrl":"https://fosstodon.org/@owasp_juiceshop","twitterUrl":"https://twitter.com/owasp_juiceshop","facebookUrl":"https://www.facebook.com/owasp.juiceshop","slackUrl":"https://owasp.org/slack/invite","redditUrl":"https://www.reddit.com/r/owasp_juiceshop","pressKitUrl":"https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop","nftUrl":"https://opensea.io/collection/juice-shop","questionnaireUrl":null},"recyclePage":{"topProductImage":"fruit_press.jpg","bottomProductImage":"apple_pressings.jpg"},"welcomeBanner":{"showOnFirstStart":true,"title":"Welcome to OWASP Juice Shop!","message":"<p>Being a web application with a vast number of intended security vulnerabilities, the <strong>OWASP Juice Shop</strong> is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. 
The <strong>OWASP Juice Shop</strong> is an open-source project hosted by the non-profit <a href='https://owasp.org' target='_blank'>Open Worldwide Application Security Project (OWASP)</a> and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.</p><h1><a href='https://owasp-juice.shop' target='_blank'>https://owasp-juice.shop</a></h1>"},"cookieConsent":{"message":"This website uses fruit cookies to ensure you get the juiciest tracking experience.","dismissText":"Me want it!","linkText":"But me wait!","linkUrl":"https://www.youtube.com/watch?v=9PnbKL3wuH4"},"securityTxt":{"contact":"mailto:donotreply@owasp-juice.shop","encryption":"https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda","acknowledgements":"/#/score-board","hiring":"/#/jobs","csaf":"/.well-known/csaf/provider-metadata.json"},"promotion":{"video":"owasp_promo.mp4","subtitles":"owasp_promo.vtt"},"easterEggPlanet":{"name":"Orangeuze","overlayMap":"orangemap2k.avif"},"googleOauth":{"clientId":"1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq.apps.googleusercontent.com","authorizedRedirects":[{"uri":"https://demo.owasp-juice.shop"},{"uri":"https://juice-shop.herokuapp.com"},{"uri":"https://preview.owasp-juice.shop"},{"uri":"https://juice-shop-staging.herokuapp.com"},{"uri":"https://juice-shop.wtf"},{"uri":"http://localhost:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://127.0.0.1:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://localhost:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://127.0.0.1:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://192.168.99.100:3000","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://192.168.99.100:4200","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:3000","proxy":"https://localchromeos.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:4
200","proxy":"https://localchromeos.owasp-juice.shop"}]}},"challenges":{"showSolvedNotifications":true,"showHints":true,"showMitigations":true,"codingChallengesEnabled":"solved","restrictToTutorialsFirst":false,"overwriteUrlForProductTamperingChallenge":"https://owasp.slack.com","xssBonusPayload":"<iframe width=\"100%\" height=\"166\" scrolling=\"no\" frameborder=\"no\" allow=\"autoplay\" src=\"https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true\"></iframe>","safetyMode":"auto","csafHashValue":"7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843","metricsIgnoredUserAgents":["Prometheus","Alloy","promscrape","otelcol"]},"hackingInstructor":{"isEnabled":true,"avatarImage":"JuicyBot.png","hintPlaybackSpeed":"normal"},"products":[{"name":"Apple Juice (1000ml)","price":1.99,"deluxePrice":0.99,"limitPerUser":5,"description":"The all-time classic.","image":"apple_juice.jpg","reviews":[{"text":"One of my favorites!","author":"admin"},{"text":"Great! We'll have an apple party. Everyone brings an apple and - STUFFS IT DOWN EACH OTHER'S THROAT!","author":"basil"}]},{"name":"Orange Juice (1000ml)","description":"Made from oranges hand-picked by Uncle Dittmeyer.","price":2.99,"deluxePrice":2.49,"image":"orange_juice.jpg","reviews":[{"text":"y0ur f1r3wall needs m0r3 musc13","author":"uvogin"}]},{"name":"Eggfruit Juice (500ml)","description":"Now with even more exotic flavour.","price":8.99,"image":"eggfruit_juice.jpg","reviews":[{"text":"I bought it, would buy again. 
5/7","author":"admin"}]},{"name":"Raspberry Juice (1000ml)","description":"Made from blended Raspberry Pi, water and sugar.","price":4.99,"image":"raspberry_juice.jpg"},{"name":"Lemon Juice (500ml)","description":"Sour but full of vitamins.","price":2.99,"deluxePrice":1.99,"limitPerUser":5,"image":"lemon_juice.jpg"},{"name":"Banana Juice (1000ml)","description":"Monkeys love it the most.","price":1.99,"image":"banana_juice.jpg","reviews":[{"text":"Fry liked it too.","author":"bender"}]},{"name":"OWASP Juice Shop T-Shirt","description":"Real fans wear it 24/7!","price":22.49,"limitPerUser":5,"image":"fan_shirt.jpg"},{"name":"OWASP Juice Shop CTF Girlie-Shirt","description":"For serious Capture-the-Flag heroines only!","price":22.49,"image":"fan_girlie.jpg"},{"name":"OWASP SSL Advanced Forensic Tool (O-Saft)","description":"O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.","price":0.01,"image":"orange_juice.jpg","urlForProductTamperingChallenge":"https://www.owasp.org/index.php/O-Saft"},{"name":"Christmas Super-Surprise-Box (2014 Edition)","description":"Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!","price":29.99,"image":"undefined.jpg","useForChristmasSpecialChallenge":true},{"name":"Rippertuer Special Juice","description":"Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span>","price":16.99,"image":"undefined.jpg","keywordsForPastebinDataLeakChallenge":["hueteroneel","eurogium edule"]},{"name":"OWASP Juice Shop Sticker (2015/2016 design)","description":"Die-cut sticker with the official 2015/2016 logo. 
By now this is a rare collectors item. <em>Out of stock!</em>","price":999.99,"image":"sticker.png","deletedDate":"2017-04-28"},{"name":"OWASP Juice Shop Iron-Ons (16pcs)","description":"Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!","price":14.99,"image":"iron-on.jpg"},{"name":"OWASP Juice Shop Magnets (16pcs)","description":"Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!","price":15.99,"image":"magnets.jpg"},{"name":"OWASP Juice Shop Sticker Page","description":"Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.","price":9.99,"image":"sticker_page.jpg"},{"name":"OWASP Juice Shop Sticker Single","description":"Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!","price":4.99,"image":"sticker_single.jpg"},{"name":"OWASP Juice Shop Temporary Tattoos (16pcs)","description":"Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! 
Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!","price":14.99,"image":"tattoo.jpg","reviews":[{"text":"I straight-up gots nuff props fo'these tattoos!","author":"rapper"}]},{"name":"OWASP Juice Shop Mug","description":"Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!","price":21.99,"image":"fan_mug.jpg"},{"name":"OWASP Juice Shop Hoodie","description":"Mr. Robot-style apparel. But in black. And with logo.","price":49.99,"image":"fan_hoodie.jpg"},{"name":"OWASP Juice Shop-CTF Velcro Patch","description":"4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!","price":2.92,"quantity":5,"limitPerUser":5,"image":"velcro-patch.jpg","reviews":[{"text":"This thang would look phat on Bobby's jacked fur coat!","author":"rapper"},{"text":"Looks so much better on my uniform than the boring Starfleet symbol.","author":"jim"}]},{"name":"Woodruff Syrup \"Forest Master X-Treme\"","description":"Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.","price":6.99,"image":"woodruff_syrup.jpg"},{"name":"Green Smoothie","description":"Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.","price":1.99,"image":"green_smoothie.jpg","reviews":[{"text":"Fresh out of a replicator.","author":"jim"}]},{"name":"Quince Juice (1000ml)","description":"Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.","price":4.99,"image":"quince.jpg"},{"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"limitPerUser":5,"image":"apple_pressings.jpg"},{"name":"Fruit Press","description":"Fruits go in. 
Juice comes out. Pomace you can send back to us for recycling purposes.","price":89.99,"image":"fruit_press.jpg"},{"name":"OWASP Juice Shop Logo (3D-printed)","description":"This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.","price":99.99,"image":"3d_keychain.jpg","fileForRetrieveBlueprintChallenge":"JuiceShop.stl","exifForBlueprintChallenge":["OpenSCAD"]},{"name":"Juice Shop Artwork","description":"Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.","price":278.74,"quantity":0,"image":"artwork.jpg","deletedDate":"2020-12-24"},{"name":"Global OWASP WASPY Award 2017 Nomination","description":"Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>","price":0.03,"image":"waspy.png","deletedDate":"2017-07-01"},{"name":"Strawberry Juice (500ml)","description":"Sweet & tasty!","price":3.99,"image":"strawberry_juice.jpeg"},{"name":"Carrot Juice (1000ml)","description":"As the old German saying goes: \"Carrots are good for the eyes. 
Or has anyone ever seen a rabbit with glasses?\"","price":2.99,"image":"carrot_juice.jpeg","reviews":[{"text":"0 st4rs f0r 7h3 h0rr1bl3 s3cur17y","author":"uvogin"}]},{"name":"OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)","description":"10 sheets of Sweden-themed stickers with 15 stickers on each.","price":19.1,"image":"stickersheet_se.png","deletedDate":"2017-09-20"},{"name":"Pwning OWASP Juice Shop","description":"<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!","price":5.99,"image":"cover_small.jpg","reviews":[{"text":"Even more interesting than watching Interdimensional Cable!","author":"morty"}]},{"name":"Melon Bike (Comeback-Product 2018 Edition)","description":"The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.","price":2999,"quantity":3,"limitPerUser":1,"image":"melon_bike.jpeg"},{"name":"OWASP Juice Shop Coaster (10pcs)","description":"Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.","price":19.99,"quantity":0,"image":"coaster.jpg"},{"name":"OWASP Snakes and Ladders - Web Applications","description":"This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!","price":0.01,"quantity":8,"image":"snakes_ladders.jpg","reviews":[{"text":"Wait for a 10$ Steam sale of Tabletop Simulator!","author":"bjoernOwasp"}]},{"name":"OWASP Snakes and Ladders - Mobile Apps","description":"This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> 
now!","price":0.01,"quantity":0,"image":"snakes_ladders_m.jpg","reviews":[{"text":"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!","author":"rapper"}]},{"name":"OWASP Juice Shop Holographic Sticker","description":"Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!","price":2,"quantity":0,"image":"holo_sticker.png","reviews":[{"text":"Rad, dude!","author":"rapper"},{"text":"Looks spacy on Bones' new tricorder!","author":"jim"},{"text":"Will put one on the Planet Express ship's bumper!","author":"bender"}]},{"name":"OWASP Juice Shop \"King of the Hill\" Facemask","description":"Facemask with compartment for filter from 50% cotton and 50% polyester.","price":13.49,"quantity":0,"limitPerUser":1,"image":"fan_facemask.jpg","reviews":[{"text":"K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!","author":"uvogin"},{"text":"Puny mask for puny human weaklings!","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Common)","description":"Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":2.99,"deluxePrice":0.99,"deletedDate":"2020-11-30","limitPerUser":5,"image":"ccg_common.png","reviews":[{"text":"Ooooh, puny human playing Mau Mau, now?","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Super Rare)","description":"Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":99.99,"deluxePrice":69.99,"deletedDate":"2020-11-30","quantity":2,"limitPerUser":1,"image":"ccg_foil.png","reviews":[{"text":"Mau Mau with bling-bling? 
Humans are so pathetic!","author":"bender"}]},{"name":"Juice Shop \"Permafrost\" 2020 Edition","description":"Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.","price":9999.99,"quantity":1,"limitPerUser":1,"image":"permafrost.jpg","reviews":[{"text":"🧊 Let it go, let it go 🎶 Can't hold it back anymore 🎶 Let it go, let it go 🎶 Turn away and slam the door ❄️","author":"rapper"}]},{"name":"Best Juice Shop Salesman Artwork","description":"Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.","price":5000,"quantity":1,"image":"artwork2.jpg","reviews":[{"text":"I'd stand on my head to make you a deal for this piece of art.","author":"stan"},{"text":"Just when my opinion of humans couldn't get any lower, along comes Stan...","author":"bender"}]},{"name":"OWASP Juice Shop Card (non-foil)","description":"Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!","price":1000,"quantity":3,"limitPerUser":1,"image":"card_alpha.jpg","reviews":[{"text":"DO NOT PLAY WITH THIS! 
Double-sleeve, then put it in the GitHub Arctic Vault for perfect preservation and boost of secondary market value!","author":"accountant"}]},{"name":"20th Anniversary Celebration Ticket","description":"Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!","price":1e-20,"deletedDate":"2021-09-25","limitPerUser":1,"image":"20th.jpeg","reviews":[{"text":"I'll be there! Will you, too?","author":"bjoernOwasp"}]},{"name":"OWASP Juice Shop LEGO™ Tower","description":"Want to host a Juice Shop CTF in style? Build <a href=\"https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/lego/OWASP%20JuiceShop%20Pi-server%201.2.pdf\" target=\"_blank\">your own LEGO™ tower</a> which holds four Raspberry Pi 4 models with PoE HAT modules <a href=\"https://github.com/juice-shop/multi-juicer/blob/main/guides/raspberry-pi/raspberry-pi.md\" target=\"_blank\">running a MultiJuicer Kubernetes cluster</a>! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!","price":799,"quantity":3,"limitPerUser":1,"image":"lego_case.jpg","reviews":[{"text":"Check out the /#/photo-wall for some impressions of the assembly process!","author":"bjoernOwasp"}]},{"name":"DSOMM & Juice Shop User Day Ticket","description":"You are going to the OWASP Global AppSec San Francisco 2024? <a href=\"https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707\" target=\"_blank\">Get a ticket<sup>*</sup></a> for this amazing side event as well! 
Check the juice-packed agenda <a href=\"https://owasp.org/www-project-juice-shop/#div-userday2024\" target=\"_blank\">here</a> for all the details!<br><br><small><small><sup>*</sup>=scroll down to <strong>Elevate: DSOMM and Juice Shop User Day (Sept. 25)</strong> after clicking <em>Get Tickets</em> on Eventbrite. Ticket price set to only covers fees for room, AV, and catering throughout the day.</small></small>","price":55.2,"deletedDate":"2024-09-26","limitPerUser":1,"image":"user_day_ticket.png","reviews":[{"text":"The DSOMM Live Assessment session will even use Juice Shop as its \"real-world\" example!","author":"timo"},{"text":"We will showcase the amazing MultiJuicer Lego Tower at this event!","author":"jannik"}]},{"name":"Pineapple Juice (1000ml)","description":"Tropical refreshment from the finest sun-ripened pineapples.","price":2.99,"image":"pineapple_juice.png"},{"name":"Melon Juice (1000ml)","description":"Refreshing and sweet juice made from ripe melons.","price":2.49,"image":"melon_juice.png"},{"name":"Grape Juice (1000ml)","description":"Deep purple and full of antioxidants from selected grapes.","price":2.99,"image":"grape_juice.png"},{"name":"Dragonfruit Juice (500ml)","description":"Exotic and vibrant juice made from dragonfruit.","price":3.99,"image":"dragonfruit_juice.png"},{"name":"Berry Juice (1000ml)","description":"A delicious blend of fresh forest berries.","price":3.49,"image":"berry_juice.png"},{"name":"Basil Smoothie","description":"A unique blend of fresh basil and ginger for a healthy kick.","price":2.99,"image":"basil_smoothie.png","reviews":[{"text":"(ง'̀-'́)ง","author":"basil"}]},{"name":"Bragă (500ml)","description":"Traditional Balkan drink made from fermented millet. Lightly sweet-sour, refreshing, and naturally energizing.","price":2.49,"image":"braga.jpg"},{"name":"Elderflower Cordial (500ml)","description":"Floral and fragrant soft drink made from elderflowers. 
Traditionally enjoyed chilled.","price":3.29,"image":"elderflower_cordial.jpg"},{"name":"Sea Buckthorn Juice (500ml)","description":"Tangy and slightly sour juice, extremely rich in Vitamin C and antioxidants.","price":3.99,"image":"sea_buckthorn_juice.jpg"},{"name":"Pomegranate Drink (500ml)","description":"A sweet and tart refreshment inspired by classic grenadine flavors.","price":4.49,"image":"pomegranate_drink.jpg"}],"memories":[{"image":"magn(et)ificent!-1571814229653.jpg","caption":"Magn(et)ificent!","user":"bjoernGoogle"},{"image":"my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg","caption":"My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]","user":"bjoernGoogle"},{"image":"favorite-hiking-place.png","caption":"I love going hiking here...","geoStalkingMetaSecurityQuestion":14,"geoStalkingMetaSecurityAnswer":"Daniel Boone National Forest"},{"image":"IMG_4253.jpg","caption":"My old workplace...","geoStalkingVisualSecurityQuestion":10,"geoStalkingVisualSecurityAnswer":"ITsec"},{"image":"BeeHaven.png","caption":"Welcome to the Bee Haven (/#/bee-haven)🐝","user":"evm"},{"image":"sorted-the-pieces,-starting-assembly-process-1721152307290.jpg","caption":"Sorted the pieces, starting assembly process...","user":"bjoernOwasp"},{"image":"building-something-literally-bottom-up-1721152342603.jpg","caption":"Building something literally bottom up...","user":"bjoernOwasp"},{"image":"putting-in-the-hardware-1721152366854.jpg","caption":"Putting in the hardware...","user":"bjoernOwasp"},{"image":"everything-up-and-running!-1721152385146.jpg","caption":"Everything up and running!","user":"bjoernOwasp"}],"ctf":{"showFlagsInNotifications":false,"showCountryDetailsInNotifications":"none","countryMapping":null,"systemWideNotifications":{"url":null,"pollFrequencySeconds":null}}}}
          + + +
          Evidence
          192.168.99.100:3000
          Solution +

          Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + X-Content-Type-Options Header Missing (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvjzzFj + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          +
          Other info +

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          + +

          At "High" threshold this scan rule will not alert on client or server error responses.

          +
          Request
          + Request line and header section (292 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvjzzFj HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 96
          +Date: Thu, 28 May 2026 09:43:44 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (96 bytes) + +
          0{"sid":"8rzOcX52vIafWzc-AAAA","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}
          + + +
          Parameter
          x-content-type-options
          Solution +

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          + +

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  8. + +
  9. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 09:18:51 GMT
          +ETag: W/"26af-19e6de122e4"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 09:42:12 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + + + + +
  11. +

    + Risk=Informational, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 09:18:51 GMT
          +ETag: W/"26af-19e6de122e4"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 09:42:12 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  12. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Missing Anti-clickjacking Header

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Anti-clickjacking Header) + +
    CWE ID1021
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    2. +
    +
    +
  8. +
  9. +

    Session ID in URL Rewrite

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session ID in URL Rewrite) + +
    CWE ID598
    WASC ID13
    Reference +
      +
    1. https://seclists.org/webappsec/2002/q4/111
    2. +
    +
    +
  10. +
  11. +

    Private IP Disclosure

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Private IP Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://datatracker.ietf.org/doc/html/rfc1918
    2. +
    +
    +
  12. +
  13. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  14. +
  15. +

    X-Content-Type-Options Header Missing

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (X-Content-Type-Options Header Missing) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. +
    3. https://owasp.org/www-community/Security_Headers
    4. +
    +
    +
  16. +
  17. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  18. +
+
+
+ +
+ + + + +
diff --git a/TestesRealizados1/APi&test/normalize/LICENSE.md b/TestesRealizados1/APi&test/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/APi&test/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/APi&test/normalize/normalize.css b/TestesRealizados1/APi&test/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/APi&test/normalize/normalize.css
@@ -0,0 +1,349 @@
+/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */
+
+/* Document
+ ========================================================================== */
+
+/**
+ * 1. Correct the line height in all browsers.
+ * 2. Prevent adjustments of font size after orientation changes in iOS.
+ */
+
+html {
+ line-height: 1.15; /* 1 */
+ -webkit-text-size-adjust: 100%; /* 2 */
+}
+
+/* Sections
+ ========================================================================== */
+
+/**
+ * Remove the margin in all browsers.
+ */
+
+body {
+ margin: 0;
+}
+
+/**
+ * Render the `main` element consistently in IE.
+ */
+
+main {
+ display: block;
+}
+
+/**
+ * Correct the font size and margin on `h1` elements within `section` and
+ * `article` contexts in Chrome, Firefox, and Safari.
+ */
+
+h1 {
+ font-size: 2em;
+ margin: 0.67em 0;
+}
+
+/* Grouping content
+ ========================================================================== */
+
+/**
+ * 1. Add the correct box sizing in Firefox.
+ * 2. Show the overflow in Edge and IE.
+ */
+
+hr {
+ box-sizing: content-box; /* 1 */
+ height: 0; /* 1 */
+ overflow: visible; /* 2 */
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+pre {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/* Text-level semantics
+ ========================================================================== */
+
+/**
+ * Remove the gray background on active links in IE 10.
+ */
+
+a {
+ background-color: transparent;
+}
+
+/**
+ * 1. Remove the bottom border in Chrome 57-
+ * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari.
+ */
+
+abbr[title] {
+ border-bottom: none; /* 1 */
+ text-decoration: underline; /* 2 */
+ text-decoration: underline dotted; /* 2 */
+}
+
+/**
+ * Add the correct font weight in Chrome, Edge, and Safari. 
+ */
+
+b,
+strong {
+ font-weight: bolder;
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+code,
+kbd,
+samp {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/**
+ * Add the correct font size in all browsers.
+ */
+
+small {
+ font-size: 80%;
+}
+
+/**
+ * Prevent `sub` and `sup` elements from affecting the line height in
+ * all browsers.
+ */
+
+sub,
+sup {
+ font-size: 75%;
+ line-height: 0;
+ position: relative;
+ vertical-align: baseline;
+}
+
+sub {
+ bottom: -0.25em;
+}
+
+sup {
+ top: -0.5em;
+}
+
+/* Embedded content
+ ========================================================================== */
+
+/**
+ * Remove the border on images inside links in IE 10.
+ */
+
+img {
+ border-style: none;
+}
+
+/* Forms
+ ========================================================================== */
+
+/**
+ * 1. Change the font styles in all browsers.
+ * 2. Remove the margin in Firefox and Safari.
+ */
+
+button,
+input,
+optgroup,
+select,
+textarea {
+ font-family: inherit; /* 1 */
+ font-size: 100%; /* 1 */
+ line-height: 1.15; /* 1 */
+ margin: 0; /* 2 */
+}
+
+/**
+ * Show the overflow in IE.
+ * 1. Show the overflow in Edge.
+ */
+
+button,
+input { /* 1 */
+ overflow: visible;
+}
+
+/**
+ * Remove the inheritance of text transform in Edge, Firefox, and IE.
+ * 1. Remove the inheritance of text transform in Firefox.
+ */
+
+button,
+select { /* 1 */
+ text-transform: none;
+}
+
+/**
+ * Correct the inability to style clickable types in iOS and Safari.
+ */
+
+button,
+[type="button"],
+[type="reset"],
+[type="submit"] {
+ -webkit-appearance: button;
+}
+
+/**
+ * Remove the inner border and padding in Firefox. 
+ */
+
+button::-moz-focus-inner,
+[type="button"]::-moz-focus-inner,
+[type="reset"]::-moz-focus-inner,
+[type="submit"]::-moz-focus-inner {
+ border-style: none;
+ padding: 0;
+}
+
+/**
+ * Restore the focus styles unset by the previous rule.
+ */
+
+button:-moz-focusring,
+[type="button"]:-moz-focusring,
+[type="reset"]:-moz-focusring,
+[type="submit"]:-moz-focusring {
+ outline: 1px dotted ButtonText;
+}
+
+/**
+ * Correct the padding in Firefox.
+ */
+
+fieldset {
+ padding: 0.35em 0.75em 0.625em;
+}
+
+/**
+ * 1. Correct the text wrapping in Edge and IE.
+ * 2. Correct the color inheritance from `fieldset` elements in IE.
+ * 3. Remove the padding so developers are not caught out when they zero out
+ * `fieldset` elements in all browsers.
+ */
+
+legend {
+ box-sizing: border-box; /* 1 */
+ color: inherit; /* 2 */
+ display: table; /* 1 */
+ max-width: 100%; /* 1 */
+ padding: 0; /* 3 */
+ white-space: normal; /* 1 */
+}
+
+/**
+ * Add the correct vertical alignment in Chrome, Firefox, and Opera.
+ */
+
+progress {
+ vertical-align: baseline;
+}
+
+/**
+ * Remove the default vertical scrollbar in IE 10+.
+ */
+
+textarea {
+ overflow: auto;
+}
+
+/**
+ * 1. Add the correct box sizing in IE 10.
+ * 2. Remove the padding in IE 10.
+ */
+
+[type="checkbox"],
+[type="radio"] {
+ box-sizing: border-box; /* 1 */
+ padding: 0; /* 2 */
+}
+
+/**
+ * Correct the cursor style of increment and decrement buttons in Chrome.
+ */
+
+[type="number"]::-webkit-inner-spin-button,
+[type="number"]::-webkit-outer-spin-button {
+ height: auto;
+}
+
+/**
+ * 1. Correct the odd appearance in Chrome and Safari.
+ * 2. Correct the outline style in Safari.
+ */
+
+[type="search"] {
+ -webkit-appearance: textfield; /* 1 */
+ outline-offset: -2px; /* 2 */
+}
+
+/**
+ * Remove the inner padding in Chrome and Safari on macOS.
+ */
+
+[type="search"]::-webkit-search-decoration {
+ -webkit-appearance: none;
+}
+
+/**
+ * 1. Correct the inability to style clickable types in iOS and Safari. 
+ * 2. Change font properties to `inherit` in Safari.
+ */
+
+::-webkit-file-upload-button {
+ -webkit-appearance: button; /* 1 */
+ font: inherit; /* 2 */
+}
+
+/* Interactive
+ ========================================================================== */
+
+/*
+ * Add the correct display in Edge, IE 10+, and Firefox.
+ */
+
+details {
+ display: block;
+}
+
+/*
+ * Add the correct display in all browsers.
+ */
+
+summary {
+ display: list-item;
+}
+
+/* Misc
+ ========================================================================== */
+
+/**
+ * Add the correct display in IE 10+.
+ */
+
+template {
+ display: none;
+}
+
+/**
+ * Add the correct display in IE 10.
+ */
+
+[hidden] {
+ display: none;
+}
diff --git a/TestesRealizados1/APi&test/themes/original/colors.css b/TestesRealizados1/APi&test/themes/original/colors.css
new file mode 100644
index 0000000..fd3b963
--- /dev/null
+++ b/TestesRealizados1/APi&test/themes/original/colors.css
@@ -0,0 +1,139 @@
+body {
+ background-color: #306aa0;
+ background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%);
+}
+
+main, footer {
+ background-color: #fff;
+}
+
+header {
+ background-color: #00549e;
+ color: #fff;
+}
+
+a:link {
+ color: #004380;
+}
+
+a:visited {
+ color: #770d67;
+}
+
+a:focus {
+ background-color: #ffd54d;
+}
+
+a:hover {
+ background-color: #ffd54d;
+}
+
+a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+header a:link {
+ color: #f2f7fd;
+}
+
+header a:visited {
+ color: #f2b5e9;
+}
+
+header a:focus {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:hover {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #fff6db;
+}
+
+summary:focus {
+ background-color: #ffd54d;
+}
+
+summary:hover {
+ background-color: #ffd54d;
+}
+
+summary:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+h2, h3, h4, h5, h6 {
+ color: #00549e;
+}
+
+.risk-level, .confidence-level {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left-color: #fff;
+}
+
+.alerts-table th, .alert-types-table th {
+ background-color: #306aa0;
+ color: #fff;
+}
+
+.additional-info-percentages {
+ color: #00549e;
+}
+
+.insights-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.insights-table th[scope="col"] {
+ background-color: #00549e;
+ border-left-color: #fff;
+ color: #fff;
+}
diff --git a/TestesRealizados1/APi&test/themes/original/main.css b/TestesRealizados1/APi&test/themes/original/main.css
new file mode 100644
index 0000000..050bd3f
--- /dev/null
+++ b/TestesRealizados1/APi&test/themes/original/main.css
@@ -0,0 +1,417 @@
+*, *::after, *::before {
+ box-sizing: border-box;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ margin: 0;
+ padding: 0;
+}
+
+pre, ul {
+ margin: 0;
+}
+
+ol {
+ list-style-type: none;
+}
+
+h1 {
+ font-size: 3em;
+}
+
+h2 {
+ font-size: 2em;
+}
+
+h3, h4, h5, h6 {
+ font-size: 1em;
+}
+
+html {
+ box-sizing: border-box;
+ font-family: Verdana, sans-serif;
+ line-height: 1.5;
+}
+
+body {
+ margin: 1.5em 0;
+}
+
+@media screen and (min-width: 50em) {
+ body {
+ margin: 1.5em 2ch;
+ padding: 1.5em 2ch;
+ }
+}
+
+a:active, header a:active {
+ outline-style: solid;
+}
+
+header, main {
+ margin: 0 auto;
+ max-width: 90ch;
+ padding: 1.5em 4ch;
+}
+
+header {
+ border-radius: .25em .25em 0 0;
+}
+
+main {
+ border-radius: 0 0 .25em .25em;
+}
+
+summary {
+ cursor: pointer;
+}
+
+.contents {
+ margin-top: 1.5em;
+}
+
+main > section {
+ margin-bottom: 4.5em;
+}
+
+.about-this-report > section {
+ margin-bottom: 3em;
+}
+
+.summaries section {
+ margin-bottom: 3em;
+}
+
+h2 {
+ margin-bottom: .75em;
+}
+
+h3 {
+ margin-bottom: 1.5em;
+}
+
+h4 {
+ margin-bottom: 1.5em;
+}
+
+.report-parameters--container h4 {
+ margin-top: 1.5em;
+}
+
+p {
+ margin: 1.5em 0;
+}
+
+p:first-of-type {
+ margin-top: 0;
+}
+
+p:last-of-type {
+ margin-bottom: 0;
+}
+
+.contents li, .alerts li, .alert-types > ol > li {
+ margin-top: 1.5em;
+}
+
+.alert-types h4 {
+ margin-bottom: 0;
+}
+
+a {
+ border-radius: .125em;
+}
+
+caption {
+ margin-bottom: 1.5em;
+ text-align: left;
+}
+
+code, .request-method-n-url {
+ overflow-wrap: anywhere;
+ white-space: break-spaces;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+.report-description--container, .report-parameters--container {
+ margin-left: 2ch;
+ padding: 0 2ch;
+}
+
+.about-this-report h3, .summaries h3, .appendix h3 {
+ border-bottom: .05em solid;
+}
+
+.alerts h4 {
+ text-align: center;
+}
+
+.alerts ol {
+ padding-left: 0;
+}
+
+.alerts--site-li {
+ border: .05em solid;
+ border-radius: .25em;
+ margin-left: 2ch;
+ padding: 1.5em 
3ch;
+}
+
+.contents ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 4ch;
+}
+
+.contexts-list, .sites-list {
+ list-style-type: square;
+}
+
+.risk-confidence-counts-table {
+ width: 100%;
+}
+
+.risk-confidence-counts-table tr {
+ height: 4.5em;
+}
+
+.risk-confidence-counts-table thead > tr {
+ height: 3em;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.risk-confidence-counts-table th[scope="row"] {
+ padding-right: 5%;
+}
+
+@media screen and (max-width: 50em) {
+ .risk-confidence-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.risk-confidence-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td {
+ vertical-align: top;
+}
+
+.risk-confidence-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.site-risk-counts-table {
+ width: 100%;
+}
+
+.site-risk-counts-table tr {
+ height: 4.5em;
+}
+
+.site-risk-counts-table thead > tr:first-of-type {
+ height: 3em;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.site-risk-counts-table th[scope="row"] {
+ padding-right: 1%;
+}
+
+@media screen and (max-width: 50em) {
+ 
.site-risk-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.site-risk-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table td {
+ vertical-align: top;
+}
+
+.site-risk-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.alert-type-counts-table {
+ width: 100%;
+}
+
+.alert-type-counts-table th, .alert-type-counts-table td {
+ padding: 0 1rem;
+ text-align: left;
+ vertical-align: top;
+}
+
+.alert-type-counts-table td:nth-last-of-type(2) {
+ padding-left: 1.5rem;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom: 0.05em dotted;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left: 1rem solid;
+}
+
+.alert-type-counts-table th[scope="col"]:first-of-type {
+ border-left: 0;
+}
+
+.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type {
+ text-align: right;
+}
+
+.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] {
+ font-weight: normal;
+}
+
+.alert-type-counts-table th[scope="row"], .alert-type-counts-table td {
+ padding-bottom: 1.5em;
+}
+
+.alert-type-counts-table thead > th:first-of-type {
+ width: 45%;
+}
+
+.alerts-table, .alert-types-table, .insights-table {
+ border-collapse: separate;
+ border-spacing: 2ch 1.5em;
+ width: 100%;
+}
+
+.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th {
+ 
vertical-align: top;
+}
+
+.alerts-table td, .alert-types-table td, .insights-table td {
+ overflow-wrap: anywhere;
+}
+
+.alerts-table th, .alert-types-table th, .insights-table th {
+ padding: 0 1ch;
+}
+
+.alerts-table td, .alert-types-table td {
+ padding: 0 2ch;
+}
+
+.insights-table td {
+ padding: 0 1ch;
+}
+
+.alerts-table summary {
+ margin-bottom: 1.5em;
+}
+
+.alert-tags-list {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-tags-list > li {
+ margin-top: 0;
+}
+
+.request-body, .response-body {
+ margin-top: 1.5em;
+}
+
+.request-method-n-url {
+ margin-bottom: 0;
+}
+
+.alert-types-table {
+ padding-top: 0;
+}
+
+.alert-types-table th {
+ width: 20%;
+}
+
+.alert-types-table ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-types-table li:not(:first-of-type) {
+ margin-top: 1.5em;
+}
+
+p.alert-types-intro {
+ margin-bottom: 3em;
+}
+
+.zap-logo {
+ height: 1em;
+ margin-right: .25ch;
+ width: 1em;
+}
+
+h1, h2 {
+ font-family: Georgia, serif;
+}
+
+.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages {
+ font-family: monospace, monospace;
+}
+
+.context, .site, .request-method-n-url {
+ font-family: monospace, monospace;
+}
diff --git a/TestesRealizados1/APi&test/zap32x32.png b/TestesRealizados1/APi&test/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/DEVCICD-/DEVCICD-.html b/TestesRealizados1/DEVCICD-/DEVCICD-.html new file mode 100644 index 0000000..4ff8dcd --- /dev/null +++ b/TestesRealizados1/DEVCICD-/DEVCICD-.html @@ -0,0 +1,1913 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 07:07:20 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(20.0%)
1
(20.0%)
Medium0
(0.0%)
1
(20.0%)
1
(20.0%)
0
(0.0%)
2
(40.0%)
Low0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(20.0%)
1
(20.0%)
Informational0
(0.0%)
0
(0.0%)
1
(20.0%)
0
(0.0%)
1
(20.0%)
Total0
(0.0%)
1
(20.0%)
2
(40.0%)
2
(40.0%)
5
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
2
(3)
1
(4)
1
(5)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(20.0%)
Content Security Policy (CSP) Header Not SetMedium5
(100.0%)
Cross-Domain MisconfigurationMedium5
(100.0%)
Timestamp Disclosure - UnixLow5
(100.0%)
Modern Web ApplicationInformational5
(100.0%)
Total5
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
68
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
27
+
+
Info
+
+
Informational
+
+
+
+
Percentage of network failures
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
93 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
6 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
92 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
99 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
811
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
36 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (307 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:05:06 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 10:59:18 GMT
          +ETag: W/"26af-19e6e3d1825"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:01:24 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 10:59:18 GMT
          +ETag: W/"26af-19e6e3d1825"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:01:24 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  6. + + + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 10:59:18 GMT
          +ETag: W/"26af-19e6e3d1825"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:01:24 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  8. + + + + + + +
  9. +

    + Risk=Informational, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 10:59:18 GMT
          +ETag: W/"26af-19e6e3d1825"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:01:24 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  8. +
  9. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  10. +
+
+
+ +
+
+
+
+
+
diff --git a/TestesRealizados1/DEVCICD-/normalize/LICENSE.md b/TestesRealizados1/DEVCICD-/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/DEVCICD-/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/DEVCICD-/normalize/normalize.css b/TestesRealizados1/DEVCICD-/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/DEVCICD-/normalize/normalize.css
@@ -0,0 +1,349 @@
+/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */
+
+/* Document
+ ========================================================================== */
+
+/**
+ * 1. Correct the line height in all browsers.
+ * 2. Prevent adjustments of font size after orientation changes in iOS.
+ */
+
+html {
+ line-height: 1.15; /* 1 */
+ -webkit-text-size-adjust: 100%; /* 2 */
+}
+
+/* Sections
+ ========================================================================== */
+
+/**
+ * Remove the margin in all browsers.
+ */
+
+body {
+ margin: 0;
+}
+
+/**
+ * Render the `main` element consistently in IE.
+ */
+
+main {
+ display: block;
+}
+
+/**
+ * Correct the font size and margin on `h1` elements within `section` and
+ * `article` contexts in Chrome, Firefox, and Safari.
+ */
+
+h1 {
+ font-size: 2em;
+ margin: 0.67em 0;
+}
+
+/* Grouping content
+ ========================================================================== */
+
+/**
+ * 1. Add the correct box sizing in Firefox.
+ * 2. Show the overflow in Edge and IE.
+ */
+
+hr {
+ box-sizing: content-box; /* 1 */
+ height: 0; /* 1 */
+ overflow: visible; /* 2 */
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+pre {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/* Text-level semantics
+ ========================================================================== */
+
+/**
+ * Remove the gray background on active links in IE 10.
+ */
+
+a {
+ background-color: transparent;
+}
+
+/**
+ * 1. Remove the bottom border in Chrome 57-
+ * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari.
+ */
+
+abbr[title] {
+ border-bottom: none; /* 1 */
+ text-decoration: underline; /* 2 */
+ text-decoration: underline dotted; /* 2 */
+}
+
+/**
+ * Add the correct font weight in Chrome, Edge, and Safari.
+ */
+
+b,
+strong {
+ font-weight: bolder;
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+code,
+kbd,
+samp {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/**
+ * Add the correct font size in all browsers.
+ */
+
+small {
+ font-size: 80%;
+}
+
+/**
+ * Prevent `sub` and `sup` elements from affecting the line height in
+ * all browsers.
+ */
+
+sub,
+sup {
+ font-size: 75%;
+ line-height: 0;
+ position: relative;
+ vertical-align: baseline;
+}
+
+sub {
+ bottom: -0.25em;
+}
+
+sup {
+ top: -0.5em;
+}
+
+/* Embedded content
+ ========================================================================== */
+
+/**
+ * Remove the border on images inside links in IE 10.
+ */
+
+img {
+ border-style: none;
+}
+
+/* Forms
+ ========================================================================== */
+
+/**
+ * 1. Change the font styles in all browsers.
+ * 2. Remove the margin in Firefox and Safari.
+ */
+
+button,
+input,
+optgroup,
+select,
+textarea {
+ font-family: inherit; /* 1 */
+ font-size: 100%; /* 1 */
+ line-height: 1.15; /* 1 */
+ margin: 0; /* 2 */
+}
+
+/**
+ * Show the overflow in IE.
+ * 1. Show the overflow in Edge.
+ */
+
+button,
+input { /* 1 */
+ overflow: visible;
+}
+
+/**
+ * Remove the inheritance of text transform in Edge, Firefox, and IE.
+ * 1. Remove the inheritance of text transform in Firefox.
+ */
+
+button,
+select { /* 1 */
+ text-transform: none;
+}
+
+/**
+ * Correct the inability to style clickable types in iOS and Safari.
+ */
+
+button,
+[type="button"],
+[type="reset"],
+[type="submit"] {
+ -webkit-appearance: button;
+}
+
+/**
+ * Remove the inner border and padding in Firefox.
+ */
+
+button::-moz-focus-inner,
+[type="button"]::-moz-focus-inner,
+[type="reset"]::-moz-focus-inner,
+[type="submit"]::-moz-focus-inner {
+ border-style: none;
+ padding: 0;
+}
+
+/**
+ * Restore the focus styles unset by the previous rule.
+ */
+
+button:-moz-focusring,
+[type="button"]:-moz-focusring,
+[type="reset"]:-moz-focusring,
+[type="submit"]:-moz-focusring {
+ outline: 1px dotted ButtonText;
+}
+
+/**
+ * Correct the padding in Firefox.
+ */
+
+fieldset {
+ padding: 0.35em 0.75em 0.625em;
+}
+
+/**
+ * 1. Correct the text wrapping in Edge and IE.
+ * 2. Correct the color inheritance from `fieldset` elements in IE.
+ * 3. Remove the padding so developers are not caught out when they zero out
+ * `fieldset` elements in all browsers.
+ */
+
+legend {
+ box-sizing: border-box; /* 1 */
+ color: inherit; /* 2 */
+ display: table; /* 1 */
+ max-width: 100%; /* 1 */
+ padding: 0; /* 3 */
+ white-space: normal; /* 1 */
+}
+
+/**
+ * Add the correct vertical alignment in Chrome, Firefox, and Opera.
+ */
+
+progress {
+ vertical-align: baseline;
+}
+
+/**
+ * Remove the default vertical scrollbar in IE 10+.
+ */
+
+textarea {
+ overflow: auto;
+}
+
+/**
+ * 1. Add the correct box sizing in IE 10.
+ * 2. Remove the padding in IE 10.
+ */
+
+[type="checkbox"],
+[type="radio"] {
+ box-sizing: border-box; /* 1 */
+ padding: 0; /* 2 */
+}
+
+/**
+ * Correct the cursor style of increment and decrement buttons in Chrome.
+ */
+
+[type="number"]::-webkit-inner-spin-button,
+[type="number"]::-webkit-outer-spin-button {
+ height: auto;
+}
+
+/**
+ * 1. Correct the odd appearance in Chrome and Safari.
+ * 2. Correct the outline style in Safari.
+ */
+
+[type="search"] {
+ -webkit-appearance: textfield; /* 1 */
+ outline-offset: -2px; /* 2 */
+}
+
+/**
+ * Remove the inner padding in Chrome and Safari on macOS.
+ */
+
+[type="search"]::-webkit-search-decoration {
+ -webkit-appearance: none;
+}
+
+/**
+ * 1. Correct the inability to style clickable types in iOS and Safari.
+ * 2. Change font properties to `inherit` in Safari.
+ */
+
+::-webkit-file-upload-button {
+ -webkit-appearance: button; /* 1 */
+ font: inherit; /* 2 */
+}
+
+/* Interactive
+ ========================================================================== */
+
+/*
+ * Add the correct display in Edge, IE 10+, and Firefox.
+ */
+
+details {
+ display: block;
+}
+
+/*
+ * Add the correct display in all browsers.
+ */
+
+summary {
+ display: list-item;
+}
+
+/* Misc
+ ========================================================================== */
+
+/**
+ * Add the correct display in IE 10+.
+ */
+
+template {
+ display: none;
+}
+
+/**
+ * Add the correct display in IE 10.
+ */
+
+[hidden] {
+ display: none;
+}
diff --git a/TestesRealizados1/DEVCICD-/themes/original/colors.css b/TestesRealizados1/DEVCICD-/themes/original/colors.css
new file mode 100644
index 0000000..fd3b963
--- /dev/null
+++ b/TestesRealizados1/DEVCICD-/themes/original/colors.css
@@ -0,0 +1,139 @@
+body {
+ background-color: #306aa0;
+ background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%);
+}
+
+main, footer {
+ background-color: #fff;
+}
+
+header {
+ background-color: #00549e;
+ color: #fff;
+}
+
+a:link {
+ color: #004380;
+}
+
+a:visited {
+ color: #770d67;
+}
+
+a:focus {
+ background-color: #ffd54d;
+}
+
+a:hover {
+ background-color: #ffd54d;
+}
+
+a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+header a:link {
+ color: #f2f7fd;
+}
+
+header a:visited {
+ color: #f2b5e9;
+}
+
+header a:focus {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:hover {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #fff6db;
+}
+
+summary:focus {
+ background-color: #ffd54d;
+}
+
+summary:hover {
+ background-color: #ffd54d;
+}
+
+summary:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+h2, h3, h4, h5, h6 {
+ color: #00549e;
+}
+
+.risk-level, .confidence-level {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left-color: #fff;
+}
+
+.alerts-table th, .alert-types-table th {
+ background-color: #306aa0;
+ color: #fff;
+}
+
+.additional-info-percentages {
+ color: #00549e;
+}
+
+.insights-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.insights-table th[scope="col"] {
+ background-color: #00549e;
+ border-left-color: #fff;
+ color: #fff;
+}
diff --git a/TestesRealizados1/DEVCICD-/themes/original/main.css b/TestesRealizados1/DEVCICD-/themes/original/main.css
new file mode 100644
index 0000000..050bd3f
--- /dev/null
+++ b/TestesRealizados1/DEVCICD-/themes/original/main.css
@@ -0,0 +1,417 @@
+*, *::after, *::before {
+ box-sizing: border-box;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ margin: 0;
+ padding: 0;
+}
+
+pre, ul {
+ margin: 0;
+}
+
+ol {
+ list-style-type: none;
+}
+
+h1 {
+ font-size: 3em;
+}
+
+h2 {
+ font-size: 2em;
+}
+
+h3, h4, h5, h6 {
+ font-size: 1em;
+}
+
+html {
+ box-sizing: border-box;
+ font-family: Verdana, sans-serif;
+ line-height: 1.5;
+}
+
+body {
+ margin: 1.5em 0;
+}
+
+@media screen and (min-width: 50em) {
+ body {
+ margin: 1.5em 2ch;
+ padding: 1.5em 2ch;
+ }
+}
+
+a:active, header a:active {
+ outline-style: solid;
+}
+
+header, main {
+ margin: 0 auto;
+ max-width: 90ch;
+ padding: 1.5em 4ch;
+}
+
+header {
+ border-radius: .25em .25em 0 0;
+}
+
+main {
+ border-radius: 0 0 .25em .25em;
+}
+
+summary {
+ cursor: pointer;
+}
+
+.contents {
+ margin-top: 1.5em;
+}
+
+main > section {
+ margin-bottom: 4.5em;
+}
+
+.about-this-report > section {
+ margin-bottom: 3em;
+}
+
+.summaries section {
+ margin-bottom: 3em;
+}
+
+h2 {
+ margin-bottom: .75em;
+}
+
+h3 {
+ margin-bottom: 1.5em;
+}
+
+h4 {
+ margin-bottom: 1.5em;
+}
+
+.report-parameters--container h4 {
+ margin-top: 1.5em;
+}
+
+p {
+ margin: 1.5em 0;
+}
+
+p:first-of-type {
+ margin-top: 0;
+}
+
+p:last-of-type {
+ margin-bottom: 0;
+}
+
+.contents li, .alerts li, .alert-types > ol > li {
+ margin-top: 1.5em;
+}
+
+.alert-types h4 {
+ margin-bottom: 0;
+}
+
+a {
+ border-radius: .125em;
+}
+
+caption {
+ margin-bottom: 1.5em;
+ text-align: left;
+}
+
+code, .request-method-n-url {
+ overflow-wrap: anywhere;
+ white-space: break-spaces;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+.report-description--container, .report-parameters--container {
+ margin-left: 2ch;
+ padding: 0 2ch;
+}
+
+.about-this-report h3, .summaries h3, .appendix h3 {
+ border-bottom: .05em solid;
+}
+
+.alerts h4 {
+ text-align: center;
+}
+
+.alerts ol {
+ padding-left: 0;
+}
+
+.alerts--site-li {
+ border: .05em solid;
+ border-radius: .25em;
+ margin-left: 2ch;
+ padding: 1.5em 3ch;
+}
+
+.contents ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 4ch;
+}
+
+.contexts-list, .sites-list {
+ list-style-type: square;
+}
+
+.risk-confidence-counts-table {
+ width: 100%;
+}
+
+.risk-confidence-counts-table tr {
+ height: 4.5em;
+}
+
+.risk-confidence-counts-table thead > tr {
+ height: 3em;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.risk-confidence-counts-table th[scope="row"] {
+ padding-right: 5%;
+}
+
+@media screen and (max-width: 50em) {
+ .risk-confidence-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.risk-confidence-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td {
+ vertical-align: top;
+}
+
+.risk-confidence-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.site-risk-counts-table {
+ width: 100%;
+}
+
+.site-risk-counts-table tr {
+ height: 4.5em;
+}
+
+.site-risk-counts-table thead > tr:first-of-type {
+ height: 3em;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.site-risk-counts-table th[scope="row"] {
+ padding-right: 1%;
+}
+
+@media screen and (max-width: 50em) {
+ .site-risk-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.site-risk-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table td {
+ vertical-align: top;
+}
+
+.site-risk-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.alert-type-counts-table {
+ width: 100%;
+}
+
+.alert-type-counts-table th, .alert-type-counts-table td {
+ padding: 0 1rem;
+ text-align: left;
+ vertical-align: top;
+}
+
+.alert-type-counts-table td:nth-last-of-type(2) {
+ padding-left: 1.5rem;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom: 0.05em dotted;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left: 1rem solid;
+}
+
+.alert-type-counts-table th[scope="col"]:first-of-type {
+ border-left: 0;
+}
+
+.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type {
+ text-align: right;
+}
+
+.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] {
+ font-weight: normal;
+}
+
+.alert-type-counts-table th[scope="row"], .alert-type-counts-table td {
+ padding-bottom: 1.5em;
+}
+
+.alert-type-counts-table thead > th:first-of-type {
+ width: 45%;
+}
+
+.alerts-table, .alert-types-table, .insights-table {
+ border-collapse: separate;
+ border-spacing: 2ch 1.5em;
+ width: 100%;
+}
+
+.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th {
+ vertical-align: top;
+}
+
+.alerts-table td, .alert-types-table td, .insights-table td {
+ overflow-wrap: anywhere;
+}
+
+.alerts-table th, .alert-types-table th, .insights-table th {
+ padding: 0 1ch;
+}
+
+.alerts-table td, .alert-types-table td {
+ padding: 0 2ch;
+}
+
+.insights-table td {
+ padding: 0 1ch;
+}
+
+.alerts-table summary {
+ margin-bottom: 1.5em;
+}
+
+.alert-tags-list {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-tags-list > li {
+ margin-top: 0;
+}
+
+.request-body, .response-body {
+ margin-top: 1.5em;
+}
+
+.request-method-n-url {
+ margin-bottom: 0;
+}
+
+.alert-types-table {
+ padding-top: 0;
+}
+
+.alert-types-table th {
+ width: 20%;
+}
+
+.alert-types-table ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-types-table li:not(:first-of-type) {
+ margin-top: 1.5em;
+}
+
+p.alert-types-intro {
+ margin-bottom: 3em;
+}
+
+.zap-logo {
+ height: 1em;
+ margin-right: .25ch;
+ width: 1em;
+}
+
+h1, h2 {
+ font-family: Georgia, serif;
+}
+
+.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages {
+ font-family: monospace, monospace;
+}
+
+.context, .site, .request-method-n-url {
+ font-family: monospace, monospace;
+}
diff --git a/TestesRealizados1/DEVCICD-/zap32x32.png b/TestesRealizados1/DEVCICD-/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/Default^Policy/Default^Policy.html b/TestesRealizados1/Default^Policy/Default^Policy.html new file mode 100644 index 0000000..79fac06 --- /dev/null +++ b/TestesRealizados1/Default^Policy/Default^Policy.html @@ -0,0 +1,2919 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 06:58:33 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(9.1%)
1
(9.1%)
Medium0
(0.0%)
2
(18.2%)
2
(18.2%)
0
(0.0%)
4
(36.4%)
Low0
(0.0%)
0
(0.0%)
2
(18.2%)
1
(9.1%)
3
(27.3%)
Informational0
(0.0%)
1
(9.1%)
2
(18.2%)
0
(0.0%)
3
(27.3%)
Total0
(0.0%)
3
(27.3%)
6
(54.5%)
2
(18.2%)
11
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
4
(5)
3
(8)
3
(11)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(9.1%)
Content Security Policy (CSP) Header Not SetMedium5
(45.5%)
Cross-Domain MisconfigurationMedium5
(45.5%)
Missing Anti-clickjacking HeaderMedium3
(27.3%)
Session ID in URL RewriteMedium5
(45.5%)
Private IP DisclosureLow1
(9.1%)
Timestamp Disclosure - UnixLow5
(45.5%)
X-Content-Type-Options Header MissingLow5
(45.5%)
Modern Web ApplicationInformational5
(45.5%)
Session Management Response IdentifiedInformational1
(9.1%)
User Agent FuzzerInformational5
(45.5%)
Total11
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
80
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
380
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
122
+
+
Low
+
+
Exceeded Low
+
+
+
+
Percentage of network failures
+
+
5 %
+
+
Low
+
+
Exceeded High
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
50 %
+
+
Low
+
+
Exceeded High
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
51 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 1xx
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
46 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 3xx
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 5xx
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
9 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
6 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
65 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
97 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
173
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (307 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 10:31:15 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 10:18:52 GMT
          +ETag: W/"26af-19e6e1813ac"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 10:21:09 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Session ID in URL Rewrite (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvk6yvM&sid=pd0V5LZ93y-FQn8oAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

          +
          Request
          + Request line and header section (317 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvk6yvM&sid=pd0V5LZ93y-FQn8oAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (231 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 612
          +Date: Thu, 28 May 2026 10:23:03 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (612 bytes) + +
          40{"sid":"03u5dabLobU2g8TXAAAB"}42["server started"]42["challenge solved",{"key":"directoryListingChallenge","name":"Confidential Document","challenge":"Confidential Document (Access a confidential document.)","flag":"8d2072c6b0a455608ca1a293dc0c9579883fc6a5","hidden":false,"isRestore":false,"codingChallenge":true}]42["challenge solved",{"key":"errorHandlingChallenge","name":"Error Handling","challenge":"Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)","flag":"9c297196ecf8890bc1e900fcf3aebae8c9f9880a","hidden":false,"isRestore":false,"codingChallenge":false}]
          + + +
          Parameter
          sid
          Evidence
          pd0V5LZ93y-FQn8oAAAA
          Solution +

          For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/robots.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (239 bytes) + +
          GET http://20.60.0.1:3000/robots.txt HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (378 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: text/plain; charset=utf-8
          +Content-Length: 28
          +ETag: W/"1c-8HgF6mNyhsSFK0pascC9uB0wjX0"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 10:21:09 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (28 bytes) + +
          User-agent: *
          +Disallow: /ftp
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Missing Anti-clickjacking Header (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvk6yux&sid=pd0V5LZ93y-FQn8oAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvk6yux&sid=pd0V5LZ93y-FQn8oAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 10:23:03 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          x-frame-options
          Solution +

          Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

          + +

          If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  6. + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Private IP Disclosure (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/admin/application-configuration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

          +
          Other info +

          192.168.99.100:3000

          + +

          192.168.99.100:4200

          +
          Request
          + Request line and header section (314 bytes) + +
          GET http://20.60.0.1:3000/rest/admin/application-configuration HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (389 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 23513
          +ETag: W/"5bd9-reVonwE2GOcMzw2LpzIkSqyB2OE"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 10:22:59 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (23513 bytes) + +
          {"config":{"server":{"port":3000,"basePath":"","baseUrl":"http://localhost:3000"},"application":{"domain":"juice-sh.op","name":"OWASP Juice Shop","logo":"JuiceShop_Logo.png","favicon":"favicon_js.ico","theme":"bluegrey-lightgreen","showVersionNumber":true,"showGitHubLinks":true,"localBackupEnabled":true,"numberOfRandomFakeUsers":0,"altcoinName":"Juicycoin","privacyContactEmail":"donotreply@owasp-juice.shop","customMetricsPrefix":"juiceshop","chatBot":{"name":"Juicy the Smart Assistant","avatar":"JuicyChatBot.png","model":"gemma4:e4b","llmMaxRetries":2,"sampleQuestions":["CHATBOT_PROMPT_RECOMMENDATION_SUMMER_PARTY","CHATBOT_PROMPT_RECOMMENDATION_POPULAR","CHATBOT_PROMPT_RECOMMENDATION_SUGAR_FREE","CHATBOT_PROMPT_RECOMMENDATION_START_DAY","CHATBOT_PROMPT_RECOMMENDATION_SEASONAL"]},"social":{"blueSkyUrl":"https://bsky.app/profile/owasp-juice.shop","mastodonUrl":"https://fosstodon.org/@owasp_juiceshop","twitterUrl":"https://twitter.com/owasp_juiceshop","facebookUrl":"https://www.facebook.com/owasp.juiceshop","slackUrl":"https://owasp.org/slack/invite","redditUrl":"https://www.reddit.com/r/owasp_juiceshop","pressKitUrl":"https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop","nftUrl":"https://opensea.io/collection/juice-shop","questionnaireUrl":null},"recyclePage":{"topProductImage":"fruit_press.jpg","bottomProductImage":"apple_pressings.jpg"},"welcomeBanner":{"showOnFirstStart":true,"title":"Welcome to OWASP Juice Shop!","message":"<p>Being a web application with a vast number of intended security vulnerabilities, the <strong>OWASP Juice Shop</strong> is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. 
The <strong>OWASP Juice Shop</strong> is an open-source project hosted by the non-profit <a href='https://owasp.org' target='_blank'>Open Worldwide Application Security Project (OWASP)</a> and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.</p><h1><a href='https://owasp-juice.shop' target='_blank'>https://owasp-juice.shop</a></h1>"},"cookieConsent":{"message":"This website uses fruit cookies to ensure you get the juiciest tracking experience.","dismissText":"Me want it!","linkText":"But me wait!","linkUrl":"https://www.youtube.com/watch?v=9PnbKL3wuH4"},"securityTxt":{"contact":"mailto:donotreply@owasp-juice.shop","encryption":"https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda","acknowledgements":"/#/score-board","hiring":"/#/jobs","csaf":"/.well-known/csaf/provider-metadata.json"},"promotion":{"video":"owasp_promo.mp4","subtitles":"owasp_promo.vtt"},"easterEggPlanet":{"name":"Orangeuze","overlayMap":"orangemap2k.avif"},"googleOauth":{"clientId":"1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq.apps.googleusercontent.com","authorizedRedirects":[{"uri":"https://demo.owasp-juice.shop"},{"uri":"https://juice-shop.herokuapp.com"},{"uri":"https://preview.owasp-juice.shop"},{"uri":"https://juice-shop-staging.herokuapp.com"},{"uri":"https://juice-shop.wtf"},{"uri":"http://localhost:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://127.0.0.1:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://localhost:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://127.0.0.1:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://192.168.99.100:3000","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://192.168.99.100:4200","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:3000","proxy":"https://localchromeos.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:4
200","proxy":"https://localchromeos.owasp-juice.shop"}]}},"challenges":{"showSolvedNotifications":true,"showHints":true,"showMitigations":true,"codingChallengesEnabled":"solved","restrictToTutorialsFirst":false,"overwriteUrlForProductTamperingChallenge":"https://owasp.slack.com","xssBonusPayload":"<iframe width=\"100%\" height=\"166\" scrolling=\"no\" frameborder=\"no\" allow=\"autoplay\" src=\"https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true\"></iframe>","safetyMode":"auto","csafHashValue":"7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843","metricsIgnoredUserAgents":["Prometheus","Alloy","promscrape","otelcol"]},"hackingInstructor":{"isEnabled":true,"avatarImage":"JuicyBot.png","hintPlaybackSpeed":"normal"},"products":[{"name":"Apple Juice (1000ml)","price":1.99,"deluxePrice":0.99,"limitPerUser":5,"description":"The all-time classic.","image":"apple_juice.jpg","reviews":[{"text":"One of my favorites!","author":"admin"},{"text":"Great! We'll have an apple party. Everyone brings an apple and - STUFFS IT DOWN EACH OTHER'S THROAT!","author":"basil"}]},{"name":"Orange Juice (1000ml)","description":"Made from oranges hand-picked by Uncle Dittmeyer.","price":2.99,"deluxePrice":2.49,"image":"orange_juice.jpg","reviews":[{"text":"y0ur f1r3wall needs m0r3 musc13","author":"uvogin"}]},{"name":"Eggfruit Juice (500ml)","description":"Now with even more exotic flavour.","price":8.99,"image":"eggfruit_juice.jpg","reviews":[{"text":"I bought it, would buy again. 
5/7","author":"admin"}]},{"name":"Raspberry Juice (1000ml)","description":"Made from blended Raspberry Pi, water and sugar.","price":4.99,"image":"raspberry_juice.jpg"},{"name":"Lemon Juice (500ml)","description":"Sour but full of vitamins.","price":2.99,"deluxePrice":1.99,"limitPerUser":5,"image":"lemon_juice.jpg"},{"name":"Banana Juice (1000ml)","description":"Monkeys love it the most.","price":1.99,"image":"banana_juice.jpg","reviews":[{"text":"Fry liked it too.","author":"bender"}]},{"name":"OWASP Juice Shop T-Shirt","description":"Real fans wear it 24/7!","price":22.49,"limitPerUser":5,"image":"fan_shirt.jpg"},{"name":"OWASP Juice Shop CTF Girlie-Shirt","description":"For serious Capture-the-Flag heroines only!","price":22.49,"image":"fan_girlie.jpg"},{"name":"OWASP SSL Advanced Forensic Tool (O-Saft)","description":"O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.","price":0.01,"image":"orange_juice.jpg","urlForProductTamperingChallenge":"https://www.owasp.org/index.php/O-Saft"},{"name":"Christmas Super-Surprise-Box (2014 Edition)","description":"Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!","price":29.99,"image":"undefined.jpg","useForChristmasSpecialChallenge":true},{"name":"Rippertuer Special Juice","description":"Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span>","price":16.99,"image":"undefined.jpg","keywordsForPastebinDataLeakChallenge":["hueteroneel","eurogium edule"]},{"name":"OWASP Juice Shop Sticker (2015/2016 design)","description":"Die-cut sticker with the official 2015/2016 logo. 
By now this is a rare collectors item. <em>Out of stock!</em>","price":999.99,"image":"sticker.png","deletedDate":"2017-04-28"},{"name":"OWASP Juice Shop Iron-Ons (16pcs)","description":"Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!","price":14.99,"image":"iron-on.jpg"},{"name":"OWASP Juice Shop Magnets (16pcs)","description":"Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!","price":15.99,"image":"magnets.jpg"},{"name":"OWASP Juice Shop Sticker Page","description":"Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.","price":9.99,"image":"sticker_page.jpg"},{"name":"OWASP Juice Shop Sticker Single","description":"Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!","price":4.99,"image":"sticker_single.jpg"},{"name":"OWASP Juice Shop Temporary Tattoos (16pcs)","description":"Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! 
Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!","price":14.99,"image":"tattoo.jpg","reviews":[{"text":"I straight-up gots nuff props fo'these tattoos!","author":"rapper"}]},{"name":"OWASP Juice Shop Mug","description":"Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!","price":21.99,"image":"fan_mug.jpg"},{"name":"OWASP Juice Shop Hoodie","description":"Mr. Robot-style apparel. But in black. And with logo.","price":49.99,"image":"fan_hoodie.jpg"},{"name":"OWASP Juice Shop-CTF Velcro Patch","description":"4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!","price":2.92,"quantity":5,"limitPerUser":5,"image":"velcro-patch.jpg","reviews":[{"text":"This thang would look phat on Bobby's jacked fur coat!","author":"rapper"},{"text":"Looks so much better on my uniform than the boring Starfleet symbol.","author":"jim"}]},{"name":"Woodruff Syrup \"Forest Master X-Treme\"","description":"Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.","price":6.99,"image":"woodruff_syrup.jpg"},{"name":"Green Smoothie","description":"Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.","price":1.99,"image":"green_smoothie.jpg","reviews":[{"text":"Fresh out of a replicator.","author":"jim"}]},{"name":"Quince Juice (1000ml)","description":"Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.","price":4.99,"image":"quince.jpg"},{"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"limitPerUser":5,"image":"apple_pressings.jpg"},{"name":"Fruit Press","description":"Fruits go in. 
Juice comes out. Pomace you can send back to us for recycling purposes.","price":89.99,"image":"fruit_press.jpg"},{"name":"OWASP Juice Shop Logo (3D-printed)","description":"This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.","price":99.99,"image":"3d_keychain.jpg","fileForRetrieveBlueprintChallenge":"JuiceShop.stl","exifForBlueprintChallenge":["OpenSCAD"]},{"name":"Juice Shop Artwork","description":"Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.","price":278.74,"quantity":0,"image":"artwork.jpg","deletedDate":"2020-12-24"},{"name":"Global OWASP WASPY Award 2017 Nomination","description":"Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>","price":0.03,"image":"waspy.png","deletedDate":"2017-07-01"},{"name":"Strawberry Juice (500ml)","description":"Sweet & tasty!","price":3.99,"image":"strawberry_juice.jpeg"},{"name":"Carrot Juice (1000ml)","description":"As the old German saying goes: \"Carrots are good for the eyes. 
Or has anyone ever seen a rabbit with glasses?\"","price":2.99,"image":"carrot_juice.jpeg","reviews":[{"text":"0 st4rs f0r 7h3 h0rr1bl3 s3cur17y","author":"uvogin"}]},{"name":"OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)","description":"10 sheets of Sweden-themed stickers with 15 stickers on each.","price":19.1,"image":"stickersheet_se.png","deletedDate":"2017-09-20"},{"name":"Pwning OWASP Juice Shop","description":"<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!","price":5.99,"image":"cover_small.jpg","reviews":[{"text":"Even more interesting than watching Interdimensional Cable!","author":"morty"}]},{"name":"Melon Bike (Comeback-Product 2018 Edition)","description":"The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.","price":2999,"quantity":3,"limitPerUser":1,"image":"melon_bike.jpeg"},{"name":"OWASP Juice Shop Coaster (10pcs)","description":"Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.","price":19.99,"quantity":0,"image":"coaster.jpg"},{"name":"OWASP Snakes and Ladders - Web Applications","description":"This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!","price":0.01,"quantity":8,"image":"snakes_ladders.jpg","reviews":[{"text":"Wait for a 10$ Steam sale of Tabletop Simulator!","author":"bjoernOwasp"}]},{"name":"OWASP Snakes and Ladders - Mobile Apps","description":"This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> 
now!","price":0.01,"quantity":0,"image":"snakes_ladders_m.jpg","reviews":[{"text":"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!","author":"rapper"}]},{"name":"OWASP Juice Shop Holographic Sticker","description":"Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!","price":2,"quantity":0,"image":"holo_sticker.png","reviews":[{"text":"Rad, dude!","author":"rapper"},{"text":"Looks spacy on Bones' new tricorder!","author":"jim"},{"text":"Will put one on the Planet Express ship's bumper!","author":"bender"}]},{"name":"OWASP Juice Shop \"King of the Hill\" Facemask","description":"Facemask with compartment for filter from 50% cotton and 50% polyester.","price":13.49,"quantity":0,"limitPerUser":1,"image":"fan_facemask.jpg","reviews":[{"text":"K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!","author":"uvogin"},{"text":"Puny mask for puny human weaklings!","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Common)","description":"Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":2.99,"deluxePrice":0.99,"deletedDate":"2020-11-30","limitPerUser":5,"image":"ccg_common.png","reviews":[{"text":"Ooooh, puny human playing Mau Mau, now?","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Super Rare)","description":"Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":99.99,"deluxePrice":69.99,"deletedDate":"2020-11-30","quantity":2,"limitPerUser":1,"image":"ccg_foil.png","reviews":[{"text":"Mau Mau with bling-bling? 
Humans are so pathetic!","author":"bender"}]},{"name":"Juice Shop \"Permafrost\" 2020 Edition","description":"Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.","price":9999.99,"quantity":1,"limitPerUser":1,"image":"permafrost.jpg","reviews":[{"text":"🧊 Let it go, let it go 🎶 Can't hold it back anymore 🎶 Let it go, let it go 🎶 Turn away and slam the door ❄️","author":"rapper"}]},{"name":"Best Juice Shop Salesman Artwork","description":"Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.","price":5000,"quantity":1,"image":"artwork2.jpg","reviews":[{"text":"I'd stand on my head to make you a deal for this piece of art.","author":"stan"},{"text":"Just when my opinion of humans couldn't get any lower, along comes Stan...","author":"bender"}]},{"name":"OWASP Juice Shop Card (non-foil)","description":"Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!","price":1000,"quantity":3,"limitPerUser":1,"image":"card_alpha.jpg","reviews":[{"text":"DO NOT PLAY WITH THIS! 
Double-sleeve, then put it in the GitHub Arctic Vault for perfect preservation and boost of secondary market value!","author":"accountant"}]},{"name":"20th Anniversary Celebration Ticket","description":"Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!","price":1e-20,"deletedDate":"2021-09-25","limitPerUser":1,"image":"20th.jpeg","reviews":[{"text":"I'll be there! Will you, too?","author":"bjoernOwasp"}]},{"name":"OWASP Juice Shop LEGO™ Tower","description":"Want to host a Juice Shop CTF in style? Build <a href=\"https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/lego/OWASP%20JuiceShop%20Pi-server%201.2.pdf\" target=\"_blank\">your own LEGO™ tower</a> which holds four Raspberry Pi 4 models with PoE HAT modules <a href=\"https://github.com/juice-shop/multi-juicer/blob/main/guides/raspberry-pi/raspberry-pi.md\" target=\"_blank\">running a MultiJuicer Kubernetes cluster</a>! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!","price":799,"quantity":3,"limitPerUser":1,"image":"lego_case.jpg","reviews":[{"text":"Check out the /#/photo-wall for some impressions of the assembly process!","author":"bjoernOwasp"}]},{"name":"DSOMM & Juice Shop User Day Ticket","description":"You are going to the OWASP Global AppSec San Francisco 2024? <a href=\"https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707\" target=\"_blank\">Get a ticket<sup>*</sup></a> for this amazing side event as well! 
Check the juice-packed agenda <a href=\"https://owasp.org/www-project-juice-shop/#div-userday2024\" target=\"_blank\">here</a> for all the details!<br><br><small><small><sup>*</sup>=scroll down to <strong>Elevate: DSOMM and Juice Shop User Day (Sept. 25)</strong> after clicking <em>Get Tickets</em> on Eventbrite. Ticket price set to only covers fees for room, AV, and catering throughout the day.</small></small>","price":55.2,"deletedDate":"2024-09-26","limitPerUser":1,"image":"user_day_ticket.png","reviews":[{"text":"The DSOMM Live Assessment session will even use Juice Shop as its \"real-world\" example!","author":"timo"},{"text":"We will showcase the amazing MultiJuicer Lego Tower at this event!","author":"jannik"}]},{"name":"Pineapple Juice (1000ml)","description":"Tropical refreshment from the finest sun-ripened pineapples.","price":2.99,"image":"pineapple_juice.png"},{"name":"Melon Juice (1000ml)","description":"Refreshing and sweet juice made from ripe melons.","price":2.49,"image":"melon_juice.png"},{"name":"Grape Juice (1000ml)","description":"Deep purple and full of antioxidants from selected grapes.","price":2.99,"image":"grape_juice.png"},{"name":"Dragonfruit Juice (500ml)","description":"Exotic and vibrant juice made from dragonfruit.","price":3.99,"image":"dragonfruit_juice.png"},{"name":"Berry Juice (1000ml)","description":"A delicious blend of fresh forest berries.","price":3.49,"image":"berry_juice.png"},{"name":"Basil Smoothie","description":"A unique blend of fresh basil and ginger for a healthy kick.","price":2.99,"image":"basil_smoothie.png","reviews":[{"text":"(ง'̀-'́)ง","author":"basil"}]},{"name":"Bragă (500ml)","description":"Traditional Balkan drink made from fermented millet. Lightly sweet-sour, refreshing, and naturally energizing.","price":2.49,"image":"braga.jpg"},{"name":"Elderflower Cordial (500ml)","description":"Floral and fragrant soft drink made from elderflowers. 
Traditionally enjoyed chilled.","price":3.29,"image":"elderflower_cordial.jpg"},{"name":"Sea Buckthorn Juice (500ml)","description":"Tangy and slightly sour juice, extremely rich in Vitamin C and antioxidants.","price":3.99,"image":"sea_buckthorn_juice.jpg"},{"name":"Pomegranate Drink (500ml)","description":"A sweet and tart refreshment inspired by classic grenadine flavors.","price":4.49,"image":"pomegranate_drink.jpg"}],"memories":[{"image":"magn(et)ificent!-1571814229653.jpg","caption":"Magn(et)ificent!","user":"bjoernGoogle"},{"image":"my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg","caption":"My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]","user":"bjoernGoogle"},{"image":"favorite-hiking-place.png","caption":"I love going hiking here...","geoStalkingMetaSecurityQuestion":14,"geoStalkingMetaSecurityAnswer":"Daniel Boone National Forest"},{"image":"IMG_4253.jpg","caption":"My old workplace...","geoStalkingVisualSecurityQuestion":10,"geoStalkingVisualSecurityAnswer":"ITsec"},{"image":"BeeHaven.png","caption":"Welcome to the Bee Haven (/#/bee-haven)🐝","user":"evm"},{"image":"sorted-the-pieces,-starting-assembly-process-1721152307290.jpg","caption":"Sorted the pieces, starting assembly process...","user":"bjoernOwasp"},{"image":"building-something-literally-bottom-up-1721152342603.jpg","caption":"Building something literally bottom up...","user":"bjoernOwasp"},{"image":"putting-in-the-hardware-1721152366854.jpg","caption":"Putting in the hardware...","user":"bjoernOwasp"},{"image":"everything-up-and-running!-1721152385146.jpg","caption":"Everything up and running!","user":"bjoernOwasp"}],"ctf":{"showFlagsInNotifications":false,"showCountryDetailsInNotifications":"none","countryMapping":null,"systemWideNotifications":{"url":null,"pollFrequencySeconds":null}}}}
          + + +
          Evidence
          192.168.99.100:3000
          Solution +

          Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + X-Content-Type-Options Header Missing (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvk6yOd + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          +
          Other info +

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          + +

          At "High" threshold this scan rule will not alert on client or server error responses.

          +
          Request
          + Request line and header section (292 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvk6yOd HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 96
          +Date: Thu, 28 May 2026 10:22:58 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (96 bytes) + +
          0{"sid":"pd0V5LZ93y-FQn8oAAAA","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}
          + + +
          Parameter
          x-content-type-options
          Solution +

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          + +

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  8. + +
  9. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 10:18:52 GMT
          +ETag: W/"26af-19e6e1813ac"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 10:21:09 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + + +
  11. +

    + Risk=Informational, Confidence=High (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Session Management Response Identified (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/continue-code/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags +
            + +
          +
          Alert description +

          The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.

          +
          Other info +

          json:continueCode

          +
          Request
          + Request line and header section (297 bytes) + +
          GET http://20.60.0.1:3000/rest/continue-code/ HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (384 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 79
          +ETag: W/"4f-uLu5Lde8X4OncOnJeidFijss6vg"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 10:45:25 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (79 bytes) + +
          {"continueCode":"y1OzBZxNpnLrM5WmgEKv8XakQ7DA6LcQGJ6yOlV9Pow1jYqbz2eRB34oE5mM"}
          + + +
          Parameter
          continueCode
          Evidence
          continueCode
          Solution +

          This is an informational alert rather than a vulnerability and so there is nothing to fix.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  12. + +
  13. +

    + Risk=Informational, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 10:18:52 GMT
          +ETag: W/"26af-19e6e1813ac"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 10:21:09 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + User Agent Fuzzer (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvk7mTy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags +
            +
          • + CUSTOM_PAYLOADS = +
          • +
          • + POLICY_PENTEST = +
          • +
          • + SYSTEMIC +
          • +
          +
          Alert description +

          Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

          +
          Request
          + Request line and header section (398 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvk7mTy HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +Cookie: language=en; continueCode=y1OzBZxNpnLrM5WmgEKv8XakQ7DA6LcQGJ6yOlV9Pow1jYqbz2eRB34oE5mM; welcomebanner_status=dismiss
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 96
          +Date: Thu, 28 May 2026 10:47:48 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (96 bytes) + +
          0{"sid":"Xorp3Pbs1alpY9B3AAGq","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}
          + + +
          Parameter
          Header User-Agent
          Attack
          Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  14. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Missing Anti-clickjacking Header

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Anti-clickjacking Header) + +
    CWE ID1021
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    2. +
    +
    +
  8. +
  9. +

    Session ID in URL Rewrite

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session ID in URL Rewrite) + +
    CWE ID598
    WASC ID13
    Reference +
      +
    1. https://seclists.org/webappsec/2002/q4/111
    2. +
    +
    +
  10. +
  11. +

    Private IP Disclosure

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Private IP Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://datatracker.ietf.org/doc/html/rfc1918
    2. +
    +
    +
  12. +
  13. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  14. +
  15. +

    X-Content-Type-Options Header Missing

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (X-Content-Type-Options Header Missing) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. +
    3. https://owasp.org/www-community/Security_Headers
    4. +
    +
    +
  16. +
  17. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  18. +
  19. +

    Session Management Response Identified

    + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session Management Response Identified) + +
    Reference +
      +
    1. https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/
    2. +
    +
    +
  20. +
  21. +

    User Agent Fuzzer

    + + + + + + + + + + + +
    Source + + raised by an active scanner (User Agent Fuzzer) + +
    Reference +
      +
    1. https://owasp.org/wstg
    2. +
    +
    +
  22. +
+
+
+ +
+ + + + +
diff --git a/TestesRealizados1/Default^Policy/normalize/LICENSE.md b/TestesRealizados1/Default^Policy/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/Default^Policy/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/Default^Policy/normalize/normalize.css b/TestesRealizados1/Default^Policy/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/Default^Policy/normalize/normalize.css
@@ -0,0 +1,349 @@ +/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */ + +/* Document + ========================================================================== */ + +/** + * 1. Correct the line height in all browsers. + * 2. Prevent adjustments of font size after orientation changes in iOS. + */ + +html { + line-height: 1.15; /* 1 */ + -webkit-text-size-adjust: 100%; /* 2 */ +} + +/* Sections + ========================================================================== */ + +/** + * Remove the margin in all browsers. + */ + +body { + margin: 0; +} + +/** + * Render the `main` element consistently in IE. + */ + +main { + display: block; +} + +/** + * Correct the font size and margin on `h1` elements within `section` and + * `article` contexts in Chrome, Firefox, and Safari. + */ + +h1 { + font-size: 2em; + margin: 0.67em 0; +} + +/* Grouping content + ========================================================================== */ + +/** + * 1. Add the correct box sizing in Firefox. + * 2. Show the overflow in Edge and IE. + */ + +hr { + box-sizing: content-box; /* 1 */ + height: 0; /* 1 */ + overflow: visible; /* 2 */ +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +pre { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/* Text-level semantics + ========================================================================== */ + +/** + * Remove the gray background on active links in IE 10. + */ + +a { + background-color: transparent; +} + +/** + * 1. Remove the bottom border in Chrome 57- + * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari. + */ + +abbr[title] { + border-bottom: none; /* 1 */ + text-decoration: underline; /* 2 */ + text-decoration: underline dotted; /* 2 */ +} + +/** + * Add the correct font weight in Chrome, Edge, and Safari. 
+ */ + +b, +strong { + font-weight: bolder; +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +code, +kbd, +samp { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/** + * Add the correct font size in all browsers. + */ + +small { + font-size: 80%; +} + +/** + * Prevent `sub` and `sup` elements from affecting the line height in + * all browsers. + */ + +sub, +sup { + font-size: 75%; + line-height: 0; + position: relative; + vertical-align: baseline; +} + +sub { + bottom: -0.25em; +} + +sup { + top: -0.5em; +} + +/* Embedded content + ========================================================================== */ + +/** + * Remove the border on images inside links in IE 10. + */ + +img { + border-style: none; +} + +/* Forms + ========================================================================== */ + +/** + * 1. Change the font styles in all browsers. + * 2. Remove the margin in Firefox and Safari. + */ + +button, +input, +optgroup, +select, +textarea { + font-family: inherit; /* 1 */ + font-size: 100%; /* 1 */ + line-height: 1.15; /* 1 */ + margin: 0; /* 2 */ +} + +/** + * Show the overflow in IE. + * 1. Show the overflow in Edge. + */ + +button, +input { /* 1 */ + overflow: visible; +} + +/** + * Remove the inheritance of text transform in Edge, Firefox, and IE. + * 1. Remove the inheritance of text transform in Firefox. + */ + +button, +select { /* 1 */ + text-transform: none; +} + +/** + * Correct the inability to style clickable types in iOS and Safari. + */ + +button, +[type="button"], +[type="reset"], +[type="submit"] { + -webkit-appearance: button; +} + +/** + * Remove the inner border and padding in Firefox. 
+ */ + +button::-moz-focus-inner, +[type="button"]::-moz-focus-inner, +[type="reset"]::-moz-focus-inner, +[type="submit"]::-moz-focus-inner { + border-style: none; + padding: 0; +} + +/** + * Restore the focus styles unset by the previous rule. + */ + +button:-moz-focusring, +[type="button"]:-moz-focusring, +[type="reset"]:-moz-focusring, +[type="submit"]:-moz-focusring { + outline: 1px dotted ButtonText; +} + +/** + * Correct the padding in Firefox. + */ + +fieldset { + padding: 0.35em 0.75em 0.625em; +} + +/** + * 1. Correct the text wrapping in Edge and IE. + * 2. Correct the color inheritance from `fieldset` elements in IE. + * 3. Remove the padding so developers are not caught out when they zero out + * `fieldset` elements in all browsers. + */ + +legend { + box-sizing: border-box; /* 1 */ + color: inherit; /* 2 */ + display: table; /* 1 */ + max-width: 100%; /* 1 */ + padding: 0; /* 3 */ + white-space: normal; /* 1 */ +} + +/** + * Add the correct vertical alignment in Chrome, Firefox, and Opera. + */ + +progress { + vertical-align: baseline; +} + +/** + * Remove the default vertical scrollbar in IE 10+. + */ + +textarea { + overflow: auto; +} + +/** + * 1. Add the correct box sizing in IE 10. + * 2. Remove the padding in IE 10. + */ + +[type="checkbox"], +[type="radio"] { + box-sizing: border-box; /* 1 */ + padding: 0; /* 2 */ +} + +/** + * Correct the cursor style of increment and decrement buttons in Chrome. + */ + +[type="number"]::-webkit-inner-spin-button, +[type="number"]::-webkit-outer-spin-button { + height: auto; +} + +/** + * 1. Correct the odd appearance in Chrome and Safari. + * 2. Correct the outline style in Safari. + */ + +[type="search"] { + -webkit-appearance: textfield; /* 1 */ + outline-offset: -2px; /* 2 */ +} + +/** + * Remove the inner padding in Chrome and Safari on macOS. + */ + +[type="search"]::-webkit-search-decoration { + -webkit-appearance: none; +} + +/** + * 1. Correct the inability to style clickable types in iOS and Safari. 
+ * 2. Change font properties to `inherit` in Safari. + */ + +::-webkit-file-upload-button { + -webkit-appearance: button; /* 1 */ + font: inherit; /* 2 */ +} + +/* Interactive + ========================================================================== */ + +/* + * Add the correct display in Edge, IE 10+, and Firefox. + */ + +details { + display: block; +} + +/* + * Add the correct display in all browsers. + */ + +summary { + display: list-item; +} + +/* Misc + ========================================================================== */ + +/** + * Add the correct display in IE 10+. + */ + +template { + display: none; +} + +/** + * Add the correct display in IE 10. + */ + +[hidden] { + display: none; +} diff --git a/TestesRealizados1/Default^Policy/themes/original/colors.css b/TestesRealizados1/Default^Policy/themes/original/colors.css new file mode 100644 index 0000000..fd3b963 --- /dev/null +++ b/TestesRealizados1/Default^Policy/themes/original/colors.css 
@@ -0,0 +1,139 @@ +body { + background-color: #306aa0; + background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%); +} + +main, footer { + background-color: #fff; +} + +header { + background-color: #00549e; + color: #fff; +} + +a:link { + color: #004380; +} + +a:visited { + color: #770d67; +} + +a:focus { + background-color: #ffd54d; +} + +a:hover { + background-color: #ffd54d; +} + +a:active { + background-color: #ffd54d; + color: #003261; + outline-color: #f4ba00; +} + +header a:link { + color: #f2f7fd; +} + +header a:visited { + color: #f2b5e9; +} + +header a:focus { + background-color: #ffd54d; + color: #004380; +} + +header a:hover { + background-color: #ffd54d; + color: #004380; +} + +header a:active { + background-color: #ffd54d; + color: #003261; + outline-color: #fff6db; +} + +summary:focus { + background-color: #ffd54d; +} + +summary:hover { + background-color: #ffd54d; +} + +summary:active { + background-color: #ffd54d; + color: #003261; + outline-color: #f4ba00; +} + +h2, h3, h4, h5, h6 { + color: #00549e; +} + +.risk-level, .confidence-level { + color: #00549e; +} + +.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] { + background-color: #00549e; + color: #fff; +} + +.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + color: #00549e; +} + +.risk-confidence-counts-table > tbody > tr { + border-top-color: #00549e; +} + +.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] { + background-color: #00549e; + color: #fff; +} + +.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + color: #00549e; +} + +.site-risk-counts-table > tbody > tr { + border-top-color: #00549e; +} + +.alert-type-counts-table > tbody > tr { + border-bottom-color: #00549e; +} + +.alert-type-counts-table th[scope="col"] { + background-color: #00549e; + color: #fff; +} + 
+.alert-type-counts-table th[scope="col"] { + border-left-color: #fff; +} + +.alerts-table th, .alert-types-table th { + background-color: #306aa0; + color: #fff; +} + +.additional-info-percentages { + color: #00549e; +} + +.insights-table > tbody > tr { + border-bottom-color: #00549e; +} + +.insights-table th[scope="col"] { + background-color: #00549e; + border-left-color: #fff; + color: #fff; +}
diff --git a/TestesRealizados1/Default^Policy/themes/original/main.css b/TestesRealizados1/Default^Policy/themes/original/main.css
new file mode 100644
index 0000000..050bd3f
--- /dev/null
+++ b/TestesRealizados1/Default^Policy/themes/original/main.css
@@ -0,0 +1,417 @@ +*, *::after, *::before { + box-sizing: border-box; +} + +h1, h2, h3, h4, h5, h6 { + margin: 0; + padding: 0; +} + +pre, ul { + margin: 0; +} + +ol { + list-style-type: none; +} + +h1 { + font-size: 3em; +} + +h2 { + font-size: 2em; +} + +h3, h4, h5, h6 { + font-size: 1em; +} + +html { + box-sizing: border-box; + font-family: Verdana, sans-serif; + line-height: 1.5; +} + +body { + margin: 1.5em 0; +} + +@media screen and (min-width: 50em) { + body { + margin: 1.5em 2ch; + padding: 1.5em 2ch; + } +} + +a:active, header a:active { + outline-style: solid; +} + +header, main { + margin: 0 auto; + max-width: 90ch; + padding: 1.5em 4ch; +} + +header { + border-radius: .25em .25em 0 0; +} + +main { + border-radius: 0 0 .25em .25em; +} + +summary { + cursor: pointer; +} + +.contents { + margin-top: 1.5em; +} + +main > section { + margin-bottom: 4.5em; +} + +.about-this-report > section { + margin-bottom: 3em; +} + +.summaries section { + margin-bottom: 3em; +} + +h2 { + margin-bottom: .75em; +} + +h3 { + margin-bottom: 1.5em; +} + +h4 { + margin-bottom: 1.5em; +} + +.report-parameters--container h4 { + margin-top: 1.5em; +} + +p { + margin: 1.5em 0; +} + +p:first-of-type { + margin-top: 0; +} + +p:last-of-type { + margin-bottom: 0; +} + +.contents li, .alerts li, .alert-types > ol > li { + margin-top: 1.5em; +} + +.alert-types h4 { + margin-bottom: 0; +} + +a { + border-radius: .125em; +} + +caption { + margin-bottom: 1.5em; + text-align: left; +} + +code, .request-method-n-url { + overflow-wrap: anywhere; + white-space: break-spaces; +} + +table { + border-collapse: collapse; +} + +.report-description--container, .report-parameters--container { + margin-left: 2ch; + padding: 0 2ch; +} + +.about-this-report h3, .summaries h3, .appendix h3 { + border-bottom: .05em solid; +} + +.alerts h4 { + text-align: center; +} + +.alerts ol { + padding-left: 0; +} + +.alerts--site-li { + border: .05em solid; + border-radius: .25em; + margin-left: 2ch; + padding: 1.5em 
3ch; +} + +.contents ol { + list-style-position: inside; + list-style-type: square; + padding-left: 4ch; +} + +.contexts-list, .sites-list { + list-style-type: square; +} + +.risk-confidence-counts-table { + width: 100%; +} + +.risk-confidence-counts-table tr { + height: 4.5em; +} + +.risk-confidence-counts-table thead > tr { + height: 3em; +} + +.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] { + hyphens: auto; + overflow-wrap: anywhere; + word-break: break-all; +} + +.risk-confidence-counts-table th[scope="row"] { + padding-right: 5%; +} + +@media screen and (max-width: 50em) { + .risk-confidence-counts-table th[scope="row"] { + padding-right: 1ch; + } +} + +.risk-confidence-counts-table th[scope="rowgroup"] { + padding: 0 .5ch; + vertical-align: middle; +} + +.risk-confidence-counts-table > tbody > tr { + border-top: .05em solid; +} + +.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td { + vertical-align: top; +} + +.risk-confidence-counts-table th[scope="col"] { + vertical-align: bottom; +} + +.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + font-family: monospace, monospace; + font-weight: bold; +} + +.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] { + font-weight: normal; +} + +.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + text-align: right; +} + +.site-risk-counts-table { + width: 100%; +} + +.site-risk-counts-table tr { + height: 4.5em; +} + +.site-risk-counts-table thead > tr:first-of-type { + height: 3em; +} + +.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] { + hyphens: auto; + overflow-wrap: anywhere; + word-break: break-all; +} + +.site-risk-counts-table th[scope="row"] { + padding-right: 1%; +} + +@media screen and (max-width: 50em) { + 
.site-risk-counts-table th[scope="row"] { + padding-right: 1ch; + } +} + +.site-risk-counts-table th[scope="rowgroup"] { + padding: 0 .5ch; + vertical-align: middle; +} + +.site-risk-counts-table > tbody > tr { + border-top: .05em solid; +} + +.site-risk-counts-table th[scope="row"], .site-risk-counts-table td { + vertical-align: top; +} + +.site-risk-counts-table th[scope="col"] { + vertical-align: bottom; +} + +.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + font-family: monospace, monospace; + font-weight: bold; +} + +.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] { + font-weight: normal; +} + +.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + text-align: right; +} + +.alert-type-counts-table { + width: 100%; +} + +.alert-type-counts-table th, .alert-type-counts-table td { + padding: 0 1rem; + text-align: left; + vertical-align: top; +} + +.alert-type-counts-table td:nth-last-of-type(2) { + padding-left: 1.5rem; +} + +.alert-type-counts-table > tbody > tr { + border-bottom: 0.05em dotted; +} + +.alert-type-counts-table th[scope="col"] { + border-left: 1rem solid; +} + +.alert-type-counts-table th[scope="col"]:first-of-type { + border-left: 0; +} + +.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type { + text-align: right; +} + +.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] { + font-weight: normal; +} + +.alert-type-counts-table th[scope="row"], .alert-type-counts-table td { + padding-bottom: 1.5em; +} + +.alert-type-counts-table thead > th:first-of-type { + width: 45%; +} + +.alerts-table, .alert-types-table, .insights-table { + border-collapse: separate; + border-spacing: 2ch 1.5em; + width: 100%; +} + +.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th { + 
vertical-align: top; +} + +.alerts-table td, .alert-types-table td, .insights-table td { + overflow-wrap: anywhere; +} + +.alerts-table th, .alert-types-table th, .insights-table th { + padding: 0 1ch; +} + +.alerts-table td, .alert-types-table td { + padding: 0 2ch; +} + +.insights-table td { + padding: 0 1ch; +} + +.alerts-table summary { + margin-bottom: 1.5em; +} + +.alert-tags-list { + list-style-position: inside; + list-style-type: square; + padding-left: 0; +} + +.alert-tags-list > li { + margin-top: 0; +} + +.request-body, .response-body { + margin-top: 1.5em; +} + +.request-method-n-url { + margin-bottom: 0; +} + +.alert-types-table { + padding-top: 0; +} + +.alert-types-table th { + width: 20%; +} + +.alert-types-table ol { + list-style-position: inside; + list-style-type: square; + padding-left: 0; +} + +.alert-types-table li:not(:first-of-type) { + margin-top: 1.5em; +} + +p.alert-types-intro { + margin-bottom: 3em; +} + +.zap-logo { + height: 1em; + margin-right: .25ch; + width: 1em; +} + +h1, h2 { + font-family: Georgia, serif; +} + +.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages { + font-family: monospace, monospace; +} + +.context, .site, .request-method-n-url { + font-family: monospace, monospace; +} 
diff --git a/TestesRealizados1/Default^Policy/zap32x32.png b/TestesRealizados1/Default^Policy/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/Dev&Full/Dev&Full.html b/TestesRealizados1/Dev&Full/Dev&Full.html new file mode 100644 index 0000000..5344918 --- /dev/null +++ b/TestesRealizados1/Dev&Full/Dev&Full.html @@ -0,0 +1,1896 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 08:01:20 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(20.0%)
1
(20.0%)
Medium0
(0.0%)
1
(20.0%)
1
(20.0%)
0
(0.0%)
2
(40.0%)
Low0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(20.0%)
1
(20.0%)
Informational0
(0.0%)
0
(0.0%)
1
(20.0%)
0
(0.0%)
1
(20.0%)
Total0
(0.0%)
1
(20.0%)
2
(40.0%)
2
(40.0%)
5
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
2
(3)
1
(4)
1
(5)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(20.0%)
Content Security Policy (CSP) Header Not SetMedium5
(100.0%)
Cross-Domain MisconfigurationMedium5
(100.0%)
Timestamp Disclosure - UnixLow5
(100.0%)
Modern Web ApplicationInformational5
(100.0%)
Total5
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
86
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
118
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
83
+
+
Info
+
+
Informational
+
+
+
+
Percentage of network failures
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
96 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
9 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
6 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
66 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
98 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
171
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
28 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (307 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:48:00 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 11:32:54 GMT
          +ETag: W/"26af-19e6e5bdc4a"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:43:35 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/robots.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (239 bytes) + +
          GET http://20.60.0.1:3000/robots.txt HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (378 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: text/plain; charset=utf-8
          +Content-Length: 28
          +ETag: W/"1c-8HgF6mNyhsSFK0pascC9uB0wjX0"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:43:35 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (28 bytes) + +
          User-agent: *
          +Disallow: /ftp
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  6. + + + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 11:32:54 GMT
          +ETag: W/"26af-19e6e5bdc4a"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:43:35 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  8. + + + + + + +
  9. +

    + Risk=Informational, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 11:32:54 GMT
          +ETag: W/"26af-19e6e5bdc4a"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 11:43:35 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  8. +
  9. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  10. +
+
+
+ +
+ + + + +
diff --git a/TestesRealizados1/Dev&Full/normalize/LICENSE.md b/TestesRealizados1/Dev&Full/normalize/LICENSE.md new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/Dev&Full/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/Dev&Full/normalize/normalize.css b/TestesRealizados1/Dev&Full/normalize/normalize.css new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/Dev&Full/normalize/normalize.css
@@ -0,0 +1,349 @@
+/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */
+
+/* Document
+ ========================================================================== */
+
+/**
+ * 1. Correct the line height in all browsers.
+ * 2. Prevent adjustments of font size after orientation changes in iOS.
+ */
+
+html {
+ line-height: 1.15; /* 1 */
+ -webkit-text-size-adjust: 100%; /* 2 */
+}
+
+/* Sections
+ ========================================================================== */
+
+/**
+ * Remove the margin in all browsers.
+ */
+
+body {
+ margin: 0;
+}
+
+/**
+ * Render the `main` element consistently in IE.
+ */
+
+main {
+ display: block;
+}
+
+/**
+ * Correct the font size and margin on `h1` elements within `section` and
+ * `article` contexts in Chrome, Firefox, and Safari.
+ */
+
+h1 {
+ font-size: 2em;
+ margin: 0.67em 0;
+}
+
+/* Grouping content
+ ========================================================================== */
+
+/**
+ * 1. Add the correct box sizing in Firefox.
+ * 2. Show the overflow in Edge and IE.
+ */
+
+hr {
+ box-sizing: content-box; /* 1 */
+ height: 0; /* 1 */
+ overflow: visible; /* 2 */
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+pre {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/* Text-level semantics
+ ========================================================================== */
+
+/**
+ * Remove the gray background on active links in IE 10.
+ */
+
+a {
+ background-color: transparent;
+}
+
+/**
+ * 1. Remove the bottom border in Chrome 57-
+ * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari.
+ */
+
+abbr[title] {
+ border-bottom: none; /* 1 */
+ text-decoration: underline; /* 2 */
+ text-decoration: underline dotted; /* 2 */
+}
+
+/**
+ * Add the correct font weight in Chrome, Edge, and Safari.
+ */
+
+b,
+strong {
+ font-weight: bolder;
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+code,
+kbd,
+samp {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/**
+ * Add the correct font size in all browsers.
+ */
+
+small {
+ font-size: 80%;
+}
+
+/**
+ * Prevent `sub` and `sup` elements from affecting the line height in
+ * all browsers.
+ */
+
+sub,
+sup {
+ font-size: 75%;
+ line-height: 0;
+ position: relative;
+ vertical-align: baseline;
+}
+
+sub {
+ bottom: -0.25em;
+}
+
+sup {
+ top: -0.5em;
+}
+
+/* Embedded content
+ ========================================================================== */
+
+/**
+ * Remove the border on images inside links in IE 10.
+ */
+
+img {
+ border-style: none;
+}
+
+/* Forms
+ ========================================================================== */
+
+/**
+ * 1. Change the font styles in all browsers.
+ * 2. Remove the margin in Firefox and Safari.
+ */
+
+button,
+input,
+optgroup,
+select,
+textarea {
+ font-family: inherit; /* 1 */
+ font-size: 100%; /* 1 */
+ line-height: 1.15; /* 1 */
+ margin: 0; /* 2 */
+}
+
+/**
+ * Show the overflow in IE.
+ * 1. Show the overflow in Edge.
+ */
+
+button,
+input { /* 1 */
+ overflow: visible;
+}
+
+/**
+ * Remove the inheritance of text transform in Edge, Firefox, and IE.
+ * 1. Remove the inheritance of text transform in Firefox.
+ */
+
+button,
+select { /* 1 */
+ text-transform: none;
+}
+
+/**
+ * Correct the inability to style clickable types in iOS and Safari.
+ */
+
+button,
+[type="button"],
+[type="reset"],
+[type="submit"] {
+ -webkit-appearance: button;
+}
+
+/**
+ * Remove the inner border and padding in Firefox.
+ */
+
+button::-moz-focus-inner,
+[type="button"]::-moz-focus-inner,
+[type="reset"]::-moz-focus-inner,
+[type="submit"]::-moz-focus-inner {
+ border-style: none;
+ padding: 0;
+}
+
+/**
+ * Restore the focus styles unset by the previous rule.
+ */
+
+button:-moz-focusring,
+[type="button"]:-moz-focusring,
+[type="reset"]:-moz-focusring,
+[type="submit"]:-moz-focusring {
+ outline: 1px dotted ButtonText;
+}
+
+/**
+ * Correct the padding in Firefox.
+ */
+
+fieldset {
+ padding: 0.35em 0.75em 0.625em;
+}
+
+/**
+ * 1. Correct the text wrapping in Edge and IE.
+ * 2. Correct the color inheritance from `fieldset` elements in IE.
+ * 3. Remove the padding so developers are not caught out when they zero out
+ * `fieldset` elements in all browsers.
+ */
+
+legend {
+ box-sizing: border-box; /* 1 */
+ color: inherit; /* 2 */
+ display: table; /* 1 */
+ max-width: 100%; /* 1 */
+ padding: 0; /* 3 */
+ white-space: normal; /* 1 */
+}
+
+/**
+ * Add the correct vertical alignment in Chrome, Firefox, and Opera.
+ */
+
+progress {
+ vertical-align: baseline;
+}
+
+/**
+ * Remove the default vertical scrollbar in IE 10+.
+ */
+
+textarea {
+ overflow: auto;
+}
+
+/**
+ * 1. Add the correct box sizing in IE 10.
+ * 2. Remove the padding in IE 10.
+ */
+
+[type="checkbox"],
+[type="radio"] {
+ box-sizing: border-box; /* 1 */
+ padding: 0; /* 2 */
+}
+
+/**
+ * Correct the cursor style of increment and decrement buttons in Chrome.
+ */
+
+[type="number"]::-webkit-inner-spin-button,
+[type="number"]::-webkit-outer-spin-button {
+ height: auto;
+}
+
+/**
+ * 1. Correct the odd appearance in Chrome and Safari.
+ * 2. Correct the outline style in Safari.
+ */
+
+[type="search"] {
+ -webkit-appearance: textfield; /* 1 */
+ outline-offset: -2px; /* 2 */
+}
+
+/**
+ * Remove the inner padding in Chrome and Safari on macOS.
+ */
+
+[type="search"]::-webkit-search-decoration {
+ -webkit-appearance: none;
+}
+
+/**
+ * 1. Correct the inability to style clickable types in iOS and Safari.
+ * 2. Change font properties to `inherit` in Safari.
+ */
+
+::-webkit-file-upload-button {
+ -webkit-appearance: button; /* 1 */
+ font: inherit; /* 2 */
+}
+
+/* Interactive
+ ========================================================================== */
+
+/*
+ * Add the correct display in Edge, IE 10+, and Firefox.
+ */
+
+details {
+ display: block;
+}
+
+/*
+ * Add the correct display in all browsers.
+ */
+
+summary {
+ display: list-item;
+}
+
+/* Misc
+ ========================================================================== */
+
+/**
+ * Add the correct display in IE 10+.
+ */
+
+template {
+ display: none;
+}
+
+/**
+ * Add the correct display in IE 10.
+ */
+
+[hidden] {
+ display: none;
+}
diff --git a/TestesRealizados1/Dev&Full/themes/original/colors.css b/TestesRealizados1/Dev&Full/themes/original/colors.css new file mode 100644
index 0000000..fd3b963
--- /dev/null
+++ b/TestesRealizados1/Dev&Full/themes/original/colors.css
@@ -0,0 +1,139 @@
+body {
+ background-color: #306aa0;
+ background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%);
+}
+
+main, footer {
+ background-color: #fff;
+}
+
+header {
+ background-color: #00549e;
+ color: #fff;
+}
+
+a:link {
+ color: #004380;
+}
+
+a:visited {
+ color: #770d67;
+}
+
+a:focus {
+ background-color: #ffd54d;
+}
+
+a:hover {
+ background-color: #ffd54d;
+}
+
+a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+header a:link {
+ color: #f2f7fd;
+}
+
+header a:visited {
+ color: #f2b5e9;
+}
+
+header a:focus {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:hover {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #fff6db;
+}
+
+summary:focus {
+ background-color: #ffd54d;
+}
+
+summary:hover {
+ background-color: #ffd54d;
+}
+
+summary:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+h2, h3, h4, h5, h6 {
+ color: #00549e;
+}
+
+.risk-level, .confidence-level {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left-color: #fff;
+}
+
+.alerts-table th, .alert-types-table th {
+ background-color: #306aa0;
+ color: #fff;
+}
+
+.additional-info-percentages {
+ color: #00549e;
+}
+
+.insights-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.insights-table th[scope="col"] {
+ background-color: #00549e;
+ border-left-color: #fff;
+ color: #fff;
+}
diff --git a/TestesRealizados1/Dev&Full/themes/original/main.css b/TestesRealizados1/Dev&Full/themes/original/main.css new file mode 100644
index 0000000..050bd3f
--- /dev/null
+++ b/TestesRealizados1/Dev&Full/themes/original/main.css
@@ -0,0 +1,417 @@ +*, *::after, *::before { + box-sizing: border-box; +} + +h1, h2, h3, h4, h5, h6 { + margin: 0; + padding: 0; +} + +pre, ul { + margin: 0; +} + +ol { + list-style-type: none; +} + +h1 { + font-size: 3em; +} + +h2 { + font-size: 2em; +} + +h3, h4, h5, h6 { + font-size: 1em; +} + +html { + box-sizing: border-box; + font-family: Verdana, sans-serif; + line-height: 1.5; +} + +body { + margin: 1.5em 0; +} + +@media screen and (min-width: 50em) { + body { + margin: 1.5em 2ch; + padding: 1.5em 2ch; + } +} + +a:active, header a:active { + outline-style: solid; +} + +header, main { + margin: 0 auto; + max-width: 90ch; + padding: 1.5em 4ch; +} + +header { + border-radius: .25em .25em 0 0; +} + +main { + border-radius: 0 0 .25em .25em; +} + +summary { + cursor: pointer; +} + +.contents { + margin-top: 1.5em; +} + +main > section { + margin-bottom: 4.5em; +} + +.about-this-report > section { + margin-bottom: 3em; +} + +.summaries section { + margin-bottom: 3em; +} + +h2 { + margin-bottom: .75em; +} + +h3 { + margin-bottom: 1.5em; +} + +h4 { + margin-bottom: 1.5em; +} + +.report-parameters--container h4 { + margin-top: 1.5em; +} + +p { + margin: 1.5em 0; +} + +p:first-of-type { + margin-top: 0; +} + +p:last-of-type { + margin-bottom: 0; +} + +.contents li, .alerts li, .alert-types > ol > li { + margin-top: 1.5em; +} + +.alert-types h4 { + margin-bottom: 0; +} + +a { + border-radius: .125em; +} + +caption { + margin-bottom: 1.5em; + text-align: left; +} + +code, .request-method-n-url { + overflow-wrap: anywhere; + white-space: break-spaces; +} + +table { + border-collapse: collapse; +} + +.report-description--container, .report-parameters--container { + margin-left: 2ch; + padding: 0 2ch; +} + +.about-this-report h3, .summaries h3, .appendix h3 { + border-bottom: .05em solid; +} + +.alerts h4 { + text-align: center; +} + +.alerts ol { + padding-left: 0; +} + +.alerts--site-li { + border: .05em solid; + border-radius: .25em; + margin-left: 2ch; + padding: 1.5em 
3ch; +} + +.contents ol { + list-style-position: inside; + list-style-type: square; + padding-left: 4ch; +} + +.contexts-list, .sites-list { + list-style-type: square; +} + +.risk-confidence-counts-table { + width: 100%; +} + +.risk-confidence-counts-table tr { + height: 4.5em; +} + +.risk-confidence-counts-table thead > tr { + height: 3em; +} + +.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] { + hyphens: auto; + overflow-wrap: anywhere; + word-break: break-all; +} + +.risk-confidence-counts-table th[scope="row"] { + padding-right: 5%; +} + +@media screen and (max-width: 50em) { + .risk-confidence-counts-table th[scope="row"] { + padding-right: 1ch; + } +} + +.risk-confidence-counts-table th[scope="rowgroup"] { + padding: 0 .5ch; + vertical-align: middle; +} + +.risk-confidence-counts-table > tbody > tr { + border-top: .05em solid; +} + +.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td { + vertical-align: top; +} + +.risk-confidence-counts-table th[scope="col"] { + vertical-align: bottom; +} + +.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + font-family: monospace, monospace; + font-weight: bold; +} + +.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] { + font-weight: normal; +} + +.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + text-align: right; +} + +.site-risk-counts-table { + width: 100%; +} + +.site-risk-counts-table tr { + height: 4.5em; +} + +.site-risk-counts-table thead > tr:first-of-type { + height: 3em; +} + +.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] { + hyphens: auto; + overflow-wrap: anywhere; + word-break: break-all; +} + +.site-risk-counts-table th[scope="row"] { + padding-right: 1%; +} + +@media screen and (max-width: 50em) { + 
.site-risk-counts-table th[scope="row"] { + padding-right: 1ch; + } +} + +.site-risk-counts-table th[scope="rowgroup"] { + padding: 0 .5ch; + vertical-align: middle; +} + +.site-risk-counts-table > tbody > tr { + border-top: .05em solid; +} + +.site-risk-counts-table th[scope="row"], .site-risk-counts-table td { + vertical-align: top; +} + +.site-risk-counts-table th[scope="col"] { + vertical-align: bottom; +} + +.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + font-family: monospace, monospace; + font-weight: bold; +} + +.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] { + font-weight: normal; +} + +.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + text-align: right; +} + +.alert-type-counts-table { + width: 100%; +} + +.alert-type-counts-table th, .alert-type-counts-table td { + padding: 0 1rem; + text-align: left; + vertical-align: top; +} + +.alert-type-counts-table td:nth-last-of-type(2) { + padding-left: 1.5rem; +} + +.alert-type-counts-table > tbody > tr { + border-bottom: 0.05em dotted; +} + +.alert-type-counts-table th[scope="col"] { + border-left: 1rem solid; +} + +.alert-type-counts-table th[scope="col"]:first-of-type { + border-left: 0; +} + +.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type { + text-align: right; +} + +.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] { + font-weight: normal; +} + +.alert-type-counts-table th[scope="row"], .alert-type-counts-table td { + padding-bottom: 1.5em; +} + +.alert-type-counts-table thead > th:first-of-type { + width: 45%; +} + +.alerts-table, .alert-types-table, .insights-table { + border-collapse: separate; + border-spacing: 2ch 1.5em; + width: 100%; +} + +.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th { + 
vertical-align: top; +} + +.alerts-table td, .alert-types-table td, .insights-table td { + overflow-wrap: anywhere; +} + +.alerts-table th, .alert-types-table th, .insights-table th { + padding: 0 1ch; +} + +.alerts-table td, .alert-types-table td { + padding: 0 2ch; +} + +.insights-table td { + padding: 0 1ch; +} + +.alerts-table summary { + margin-bottom: 1.5em; +} + +.alert-tags-list { + list-style-position: inside; + list-style-type: square; + padding-left: 0; +} + +.alert-tags-list > li { + margin-top: 0; +} + +.request-body, .response-body { + margin-top: 1.5em; +} + +.request-method-n-url { + margin-bottom: 0; +} + +.alert-types-table { + padding-top: 0; +} + +.alert-types-table th { + width: 20%; +} + +.alert-types-table ol { + list-style-position: inside; + list-style-type: square; + padding-left: 0; +} + +.alert-types-table li:not(:first-of-type) { + margin-top: 1.5em; +} + +p.alert-types-intro { + margin-bottom: 3em; +} + +.zap-logo { + height: 1em; + margin-right: .25ch; + width: 1em; +} + +h1, h2 { + font-family: Georgia, serif; +} + +.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages { + font-family: monospace, monospace; +} + +.context, .site, .request-method-n-url { + font-family: monospace, monospace; +} 
diff --git a/TestesRealizados1/Dev&Full/zap32x32.png b/TestesRealizados1/Dev&Full/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/Dev&Standard/Dev&Standard.html b/TestesRealizados1/Dev&Standard/Dev&Standard.html new file mode 100644 index 0000000..c43c690 --- /dev/null +++ b/TestesRealizados1/Dev&Standard/Dev&Standard.html @@ -0,0 +1,2645 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 08:32:21 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(11.1%)
1
(11.1%)
Medium0
(0.0%)
2
(22.2%)
2
(22.2%)
0
(0.0%)
4
(44.4%)
Low0
(0.0%)
0
(0.0%)
2
(22.2%)
1
(11.1%)
3
(33.3%)
Informational0
(0.0%)
0
(0.0%)
1
(11.1%)
0
(0.0%)
1
(11.1%)
Total0
(0.0%)
2
(22.2%)
5
(55.6%)
2
(22.2%)
9
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
4
(5)
3
(8)
1
(9)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(11.1%)
Content Security Policy (CSP) Header Not SetMedium5
(55.6%)
Cross-Domain MisconfigurationMedium5
(55.6%)
Missing Anti-clickjacking HeaderMedium3
(33.3%)
Session ID in URL RewriteMedium5
(55.6%)
Private IP DisclosureLow1
(11.1%)
Timestamp Disclosure - UnixLow5
(55.6%)
X-Content-Type-Options Header MissingLow5
(55.6%)
Modern Web ApplicationInformational5
(55.6%)
Total9
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
85
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
180
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
63
+
+
Low
+
+
Exceeded Low
+
+
+
+
Percentage of network failures
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
91 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 3xx
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
7 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
8 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/svg+xml
+
+
19 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
50 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
98 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
226
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
33 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (433 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +Cookie: language=en; continueCode=y1OzBZxNpnLrM5WmgEKv8XakQ7DA6LcQGJ6yOlV9Pow1jYqbz2eRB34oE5mM; welcomebanner_status=dismiss
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:29:02 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:13:04 GMT
          +ETag: W/"26af-19e6e80a1b5"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:19:28 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Session ID in URL Rewrite (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkX-o2&sid=KZ3HJUr0aCv_HSEPAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkX-o2&sid=KZ3HJUr0aCv_HSEPAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 12:21:02 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          sid
          Evidence
          KZ3HJUr0aCv_HSEPAAAA
          Solution +

          For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:13:04 GMT
          +ETag: W/"26af-19e6e80a1b5"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:19:28 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Missing Anti-clickjacking Header (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkX-o2&sid=KZ3HJUr0aCv_HSEPAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkX-o2&sid=KZ3HJUr0aCv_HSEPAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 12:21:02 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          x-frame-options
          Solution +

          Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

          + +

          If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  6. + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Private IP Disclosure (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/admin/application-configuration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

          +
          Other info +

          192.168.99.100:3000

          + +

          192.168.99.100:4200

          +
          Request
          + Request line and header section (314 bytes) + +
          GET http://20.60.0.1:3000/rest/admin/application-configuration HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (389 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 23513
          +ETag: W/"5bd9-reVonwE2GOcMzw2LpzIkSqyB2OE"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:21:01 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (23513 bytes) + +
          {"config":{"server":{"port":3000,"basePath":"","baseUrl":"http://localhost:3000"},"application":{"domain":"juice-sh.op","name":"OWASP Juice Shop","logo":"JuiceShop_Logo.png","favicon":"favicon_js.ico","theme":"bluegrey-lightgreen","showVersionNumber":true,"showGitHubLinks":true,"localBackupEnabled":true,"numberOfRandomFakeUsers":0,"altcoinName":"Juicycoin","privacyContactEmail":"donotreply@owasp-juice.shop","customMetricsPrefix":"juiceshop","chatBot":{"name":"Juicy the Smart Assistant","avatar":"JuicyChatBot.png","model":"gemma4:e4b","llmMaxRetries":2,"sampleQuestions":["CHATBOT_PROMPT_RECOMMENDATION_SUMMER_PARTY","CHATBOT_PROMPT_RECOMMENDATION_POPULAR","CHATBOT_PROMPT_RECOMMENDATION_SUGAR_FREE","CHATBOT_PROMPT_RECOMMENDATION_START_DAY","CHATBOT_PROMPT_RECOMMENDATION_SEASONAL"]},"social":{"blueSkyUrl":"https://bsky.app/profile/owasp-juice.shop","mastodonUrl":"https://fosstodon.org/@owasp_juiceshop","twitterUrl":"https://twitter.com/owasp_juiceshop","facebookUrl":"https://www.facebook.com/owasp.juiceshop","slackUrl":"https://owasp.org/slack/invite","redditUrl":"https://www.reddit.com/r/owasp_juiceshop","pressKitUrl":"https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop","nftUrl":"https://opensea.io/collection/juice-shop","questionnaireUrl":null},"recyclePage":{"topProductImage":"fruit_press.jpg","bottomProductImage":"apple_pressings.jpg"},"welcomeBanner":{"showOnFirstStart":true,"title":"Welcome to OWASP Juice Shop!","message":"<p>Being a web application with a vast number of intended security vulnerabilities, the <strong>OWASP Juice Shop</strong> is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. 
The <strong>OWASP Juice Shop</strong> is an open-source project hosted by the non-profit <a href='https://owasp.org' target='_blank'>Open Worldwide Application Security Project (OWASP)</a> and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.</p><h1><a href='https://owasp-juice.shop' target='_blank'>https://owasp-juice.shop</a></h1>"},"cookieConsent":{"message":"This website uses fruit cookies to ensure you get the juiciest tracking experience.","dismissText":"Me want it!","linkText":"But me wait!","linkUrl":"https://www.youtube.com/watch?v=9PnbKL3wuH4"},"securityTxt":{"contact":"mailto:donotreply@owasp-juice.shop","encryption":"https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda","acknowledgements":"/#/score-board","hiring":"/#/jobs","csaf":"/.well-known/csaf/provider-metadata.json"},"promotion":{"video":"owasp_promo.mp4","subtitles":"owasp_promo.vtt"},"easterEggPlanet":{"name":"Orangeuze","overlayMap":"orangemap2k.avif"},"googleOauth":{"clientId":"1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq.apps.googleusercontent.com","authorizedRedirects":[{"uri":"https://demo.owasp-juice.shop"},{"uri":"https://juice-shop.herokuapp.com"},{"uri":"https://preview.owasp-juice.shop"},{"uri":"https://juice-shop-staging.herokuapp.com"},{"uri":"https://juice-shop.wtf"},{"uri":"http://localhost:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://127.0.0.1:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://localhost:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://127.0.0.1:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://192.168.99.100:3000","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://192.168.99.100:4200","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:3000","proxy":"https://localchromeos.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:4
200","proxy":"https://localchromeos.owasp-juice.shop"}]}},"challenges":{"showSolvedNotifications":true,"showHints":true,"showMitigations":true,"codingChallengesEnabled":"solved","restrictToTutorialsFirst":false,"overwriteUrlForProductTamperingChallenge":"https://owasp.slack.com","xssBonusPayload":"<iframe width=\"100%\" height=\"166\" scrolling=\"no\" frameborder=\"no\" allow=\"autoplay\" src=\"https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true\"></iframe>","safetyMode":"auto","csafHashValue":"7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843","metricsIgnoredUserAgents":["Prometheus","Alloy","promscrape","otelcol"]},"hackingInstructor":{"isEnabled":true,"avatarImage":"JuicyBot.png","hintPlaybackSpeed":"normal"},"products":[{"name":"Apple Juice (1000ml)","price":1.99,"deluxePrice":0.99,"limitPerUser":5,"description":"The all-time classic.","image":"apple_juice.jpg","reviews":[{"text":"One of my favorites!","author":"admin"},{"text":"Great! We'll have an apple party. Everyone brings an apple and - STUFFS IT DOWN EACH OTHER'S THROAT!","author":"basil"}]},{"name":"Orange Juice (1000ml)","description":"Made from oranges hand-picked by Uncle Dittmeyer.","price":2.99,"deluxePrice":2.49,"image":"orange_juice.jpg","reviews":[{"text":"y0ur f1r3wall needs m0r3 musc13","author":"uvogin"}]},{"name":"Eggfruit Juice (500ml)","description":"Now with even more exotic flavour.","price":8.99,"image":"eggfruit_juice.jpg","reviews":[{"text":"I bought it, would buy again. 
5/7","author":"admin"}]},{"name":"Raspberry Juice (1000ml)","description":"Made from blended Raspberry Pi, water and sugar.","price":4.99,"image":"raspberry_juice.jpg"},{"name":"Lemon Juice (500ml)","description":"Sour but full of vitamins.","price":2.99,"deluxePrice":1.99,"limitPerUser":5,"image":"lemon_juice.jpg"},{"name":"Banana Juice (1000ml)","description":"Monkeys love it the most.","price":1.99,"image":"banana_juice.jpg","reviews":[{"text":"Fry liked it too.","author":"bender"}]},{"name":"OWASP Juice Shop T-Shirt","description":"Real fans wear it 24/7!","price":22.49,"limitPerUser":5,"image":"fan_shirt.jpg"},{"name":"OWASP Juice Shop CTF Girlie-Shirt","description":"For serious Capture-the-Flag heroines only!","price":22.49,"image":"fan_girlie.jpg"},{"name":"OWASP SSL Advanced Forensic Tool (O-Saft)","description":"O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.","price":0.01,"image":"orange_juice.jpg","urlForProductTamperingChallenge":"https://www.owasp.org/index.php/O-Saft"},{"name":"Christmas Super-Surprise-Box (2014 Edition)","description":"Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!","price":29.99,"image":"undefined.jpg","useForChristmasSpecialChallenge":true},{"name":"Rippertuer Special Juice","description":"Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span>","price":16.99,"image":"undefined.jpg","keywordsForPastebinDataLeakChallenge":["hueteroneel","eurogium edule"]},{"name":"OWASP Juice Shop Sticker (2015/2016 design)","description":"Die-cut sticker with the official 2015/2016 logo. 
By now this is a rare collectors item. <em>Out of stock!</em>","price":999.99,"image":"sticker.png","deletedDate":"2017-04-28"},{"name":"OWASP Juice Shop Iron-Ons (16pcs)","description":"Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!","price":14.99,"image":"iron-on.jpg"},{"name":"OWASP Juice Shop Magnets (16pcs)","description":"Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!","price":15.99,"image":"magnets.jpg"},{"name":"OWASP Juice Shop Sticker Page","description":"Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.","price":9.99,"image":"sticker_page.jpg"},{"name":"OWASP Juice Shop Sticker Single","description":"Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!","price":4.99,"image":"sticker_single.jpg"},{"name":"OWASP Juice Shop Temporary Tattoos (16pcs)","description":"Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! 
Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!","price":14.99,"image":"tattoo.jpg","reviews":[{"text":"I straight-up gots nuff props fo'these tattoos!","author":"rapper"}]},{"name":"OWASP Juice Shop Mug","description":"Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!","price":21.99,"image":"fan_mug.jpg"},{"name":"OWASP Juice Shop Hoodie","description":"Mr. Robot-style apparel. But in black. And with logo.","price":49.99,"image":"fan_hoodie.jpg"},{"name":"OWASP Juice Shop-CTF Velcro Patch","description":"4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!","price":2.92,"quantity":5,"limitPerUser":5,"image":"velcro-patch.jpg","reviews":[{"text":"This thang would look phat on Bobby's jacked fur coat!","author":"rapper"},{"text":"Looks so much better on my uniform than the boring Starfleet symbol.","author":"jim"}]},{"name":"Woodruff Syrup \"Forest Master X-Treme\"","description":"Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.","price":6.99,"image":"woodruff_syrup.jpg"},{"name":"Green Smoothie","description":"Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.","price":1.99,"image":"green_smoothie.jpg","reviews":[{"text":"Fresh out of a replicator.","author":"jim"}]},{"name":"Quince Juice (1000ml)","description":"Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.","price":4.99,"image":"quince.jpg"},{"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"limitPerUser":5,"image":"apple_pressings.jpg"},{"name":"Fruit Press","description":"Fruits go in. 
Juice comes out. Pomace you can send back to us for recycling purposes.","price":89.99,"image":"fruit_press.jpg"},{"name":"OWASP Juice Shop Logo (3D-printed)","description":"This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.","price":99.99,"image":"3d_keychain.jpg","fileForRetrieveBlueprintChallenge":"JuiceShop.stl","exifForBlueprintChallenge":["OpenSCAD"]},{"name":"Juice Shop Artwork","description":"Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.","price":278.74,"quantity":0,"image":"artwork.jpg","deletedDate":"2020-12-24"},{"name":"Global OWASP WASPY Award 2017 Nomination","description":"Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>","price":0.03,"image":"waspy.png","deletedDate":"2017-07-01"},{"name":"Strawberry Juice (500ml)","description":"Sweet & tasty!","price":3.99,"image":"strawberry_juice.jpeg"},{"name":"Carrot Juice (1000ml)","description":"As the old German saying goes: \"Carrots are good for the eyes. 
Or has anyone ever seen a rabbit with glasses?\"","price":2.99,"image":"carrot_juice.jpeg","reviews":[{"text":"0 st4rs f0r 7h3 h0rr1bl3 s3cur17y","author":"uvogin"}]},{"name":"OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)","description":"10 sheets of Sweden-themed stickers with 15 stickers on each.","price":19.1,"image":"stickersheet_se.png","deletedDate":"2017-09-20"},{"name":"Pwning OWASP Juice Shop","description":"<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!","price":5.99,"image":"cover_small.jpg","reviews":[{"text":"Even more interesting than watching Interdimensional Cable!","author":"morty"}]},{"name":"Melon Bike (Comeback-Product 2018 Edition)","description":"The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.","price":2999,"quantity":3,"limitPerUser":1,"image":"melon_bike.jpeg"},{"name":"OWASP Juice Shop Coaster (10pcs)","description":"Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.","price":19.99,"quantity":0,"image":"coaster.jpg"},{"name":"OWASP Snakes and Ladders - Web Applications","description":"This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!","price":0.01,"quantity":8,"image":"snakes_ladders.jpg","reviews":[{"text":"Wait for a 10$ Steam sale of Tabletop Simulator!","author":"bjoernOwasp"}]},{"name":"OWASP Snakes and Ladders - Mobile Apps","description":"This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> 
now!","price":0.01,"quantity":0,"image":"snakes_ladders_m.jpg","reviews":[{"text":"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!","author":"rapper"}]},{"name":"OWASP Juice Shop Holographic Sticker","description":"Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!","price":2,"quantity":0,"image":"holo_sticker.png","reviews":[{"text":"Rad, dude!","author":"rapper"},{"text":"Looks spacy on Bones' new tricorder!","author":"jim"},{"text":"Will put one on the Planet Express ship's bumper!","author":"bender"}]},{"name":"OWASP Juice Shop \"King of the Hill\" Facemask","description":"Facemask with compartment for filter from 50% cotton and 50% polyester.","price":13.49,"quantity":0,"limitPerUser":1,"image":"fan_facemask.jpg","reviews":[{"text":"K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!","author":"uvogin"},{"text":"Puny mask for puny human weaklings!","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Common)","description":"Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":2.99,"deluxePrice":0.99,"deletedDate":"2020-11-30","limitPerUser":5,"image":"ccg_common.png","reviews":[{"text":"Ooooh, puny human playing Mau Mau, now?","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Super Rare)","description":"Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":99.99,"deluxePrice":69.99,"deletedDate":"2020-11-30","quantity":2,"limitPerUser":1,"image":"ccg_foil.png","reviews":[{"text":"Mau Mau with bling-bling? 
Humans are so pathetic!","author":"bender"}]},{"name":"Juice Shop \"Permafrost\" 2020 Edition","description":"Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.","price":9999.99,"quantity":1,"limitPerUser":1,"image":"permafrost.jpg","reviews":[{"text":"🧊 Let it go, let it go 🎶 Can't hold it back anymore 🎶 Let it go, let it go 🎶 Turn away and slam the door ❄️","author":"rapper"}]},{"name":"Best Juice Shop Salesman Artwork","description":"Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.","price":5000,"quantity":1,"image":"artwork2.jpg","reviews":[{"text":"I'd stand on my head to make you a deal for this piece of art.","author":"stan"},{"text":"Just when my opinion of humans couldn't get any lower, along comes Stan...","author":"bender"}]},{"name":"OWASP Juice Shop Card (non-foil)","description":"Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!","price":1000,"quantity":3,"limitPerUser":1,"image":"card_alpha.jpg","reviews":[{"text":"DO NOT PLAY WITH THIS! 
Double-sleeve, then put it in the GitHub Arctic Vault for perfect preservation and boost of secondary market value!","author":"accountant"}]},{"name":"20th Anniversary Celebration Ticket","description":"Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!","price":1e-20,"deletedDate":"2021-09-25","limitPerUser":1,"image":"20th.jpeg","reviews":[{"text":"I'll be there! Will you, too?","author":"bjoernOwasp"}]},{"name":"OWASP Juice Shop LEGO™ Tower","description":"Want to host a Juice Shop CTF in style? Build <a href=\"https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/lego/OWASP%20JuiceShop%20Pi-server%201.2.pdf\" target=\"_blank\">your own LEGO™ tower</a> which holds four Raspberry Pi 4 models with PoE HAT modules <a href=\"https://github.com/juice-shop/multi-juicer/blob/main/guides/raspberry-pi/raspberry-pi.md\" target=\"_blank\">running a MultiJuicer Kubernetes cluster</a>! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!","price":799,"quantity":3,"limitPerUser":1,"image":"lego_case.jpg","reviews":[{"text":"Check out the /#/photo-wall for some impressions of the assembly process!","author":"bjoernOwasp"}]},{"name":"DSOMM & Juice Shop User Day Ticket","description":"You are going to the OWASP Global AppSec San Francisco 2024? <a href=\"https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707\" target=\"_blank\">Get a ticket<sup>*</sup></a> for this amazing side event as well! 
Check the juice-packed agenda <a href=\"https://owasp.org/www-project-juice-shop/#div-userday2024\" target=\"_blank\">here</a> for all the details!<br><br><small><small><sup>*</sup>=scroll down to <strong>Elevate: DSOMM and Juice Shop User Day (Sept. 25)</strong> after clicking <em>Get Tickets</em> on Eventbrite. Ticket price set to only covers fees for room, AV, and catering throughout the day.</small></small>","price":55.2,"deletedDate":"2024-09-26","limitPerUser":1,"image":"user_day_ticket.png","reviews":[{"text":"The DSOMM Live Assessment session will even use Juice Shop as its \"real-world\" example!","author":"timo"},{"text":"We will showcase the amazing MultiJuicer Lego Tower at this event!","author":"jannik"}]},{"name":"Pineapple Juice (1000ml)","description":"Tropical refreshment from the finest sun-ripened pineapples.","price":2.99,"image":"pineapple_juice.png"},{"name":"Melon Juice (1000ml)","description":"Refreshing and sweet juice made from ripe melons.","price":2.49,"image":"melon_juice.png"},{"name":"Grape Juice (1000ml)","description":"Deep purple and full of antioxidants from selected grapes.","price":2.99,"image":"grape_juice.png"},{"name":"Dragonfruit Juice (500ml)","description":"Exotic and vibrant juice made from dragonfruit.","price":3.99,"image":"dragonfruit_juice.png"},{"name":"Berry Juice (1000ml)","description":"A delicious blend of fresh forest berries.","price":3.49,"image":"berry_juice.png"},{"name":"Basil Smoothie","description":"A unique blend of fresh basil and ginger for a healthy kick.","price":2.99,"image":"basil_smoothie.png","reviews":[{"text":"(ง'̀-'́)ง","author":"basil"}]},{"name":"Bragă (500ml)","description":"Traditional Balkan drink made from fermented millet. Lightly sweet-sour, refreshing, and naturally energizing.","price":2.49,"image":"braga.jpg"},{"name":"Elderflower Cordial (500ml)","description":"Floral and fragrant soft drink made from elderflowers. 
Traditionally enjoyed chilled.","price":3.29,"image":"elderflower_cordial.jpg"},{"name":"Sea Buckthorn Juice (500ml)","description":"Tangy and slightly sour juice, extremely rich in Vitamin C and antioxidants.","price":3.99,"image":"sea_buckthorn_juice.jpg"},{"name":"Pomegranate Drink (500ml)","description":"A sweet and tart refreshment inspired by classic grenadine flavors.","price":4.49,"image":"pomegranate_drink.jpg"}],"memories":[{"image":"magn(et)ificent!-1571814229653.jpg","caption":"Magn(et)ificent!","user":"bjoernGoogle"},{"image":"my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg","caption":"My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]","user":"bjoernGoogle"},{"image":"favorite-hiking-place.png","caption":"I love going hiking here...","geoStalkingMetaSecurityQuestion":14,"geoStalkingMetaSecurityAnswer":"Daniel Boone National Forest"},{"image":"IMG_4253.jpg","caption":"My old workplace...","geoStalkingVisualSecurityQuestion":10,"geoStalkingVisualSecurityAnswer":"ITsec"},{"image":"BeeHaven.png","caption":"Welcome to the Bee Haven (/#/bee-haven)🐝","user":"evm"},{"image":"sorted-the-pieces,-starting-assembly-process-1721152307290.jpg","caption":"Sorted the pieces, starting assembly process...","user":"bjoernOwasp"},{"image":"building-something-literally-bottom-up-1721152342603.jpg","caption":"Building something literally bottom up...","user":"bjoernOwasp"},{"image":"putting-in-the-hardware-1721152366854.jpg","caption":"Putting in the hardware...","user":"bjoernOwasp"},{"image":"everything-up-and-running!-1721152385146.jpg","caption":"Everything up and running!","user":"bjoernOwasp"}],"ctf":{"showFlagsInNotifications":false,"showCountryDetailsInNotifications":"none","countryMapping":null,"systemWideNotifications":{"url":null,"pollFrequencySeconds":null}}}}
          + + +
          Evidence
          192.168.99.100:3000
          Solution +

          Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + X-Content-Type-Options Header Missing (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkX-Q0 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          +
          Other info +

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          + +

          At "High" threshold this scan rule will not alert on client or server error responses.

          +
          Request
          + Request line and header section (292 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkX-Q0 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 96
          +Date: Thu, 28 May 2026 12:21:00 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (96 bytes) + +
          0{"sid":"KZ3HJUr0aCv_HSEPAAAA","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}
          + + +
          Parameter
          x-content-type-options
          Solution +

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          + +

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  8. + +
  9. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:13:04 GMT
          +ETag: W/"26af-19e6e80a1b5"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:19:28 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + + + + +
  11. +

    + Risk=Informational, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:13:04 GMT
          +ETag: W/"26af-19e6e80a1b5"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:19:28 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  12. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Missing Anti-clickjacking Header

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Anti-clickjacking Header) + +
    CWE ID1021
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    2. +
    +
    +
  8. +
  9. +

    Session ID in URL Rewrite

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session ID in URL Rewrite) + +
    CWE ID598
    WASC ID13
    Reference +
      +
    1. https://seclists.org/webappsec/2002/q4/111
    2. +
    +
    +
  10. +
  11. +

    Private IP Disclosure

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Private IP Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://datatracker.ietf.org/doc/html/rfc1918
    2. +
    +
    +
  12. +
  13. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  14. +
  15. +

    X-Content-Type-Options Header Missing

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (X-Content-Type-Options Header Missing) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. +
    3. https://owasp.org/www-community/Security_Headers
    4. +
    +
    +
  16. +
  17. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  18. +
+
+
+ +
+
+
+
+
+
diff --git a/TestesRealizados1/Dev&Standard/normalize/LICENSE.md b/TestesRealizados1/Dev&Standard/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/Dev&Standard/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/Dev&Standard/normalize/normalize.css b/TestesRealizados1/Dev&Standard/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/Dev&Standard/normalize/normalize.css
@@ -0,0 +1,349 @@
+/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */
+
+/* Document
+ ========================================================================== */
+
+/**
+ * 1. Correct the line height in all browsers.
+ * 2. Prevent adjustments of font size after orientation changes in iOS.
+ */
+
+html {
+ line-height: 1.15; /* 1 */
+ -webkit-text-size-adjust: 100%; /* 2 */
+}
+
+/* Sections
+ ========================================================================== */
+
+/**
+ * Remove the margin in all browsers.
+ */
+
+body {
+ margin: 0;
+}
+
+/**
+ * Render the `main` element consistently in IE.
+ */
+
+main {
+ display: block;
+}
+
+/**
+ * Correct the font size and margin on `h1` elements within `section` and
+ * `article` contexts in Chrome, Firefox, and Safari.
+ */
+
+h1 {
+ font-size: 2em;
+ margin: 0.67em 0;
+}
+
+/* Grouping content
+ ========================================================================== */
+
+/**
+ * 1. Add the correct box sizing in Firefox.
+ * 2. Show the overflow in Edge and IE.
+ */
+
+hr {
+ box-sizing: content-box; /* 1 */
+ height: 0; /* 1 */
+ overflow: visible; /* 2 */
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+pre {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/* Text-level semantics
+ ========================================================================== */
+
+/**
+ * Remove the gray background on active links in IE 10.
+ */
+
+a {
+ background-color: transparent;
+}
+
+/**
+ * 1. Remove the bottom border in Chrome 57-
+ * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari.
+ */
+
+abbr[title] {
+ border-bottom: none; /* 1 */
+ text-decoration: underline; /* 2 */
+ text-decoration: underline dotted; /* 2 */
+}
+
+/**
+ * Add the correct font weight in Chrome, Edge, and Safari.
+ */
+
+b,
+strong {
+ font-weight: bolder;
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+code,
+kbd,
+samp {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/**
+ * Add the correct font size in all browsers.
+ */
+
+small {
+ font-size: 80%;
+}
+
+/**
+ * Prevent `sub` and `sup` elements from affecting the line height in
+ * all browsers.
+ */
+
+sub,
+sup {
+ font-size: 75%;
+ line-height: 0;
+ position: relative;
+ vertical-align: baseline;
+}
+
+sub {
+ bottom: -0.25em;
+}
+
+sup {
+ top: -0.5em;
+}
+
+/* Embedded content
+ ========================================================================== */
+
+/**
+ * Remove the border on images inside links in IE 10.
+ */
+
+img {
+ border-style: none;
+}
+
+/* Forms
+ ========================================================================== */
+
+/**
+ * 1. Change the font styles in all browsers.
+ * 2. Remove the margin in Firefox and Safari.
+ */
+
+button,
+input,
+optgroup,
+select,
+textarea {
+ font-family: inherit; /* 1 */
+ font-size: 100%; /* 1 */
+ line-height: 1.15; /* 1 */
+ margin: 0; /* 2 */
+}
+
+/**
+ * Show the overflow in IE.
+ * 1. Show the overflow in Edge.
+ */
+
+button,
+input { /* 1 */
+ overflow: visible;
+}
+
+/**
+ * Remove the inheritance of text transform in Edge, Firefox, and IE.
+ * 1. Remove the inheritance of text transform in Firefox.
+ */
+
+button,
+select { /* 1 */
+ text-transform: none;
+}
+
+/**
+ * Correct the inability to style clickable types in iOS and Safari.
+ */
+
+button,
+[type="button"],
+[type="reset"],
+[type="submit"] {
+ -webkit-appearance: button;
+}
+
+/**
+ * Remove the inner border and padding in Firefox.
+ */
+
+button::-moz-focus-inner,
+[type="button"]::-moz-focus-inner,
+[type="reset"]::-moz-focus-inner,
+[type="submit"]::-moz-focus-inner {
+ border-style: none;
+ padding: 0;
+}
+
+/**
+ * Restore the focus styles unset by the previous rule.
+ */
+
+button:-moz-focusring,
+[type="button"]:-moz-focusring,
+[type="reset"]:-moz-focusring,
+[type="submit"]:-moz-focusring {
+ outline: 1px dotted ButtonText;
+}
+
+/**
+ * Correct the padding in Firefox.
+ */
+
+fieldset {
+ padding: 0.35em 0.75em 0.625em;
+}
+
+/**
+ * 1. Correct the text wrapping in Edge and IE.
+ * 2. Correct the color inheritance from `fieldset` elements in IE.
+ * 3. Remove the padding so developers are not caught out when they zero out
+ * `fieldset` elements in all browsers.
+ */
+
+legend {
+ box-sizing: border-box; /* 1 */
+ color: inherit; /* 2 */
+ display: table; /* 1 */
+ max-width: 100%; /* 1 */
+ padding: 0; /* 3 */
+ white-space: normal; /* 1 */
+}
+
+/**
+ * Add the correct vertical alignment in Chrome, Firefox, and Opera.
+ */
+
+progress {
+ vertical-align: baseline;
+}
+
+/**
+ * Remove the default vertical scrollbar in IE 10+.
+ */
+
+textarea {
+ overflow: auto;
+}
+
+/**
+ * 1. Add the correct box sizing in IE 10.
+ * 2. Remove the padding in IE 10.
+ */
+
+[type="checkbox"],
+[type="radio"] {
+ box-sizing: border-box; /* 1 */
+ padding: 0; /* 2 */
+}
+
+/**
+ * Correct the cursor style of increment and decrement buttons in Chrome.
+ */
+
+[type="number"]::-webkit-inner-spin-button,
+[type="number"]::-webkit-outer-spin-button {
+ height: auto;
+}
+
+/**
+ * 1. Correct the odd appearance in Chrome and Safari.
+ * 2. Correct the outline style in Safari.
+ */
+
+[type="search"] {
+ -webkit-appearance: textfield; /* 1 */
+ outline-offset: -2px; /* 2 */
+}
+
+/**
+ * Remove the inner padding in Chrome and Safari on macOS.
+ */
+
+[type="search"]::-webkit-search-decoration {
+ -webkit-appearance: none;
+}
+
+/**
+ * 1. Correct the inability to style clickable types in iOS and Safari.
+ * 2. Change font properties to `inherit` in Safari.
+ */
+
+::-webkit-file-upload-button {
+ -webkit-appearance: button; /* 1 */
+ font: inherit; /* 2 */
+}
+
+/* Interactive
+ ========================================================================== */
+
+/*
+ * Add the correct display in Edge, IE 10+, and Firefox.
+ */
+
+details {
+ display: block;
+}
+
+/*
+ * Add the correct display in all browsers.
+ */
+
+summary {
+ display: list-item;
+}
+
+/* Misc
+ ========================================================================== */
+
+/**
+ * Add the correct display in IE 10+.
+ */
+
+template {
+ display: none;
+}
+
+/**
+ * Add the correct display in IE 10.
+ */
+
+[hidden] {
+ display: none;
+}
diff --git a/TestesRealizados1/Dev&Standard/themes/original/colors.css b/TestesRealizados1/Dev&Standard/themes/original/colors.css
new file mode 100644
index 0000000..fd3b963
--- /dev/null
+++ b/TestesRealizados1/Dev&Standard/themes/original/colors.css
@@ -0,0 +1,139 @@
+body {
+ background-color: #306aa0;
+ background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%);
+}
+
+main, footer {
+ background-color: #fff;
+}
+
+header {
+ background-color: #00549e;
+ color: #fff;
+}
+
+a:link {
+ color: #004380;
+}
+
+a:visited {
+ color: #770d67;
+}
+
+a:focus {
+ background-color: #ffd54d;
+}
+
+a:hover {
+ background-color: #ffd54d;
+}
+
+a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+header a:link {
+ color: #f2f7fd;
+}
+
+header a:visited {
+ color: #f2b5e9;
+}
+
+header a:focus {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:hover {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #fff6db;
+}
+
+summary:focus {
+ background-color: #ffd54d;
+}
+
+summary:hover {
+ background-color: #ffd54d;
+}
+
+summary:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+h2, h3, h4, h5, h6 {
+ color: #00549e;
+}
+
+.risk-level, .confidence-level {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left-color: #fff;
+}
+
+.alerts-table th, .alert-types-table th {
+ background-color: #306aa0;
+ color: #fff;
+}
+
+.additional-info-percentages {
+ color: #00549e;
+}
+
+.insights-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.insights-table th[scope="col"] {
+ background-color: #00549e;
+ border-left-color: #fff;
+ color: #fff;
+}
diff --git a/TestesRealizados1/Dev&Standard/themes/original/main.css b/TestesRealizados1/Dev&Standard/themes/original/main.css
new file mode 100644
index 0000000..050bd3f
--- /dev/null
+++ b/TestesRealizados1/Dev&Standard/themes/original/main.css
@@ -0,0 +1,417 @@
+*, *::after, *::before {
+ box-sizing: border-box;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ margin: 0;
+ padding: 0;
+}
+
+pre, ul {
+ margin: 0;
+}
+
+ol {
+ list-style-type: none;
+}
+
+h1 {
+ font-size: 3em;
+}
+
+h2 {
+ font-size: 2em;
+}
+
+h3, h4, h5, h6 {
+ font-size: 1em;
+}
+
+html {
+ box-sizing: border-box;
+ font-family: Verdana, sans-serif;
+ line-height: 1.5;
+}
+
+body {
+ margin: 1.5em 0;
+}
+
+@media screen and (min-width: 50em) {
+ body {
+ margin: 1.5em 2ch;
+ padding: 1.5em 2ch;
+ }
+}
+
+a:active, header a:active {
+ outline-style: solid;
+}
+
+header, main {
+ margin: 0 auto;
+ max-width: 90ch;
+ padding: 1.5em 4ch;
+}
+
+header {
+ border-radius: .25em .25em 0 0;
+}
+
+main {
+ border-radius: 0 0 .25em .25em;
+}
+
+summary {
+ cursor: pointer;
+}
+
+.contents {
+ margin-top: 1.5em;
+}
+
+main > section {
+ margin-bottom: 4.5em;
+}
+
+.about-this-report > section {
+ margin-bottom: 3em;
+}
+
+.summaries section {
+ margin-bottom: 3em;
+}
+
+h2 {
+ margin-bottom: .75em;
+}
+
+h3 {
+ margin-bottom: 1.5em;
+}
+
+h4 {
+ margin-bottom: 1.5em;
+}
+
+.report-parameters--container h4 {
+ margin-top: 1.5em;
+}
+
+p {
+ margin: 1.5em 0;
+}
+
+p:first-of-type {
+ margin-top: 0;
+}
+
+p:last-of-type {
+ margin-bottom: 0;
+}
+
+.contents li, .alerts li, .alert-types > ol > li {
+ margin-top: 1.5em;
+}
+
+.alert-types h4 {
+ margin-bottom: 0;
+}
+
+a {
+ border-radius: .125em;
+}
+
+caption {
+ margin-bottom: 1.5em;
+ text-align: left;
+}
+
+code, .request-method-n-url {
+ overflow-wrap: anywhere;
+ white-space: break-spaces;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+.report-description--container, .report-parameters--container {
+ margin-left: 2ch;
+ padding: 0 2ch;
+}
+
+.about-this-report h3, .summaries h3, .appendix h3 {
+ border-bottom: .05em solid;
+}
+
+.alerts h4 {
+ text-align: center;
+}
+
+.alerts ol {
+ padding-left: 0;
+}
+
+.alerts--site-li {
+ border: .05em solid;
+ border-radius: .25em;
+ margin-left: 2ch;
+ padding: 1.5em 3ch;
+}
+
+.contents ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 4ch;
+}
+
+.contexts-list, .sites-list {
+ list-style-type: square;
+}
+
+.risk-confidence-counts-table {
+ width: 100%;
+}
+
+.risk-confidence-counts-table tr {
+ height: 4.5em;
+}
+
+.risk-confidence-counts-table thead > tr {
+ height: 3em;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.risk-confidence-counts-table th[scope="row"] {
+ padding-right: 5%;
+}
+
+@media screen and (max-width: 50em) {
+ .risk-confidence-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.risk-confidence-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td {
+ vertical-align: top;
+}
+
+.risk-confidence-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.site-risk-counts-table {
+ width: 100%;
+}
+
+.site-risk-counts-table tr {
+ height: 4.5em;
+}
+
+.site-risk-counts-table thead > tr:first-of-type {
+ height: 3em;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.site-risk-counts-table th[scope="row"] {
+ padding-right: 1%;
+}
+
+@media screen and (max-width: 50em) {
+ .site-risk-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.site-risk-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table td {
+ vertical-align: top;
+}
+
+.site-risk-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.alert-type-counts-table {
+ width: 100%;
+}
+
+.alert-type-counts-table th, .alert-type-counts-table td {
+ padding: 0 1rem;
+ text-align: left;
+ vertical-align: top;
+}
+
+.alert-type-counts-table td:nth-last-of-type(2) {
+ padding-left: 1.5rem;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom: 0.05em dotted;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left: 1rem solid;
+}
+
+.alert-type-counts-table th[scope="col"]:first-of-type {
+ border-left: 0;
+}
+
+.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type {
+ text-align: right;
+}
+
+.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] {
+ font-weight: normal;
+}
+
+.alert-type-counts-table th[scope="row"], .alert-type-counts-table td {
+ padding-bottom: 1.5em;
+}
+
+.alert-type-counts-table thead > th:first-of-type {
+ width: 45%;
+}
+
+.alerts-table, .alert-types-table, .insights-table {
+ border-collapse: separate;
+ border-spacing: 2ch 1.5em;
+ width: 100%;
+}
+
+.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th {
+ vertical-align: top;
+}
+
+.alerts-table td, .alert-types-table td, .insights-table td {
+ overflow-wrap: anywhere;
+}
+
+.alerts-table th, .alert-types-table th, .insights-table th {
+ padding: 0 1ch;
+}
+
+.alerts-table td, .alert-types-table td {
+ padding: 0 2ch;
+}
+
+.insights-table td {
+ padding: 0 1ch;
+}
+
+.alerts-table summary {
+ margin-bottom: 1.5em;
+}
+
+.alert-tags-list {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-tags-list > li {
+ margin-top: 0;
+}
+
+.request-body, .response-body {
+ margin-top: 1.5em;
+}
+
+.request-method-n-url {
+ margin-bottom: 0;
+}
+
+.alert-types-table {
+ padding-top: 0;
+}
+
+.alert-types-table th {
+ width: 20%;
+}
+
+.alert-types-table ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-types-table li:not(:first-of-type) {
+ margin-top: 1.5em;
+}
+
+p.alert-types-intro {
+ margin-bottom: 3em;
+}
+
+.zap-logo {
+ height: 1em;
+ margin-right: .25ch;
+ width: 1em;
+}
+
+h1, h2 {
+ font-family: Georgia, serif;
+}
+
+.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages {
+ font-family: monospace, monospace;
+}
+
+.context, .site, .request-method-n-url {
+ font-family: monospace, monospace;
+}
diff --git a/TestesRealizados1/Dev&Standard/zap32x32.png b/TestesRealizados1/Dev&Standard/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/Pen&Test/Pen&Test.html b/TestesRealizados1/Pen&Test/Pen&Test.html new file mode 100644 index 0000000..0dc6962 --- /dev/null +++ b/TestesRealizados1/Pen&Test/Pen&Test.html @@ -0,0 +1,2794 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 08:58:18 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(10.0%)
1
(10.0%)
Medium0
(0.0%)
2
(20.0%)
2
(20.0%)
0
(0.0%)
4
(40.0%)
Low0
(0.0%)
0
(0.0%)
2
(20.0%)
1
(10.0%)
3
(30.0%)
Informational0
(0.0%)
0
(0.0%)
2
(20.0%)
0
(0.0%)
2
(20.0%)
Total0
(0.0%)
2
(20.0%)
6
(60.0%)
2
(20.0%)
10
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
4
(5)
3
(8)
2
(10)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(10.0%)
Content Security Policy (CSP) Header Not SetMedium5
(50.0%)
Cross-Domain MisconfigurationMedium5
(50.0%)
Missing Anti-clickjacking HeaderMedium3
(30.0%)
Session ID in URL RewriteMedium5
(50.0%)
Private IP DisclosureLow1
(10.0%)
Timestamp Disclosure - UnixLow5
(50.0%)
X-Content-Type-Options Header MissingLow5
(50.0%)
Modern Web ApplicationInformational5
(50.0%)
User Agent FuzzerInformational5
(50.0%)
Total10
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
93
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
381
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
62
+
+
Low
+
+
Exceeded High
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
53 %
+
+
Info
+
+
Informational
+
+
+
+
Percentage of network failures
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 1xx
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
50 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 3xx
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 5xx
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
9 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
6 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
66 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
98 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
171
+
+
Info
+
+
Exceeded Low
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
14 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (307 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:39:56 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:33:00 GMT
          +ETag: W/"26af-19e6e92e42d"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:35:31 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Session ID in URL Rewrite (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkbSE6&sid=nEG8pvOYamU1m7K1AAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

          +
          Request
          + Request line and header section (317 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkbSE6&sid=nEG8pvOYamU1m7K1AAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (231 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 612
          +Date: Thu, 28 May 2026 12:36:09 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (612 bytes) + +
          40{"sid":"f2XAKT1guDtHCa8WAAAB"}42["server started"]42["challenge solved",{"key":"directoryListingChallenge","name":"Confidential Document","challenge":"Confidential Document (Access a confidential document.)","flag":"8d2072c6b0a455608ca1a293dc0c9579883fc6a5","hidden":false,"isRestore":false,"codingChallenge":true}]42["challenge solved",{"key":"errorHandlingChallenge","name":"Error Handling","challenge":"Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)","flag":"9c297196ecf8890bc1e900fcf3aebae8c9f9880a","hidden":false,"isRestore":false,"codingChallenge":false}]
          + + +
          Parameter
          sid
          Evidence
          nEG8pvOYamU1m7K1AAAA
          Solution +

          For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:33:00 GMT
          +ETag: W/"26af-19e6e92e42d"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:35:31 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Missing Anti-clickjacking Header (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkbSE4&sid=nEG8pvOYamU1m7K1AAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkbSE4&sid=nEG8pvOYamU1m7K1AAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 12:36:09 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          x-frame-options
          Solution +

          Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

          + +

          If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  6. + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Private IP Disclosure (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/admin/application-configuration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

          +
          Other info +

          192.168.99.100:3000

          + +

          192.168.99.100:4200

          +
          Request
          + Request line and header section (314 bytes) + +
          GET http://20.60.0.1:3000/rest/admin/application-configuration HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (389 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 23513
          +ETag: W/"5bd9-reVonwE2GOcMzw2LpzIkSqyB2OE"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:36:08 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (23513 bytes) + +
          {"config":{"server":{"port":3000,"basePath":"","baseUrl":"http://localhost:3000"},"application":{"domain":"juice-sh.op","name":"OWASP Juice Shop","logo":"JuiceShop_Logo.png","favicon":"favicon_js.ico","theme":"bluegrey-lightgreen","showVersionNumber":true,"showGitHubLinks":true,"localBackupEnabled":true,"numberOfRandomFakeUsers":0,"altcoinName":"Juicycoin","privacyContactEmail":"donotreply@owasp-juice.shop","customMetricsPrefix":"juiceshop","chatBot":{"name":"Juicy the Smart Assistant","avatar":"JuicyChatBot.png","model":"gemma4:e4b","llmMaxRetries":2,"sampleQuestions":["CHATBOT_PROMPT_RECOMMENDATION_SUMMER_PARTY","CHATBOT_PROMPT_RECOMMENDATION_POPULAR","CHATBOT_PROMPT_RECOMMENDATION_SUGAR_FREE","CHATBOT_PROMPT_RECOMMENDATION_START_DAY","CHATBOT_PROMPT_RECOMMENDATION_SEASONAL"]},"social":{"blueSkyUrl":"https://bsky.app/profile/owasp-juice.shop","mastodonUrl":"https://fosstodon.org/@owasp_juiceshop","twitterUrl":"https://twitter.com/owasp_juiceshop","facebookUrl":"https://www.facebook.com/owasp.juiceshop","slackUrl":"https://owasp.org/slack/invite","redditUrl":"https://www.reddit.com/r/owasp_juiceshop","pressKitUrl":"https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop","nftUrl":"https://opensea.io/collection/juice-shop","questionnaireUrl":null},"recyclePage":{"topProductImage":"fruit_press.jpg","bottomProductImage":"apple_pressings.jpg"},"welcomeBanner":{"showOnFirstStart":true,"title":"Welcome to OWASP Juice Shop!","message":"<p>Being a web application with a vast number of intended security vulnerabilities, the <strong>OWASP Juice Shop</strong> is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. 
The <strong>OWASP Juice Shop</strong> is an open-source project hosted by the non-profit <a href='https://owasp.org' target='_blank'>Open Worldwide Application Security Project (OWASP)</a> and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.</p><h1><a href='https://owasp-juice.shop' target='_blank'>https://owasp-juice.shop</a></h1>"},"cookieConsent":{"message":"This website uses fruit cookies to ensure you get the juiciest tracking experience.","dismissText":"Me want it!","linkText":"But me wait!","linkUrl":"https://www.youtube.com/watch?v=9PnbKL3wuH4"},"securityTxt":{"contact":"mailto:donotreply@owasp-juice.shop","encryption":"https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda","acknowledgements":"/#/score-board","hiring":"/#/jobs","csaf":"/.well-known/csaf/provider-metadata.json"},"promotion":{"video":"owasp_promo.mp4","subtitles":"owasp_promo.vtt"},"easterEggPlanet":{"name":"Orangeuze","overlayMap":"orangemap2k.avif"},"googleOauth":{"clientId":"1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq.apps.googleusercontent.com","authorizedRedirects":[{"uri":"https://demo.owasp-juice.shop"},{"uri":"https://juice-shop.herokuapp.com"},{"uri":"https://preview.owasp-juice.shop"},{"uri":"https://juice-shop-staging.herokuapp.com"},{"uri":"https://juice-shop.wtf"},{"uri":"http://localhost:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://127.0.0.1:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://localhost:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://127.0.0.1:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://192.168.99.100:3000","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://192.168.99.100:4200","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:3000","proxy":"https://localchromeos.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:4
200","proxy":"https://localchromeos.owasp-juice.shop"}]}},"challenges":{"showSolvedNotifications":true,"showHints":true,"showMitigations":true,"codingChallengesEnabled":"solved","restrictToTutorialsFirst":false,"overwriteUrlForProductTamperingChallenge":"https://owasp.slack.com","xssBonusPayload":"<iframe width=\"100%\" height=\"166\" scrolling=\"no\" frameborder=\"no\" allow=\"autoplay\" src=\"https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true\"></iframe>","safetyMode":"auto","csafHashValue":"7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843","metricsIgnoredUserAgents":["Prometheus","Alloy","promscrape","otelcol"]},"hackingInstructor":{"isEnabled":true,"avatarImage":"JuicyBot.png","hintPlaybackSpeed":"normal"},"products":[{"name":"Apple Juice (1000ml)","price":1.99,"deluxePrice":0.99,"limitPerUser":5,"description":"The all-time classic.","image":"apple_juice.jpg","reviews":[{"text":"One of my favorites!","author":"admin"},{"text":"Great! We'll have an apple party. Everyone brings an apple and - STUFFS IT DOWN EACH OTHER'S THROAT!","author":"basil"}]},{"name":"Orange Juice (1000ml)","description":"Made from oranges hand-picked by Uncle Dittmeyer.","price":2.99,"deluxePrice":2.49,"image":"orange_juice.jpg","reviews":[{"text":"y0ur f1r3wall needs m0r3 musc13","author":"uvogin"}]},{"name":"Eggfruit Juice (500ml)","description":"Now with even more exotic flavour.","price":8.99,"image":"eggfruit_juice.jpg","reviews":[{"text":"I bought it, would buy again. 
5/7","author":"admin"}]},{"name":"Raspberry Juice (1000ml)","description":"Made from blended Raspberry Pi, water and sugar.","price":4.99,"image":"raspberry_juice.jpg"},{"name":"Lemon Juice (500ml)","description":"Sour but full of vitamins.","price":2.99,"deluxePrice":1.99,"limitPerUser":5,"image":"lemon_juice.jpg"},{"name":"Banana Juice (1000ml)","description":"Monkeys love it the most.","price":1.99,"image":"banana_juice.jpg","reviews":[{"text":"Fry liked it too.","author":"bender"}]},{"name":"OWASP Juice Shop T-Shirt","description":"Real fans wear it 24/7!","price":22.49,"limitPerUser":5,"image":"fan_shirt.jpg"},{"name":"OWASP Juice Shop CTF Girlie-Shirt","description":"For serious Capture-the-Flag heroines only!","price":22.49,"image":"fan_girlie.jpg"},{"name":"OWASP SSL Advanced Forensic Tool (O-Saft)","description":"O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.","price":0.01,"image":"orange_juice.jpg","urlForProductTamperingChallenge":"https://www.owasp.org/index.php/O-Saft"},{"name":"Christmas Super-Surprise-Box (2014 Edition)","description":"Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!","price":29.99,"image":"undefined.jpg","useForChristmasSpecialChallenge":true},{"name":"Rippertuer Special Juice","description":"Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span>","price":16.99,"image":"undefined.jpg","keywordsForPastebinDataLeakChallenge":["hueteroneel","eurogium edule"]},{"name":"OWASP Juice Shop Sticker (2015/2016 design)","description":"Die-cut sticker with the official 2015/2016 logo. 
By now this is a rare collectors item. <em>Out of stock!</em>","price":999.99,"image":"sticker.png","deletedDate":"2017-04-28"},{"name":"OWASP Juice Shop Iron-Ons (16pcs)","description":"Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!","price":14.99,"image":"iron-on.jpg"},{"name":"OWASP Juice Shop Magnets (16pcs)","description":"Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!","price":15.99,"image":"magnets.jpg"},{"name":"OWASP Juice Shop Sticker Page","description":"Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.","price":9.99,"image":"sticker_page.jpg"},{"name":"OWASP Juice Shop Sticker Single","description":"Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!","price":4.99,"image":"sticker_single.jpg"},{"name":"OWASP Juice Shop Temporary Tattoos (16pcs)","description":"Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! 
Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!","price":14.99,"image":"tattoo.jpg","reviews":[{"text":"I straight-up gots nuff props fo'these tattoos!","author":"rapper"}]},{"name":"OWASP Juice Shop Mug","description":"Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!","price":21.99,"image":"fan_mug.jpg"},{"name":"OWASP Juice Shop Hoodie","description":"Mr. Robot-style apparel. But in black. And with logo.","price":49.99,"image":"fan_hoodie.jpg"},{"name":"OWASP Juice Shop-CTF Velcro Patch","description":"4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!","price":2.92,"quantity":5,"limitPerUser":5,"image":"velcro-patch.jpg","reviews":[{"text":"This thang would look phat on Bobby's jacked fur coat!","author":"rapper"},{"text":"Looks so much better on my uniform than the boring Starfleet symbol.","author":"jim"}]},{"name":"Woodruff Syrup \"Forest Master X-Treme\"","description":"Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.","price":6.99,"image":"woodruff_syrup.jpg"},{"name":"Green Smoothie","description":"Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.","price":1.99,"image":"green_smoothie.jpg","reviews":[{"text":"Fresh out of a replicator.","author":"jim"}]},{"name":"Quince Juice (1000ml)","description":"Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.","price":4.99,"image":"quince.jpg"},{"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"limitPerUser":5,"image":"apple_pressings.jpg"},{"name":"Fruit Press","description":"Fruits go in. 
Juice comes out. Pomace you can send back to us for recycling purposes.","price":89.99,"image":"fruit_press.jpg"},{"name":"OWASP Juice Shop Logo (3D-printed)","description":"This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.","price":99.99,"image":"3d_keychain.jpg","fileForRetrieveBlueprintChallenge":"JuiceShop.stl","exifForBlueprintChallenge":["OpenSCAD"]},{"name":"Juice Shop Artwork","description":"Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.","price":278.74,"quantity":0,"image":"artwork.jpg","deletedDate":"2020-12-24"},{"name":"Global OWASP WASPY Award 2017 Nomination","description":"Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>","price":0.03,"image":"waspy.png","deletedDate":"2017-07-01"},{"name":"Strawberry Juice (500ml)","description":"Sweet & tasty!","price":3.99,"image":"strawberry_juice.jpeg"},{"name":"Carrot Juice (1000ml)","description":"As the old German saying goes: \"Carrots are good for the eyes. 
Or has anyone ever seen a rabbit with glasses?\"","price":2.99,"image":"carrot_juice.jpeg","reviews":[{"text":"0 st4rs f0r 7h3 h0rr1bl3 s3cur17y","author":"uvogin"}]},{"name":"OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)","description":"10 sheets of Sweden-themed stickers with 15 stickers on each.","price":19.1,"image":"stickersheet_se.png","deletedDate":"2017-09-20"},{"name":"Pwning OWASP Juice Shop","description":"<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!","price":5.99,"image":"cover_small.jpg","reviews":[{"text":"Even more interesting than watching Interdimensional Cable!","author":"morty"}]},{"name":"Melon Bike (Comeback-Product 2018 Edition)","description":"The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.","price":2999,"quantity":3,"limitPerUser":1,"image":"melon_bike.jpeg"},{"name":"OWASP Juice Shop Coaster (10pcs)","description":"Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.","price":19.99,"quantity":0,"image":"coaster.jpg"},{"name":"OWASP Snakes and Ladders - Web Applications","description":"This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!","price":0.01,"quantity":8,"image":"snakes_ladders.jpg","reviews":[{"text":"Wait for a 10$ Steam sale of Tabletop Simulator!","author":"bjoernOwasp"}]},{"name":"OWASP Snakes and Ladders - Mobile Apps","description":"This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> 
now!","price":0.01,"quantity":0,"image":"snakes_ladders_m.jpg","reviews":[{"text":"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!","author":"rapper"}]},{"name":"OWASP Juice Shop Holographic Sticker","description":"Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!","price":2,"quantity":0,"image":"holo_sticker.png","reviews":[{"text":"Rad, dude!","author":"rapper"},{"text":"Looks spacy on Bones' new tricorder!","author":"jim"},{"text":"Will put one on the Planet Express ship's bumper!","author":"bender"}]},{"name":"OWASP Juice Shop \"King of the Hill\" Facemask","description":"Facemask with compartment for filter from 50% cotton and 50% polyester.","price":13.49,"quantity":0,"limitPerUser":1,"image":"fan_facemask.jpg","reviews":[{"text":"K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!","author":"uvogin"},{"text":"Puny mask for puny human weaklings!","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Common)","description":"Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":2.99,"deluxePrice":0.99,"deletedDate":"2020-11-30","limitPerUser":5,"image":"ccg_common.png","reviews":[{"text":"Ooooh, puny human playing Mau Mau, now?","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Super Rare)","description":"Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":99.99,"deluxePrice":69.99,"deletedDate":"2020-11-30","quantity":2,"limitPerUser":1,"image":"ccg_foil.png","reviews":[{"text":"Mau Mau with bling-bling? 
Humans are so pathetic!","author":"bender"}]},{"name":"Juice Shop \"Permafrost\" 2020 Edition","description":"Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.","price":9999.99,"quantity":1,"limitPerUser":1,"image":"permafrost.jpg","reviews":[{"text":"🧊 Let it go, let it go 🎶 Can't hold it back anymore 🎶 Let it go, let it go 🎶 Turn away and slam the door ❄️","author":"rapper"}]},{"name":"Best Juice Shop Salesman Artwork","description":"Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.","price":5000,"quantity":1,"image":"artwork2.jpg","reviews":[{"text":"I'd stand on my head to make you a deal for this piece of art.","author":"stan"},{"text":"Just when my opinion of humans couldn't get any lower, along comes Stan...","author":"bender"}]},{"name":"OWASP Juice Shop Card (non-foil)","description":"Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!","price":1000,"quantity":3,"limitPerUser":1,"image":"card_alpha.jpg","reviews":[{"text":"DO NOT PLAY WITH THIS! 
Double-sleeve, then put it in the GitHub Arctic Vault for perfect preservation and boost of secondary market value!","author":"accountant"}]},{"name":"20th Anniversary Celebration Ticket","description":"Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!","price":1e-20,"deletedDate":"2021-09-25","limitPerUser":1,"image":"20th.jpeg","reviews":[{"text":"I'll be there! Will you, too?","author":"bjoernOwasp"}]},{"name":"OWASP Juice Shop LEGO™ Tower","description":"Want to host a Juice Shop CTF in style? Build <a href=\"https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/lego/OWASP%20JuiceShop%20Pi-server%201.2.pdf\" target=\"_blank\">your own LEGO™ tower</a> which holds four Raspberry Pi 4 models with PoE HAT modules <a href=\"https://github.com/juice-shop/multi-juicer/blob/main/guides/raspberry-pi/raspberry-pi.md\" target=\"_blank\">running a MultiJuicer Kubernetes cluster</a>! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!","price":799,"quantity":3,"limitPerUser":1,"image":"lego_case.jpg","reviews":[{"text":"Check out the /#/photo-wall for some impressions of the assembly process!","author":"bjoernOwasp"}]},{"name":"DSOMM & Juice Shop User Day Ticket","description":"You are going to the OWASP Global AppSec San Francisco 2024? <a href=\"https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707\" target=\"_blank\">Get a ticket<sup>*</sup></a> for this amazing side event as well! 
Check the juice-packed agenda <a href=\"https://owasp.org/www-project-juice-shop/#div-userday2024\" target=\"_blank\">here</a> for all the details!<br><br><small><small><sup>*</sup>=scroll down to <strong>Elevate: DSOMM and Juice Shop User Day (Sept. 25)</strong> after clicking <em>Get Tickets</em> on Eventbrite. Ticket price set to only covers fees for room, AV, and catering throughout the day.</small></small>","price":55.2,"deletedDate":"2024-09-26","limitPerUser":1,"image":"user_day_ticket.png","reviews":[{"text":"The DSOMM Live Assessment session will even use Juice Shop as its \"real-world\" example!","author":"timo"},{"text":"We will showcase the amazing MultiJuicer Lego Tower at this event!","author":"jannik"}]},{"name":"Pineapple Juice (1000ml)","description":"Tropical refreshment from the finest sun-ripened pineapples.","price":2.99,"image":"pineapple_juice.png"},{"name":"Melon Juice (1000ml)","description":"Refreshing and sweet juice made from ripe melons.","price":2.49,"image":"melon_juice.png"},{"name":"Grape Juice (1000ml)","description":"Deep purple and full of antioxidants from selected grapes.","price":2.99,"image":"grape_juice.png"},{"name":"Dragonfruit Juice (500ml)","description":"Exotic and vibrant juice made from dragonfruit.","price":3.99,"image":"dragonfruit_juice.png"},{"name":"Berry Juice (1000ml)","description":"A delicious blend of fresh forest berries.","price":3.49,"image":"berry_juice.png"},{"name":"Basil Smoothie","description":"A unique blend of fresh basil and ginger for a healthy kick.","price":2.99,"image":"basil_smoothie.png","reviews":[{"text":"(ง'̀-'́)ง","author":"basil"}]},{"name":"Bragă (500ml)","description":"Traditional Balkan drink made from fermented millet. Lightly sweet-sour, refreshing, and naturally energizing.","price":2.49,"image":"braga.jpg"},{"name":"Elderflower Cordial (500ml)","description":"Floral and fragrant soft drink made from elderflowers. 
Traditionally enjoyed chilled.","price":3.29,"image":"elderflower_cordial.jpg"},{"name":"Sea Buckthorn Juice (500ml)","description":"Tangy and slightly sour juice, extremely rich in Vitamin C and antioxidants.","price":3.99,"image":"sea_buckthorn_juice.jpg"},{"name":"Pomegranate Drink (500ml)","description":"A sweet and tart refreshment inspired by classic grenadine flavors.","price":4.49,"image":"pomegranate_drink.jpg"}],"memories":[{"image":"magn(et)ificent!-1571814229653.jpg","caption":"Magn(et)ificent!","user":"bjoernGoogle"},{"image":"my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg","caption":"My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]","user":"bjoernGoogle"},{"image":"favorite-hiking-place.png","caption":"I love going hiking here...","geoStalkingMetaSecurityQuestion":14,"geoStalkingMetaSecurityAnswer":"Daniel Boone National Forest"},{"image":"IMG_4253.jpg","caption":"My old workplace...","geoStalkingVisualSecurityQuestion":10,"geoStalkingVisualSecurityAnswer":"ITsec"},{"image":"BeeHaven.png","caption":"Welcome to the Bee Haven (/#/bee-haven)🐝","user":"evm"},{"image":"sorted-the-pieces,-starting-assembly-process-1721152307290.jpg","caption":"Sorted the pieces, starting assembly process...","user":"bjoernOwasp"},{"image":"building-something-literally-bottom-up-1721152342603.jpg","caption":"Building something literally bottom up...","user":"bjoernOwasp"},{"image":"putting-in-the-hardware-1721152366854.jpg","caption":"Putting in the hardware...","user":"bjoernOwasp"},{"image":"everything-up-and-running!-1721152385146.jpg","caption":"Everything up and running!","user":"bjoernOwasp"}],"ctf":{"showFlagsInNotifications":false,"showCountryDetailsInNotifications":"none","countryMapping":null,"systemWideNotifications":{"url":null,"pollFrequencySeconds":null}}}}
          + + +
          Evidence
          192.168.99.100:3000
          Solution +

          Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + X-Content-Type-Options Header Missing (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkbS2E + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          +
          Other info +

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          + +

          At "High" threshold this scan rule will not alert on client or server error responses.

          +
          Request
          + Request line and header section (292 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvkbS2E HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 96
          +Date: Thu, 28 May 2026 12:36:08 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (96 bytes) + +
          0{"sid":"nEG8pvOYamU1m7K1AAAA","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}
          + + +
          Parameter
          x-content-type-options
          Solution +

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          + +

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  8. + +
  9. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:33:00 GMT
          +ETag: W/"26af-19e6e92e42d"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:35:31 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + + + + +
  11. +

    + Risk=Informational, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:33:00 GMT
          +ETag: W/"26af-19e6e92e42d"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 12:35:31 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + User Agent Fuzzer (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=websocket&sid=ORXVHK2iM9FnA7rnAAAI + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags +
            +
          • + CUSTOM_PAYLOADS = +
          • +
          • + POLICY_PENTEST = +
          • +
          • + SYSTEMIC +
          • +
          +
          Alert description +

          Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

          +
          Request
          + Request line and header section (557 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=websocket&sid=ORXVHK2iM9FnA7rnAAAI HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Sec-WebSocket-Version: 13
          +Origin: http://20.60.0.1:3000
          +Sec-WebSocket-Key: u649l9b9D6JhCVZVqb3H3w==
          +Connection: keep-alive, Upgrade
          +Cookie: language=en; continueCode=y1OzBZxNpnLrM5WmgEKv8XakQ7DA6LcQGJ6yOlV9Pow1jYqbz2eRB34oE5mM; welcomebanner_status=dismiss
          +Pragma: no-cache
          +Cache-Control: no-cache
          +Upgrade: websocket
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (92 bytes) + +
          HTTP/1.1 400 Bad Request
          +Connection: close
          +Content-type: text/html
          +Content-Length: 18
          +
          +
          + + +
          + Response body (18 bytes) + +
          Session ID unknown
          + + +
          Parameter
          Header User-Agent
          Attack
          Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  12. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Missing Anti-clickjacking Header

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Anti-clickjacking Header) + +
    CWE ID1021
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    2. +
    +
    +
  8. +
  9. +

    Session ID in URL Rewrite

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session ID in URL Rewrite) + +
    CWE ID598
    WASC ID13
    Reference +
      +
    1. https://seclists.org/webappsec/2002/q4/111
    2. +
    +
    +
  10. +
  11. +

    Private IP Disclosure

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Private IP Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://datatracker.ietf.org/doc/html/rfc1918
    2. +
    +
    +
  12. +
  13. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  14. +
  15. +

    X-Content-Type-Options Header Missing

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (X-Content-Type-Options Header Missing) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. +
    3. https://owasp.org/www-community/Security_Headers
    4. +
    +
    +
  16. +
  17. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  18. +
  19. +

    User Agent Fuzzer

    + + + + + + + + + + + +
    Source + + raised by an active scanner (User Agent Fuzzer) + +
    Reference +
      +
    1. https://owasp.org/wstg
    2. +
    +
    +
  20. +
+
+
+ +
+ + + + +
diff --git a/TestesRealizados1/Pen&Test/normalize/LICENSE.md b/TestesRealizados1/Pen&Test/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/Pen&Test/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/Pen&Test/normalize/normalize.css b/TestesRealizados1/Pen&Test/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/Pen&Test/normalize/normalize.css
@@ -0,0 +1,349 @@ +/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */ + +/* Document + ========================================================================== */ + +/** + * 1. Correct the line height in all browsers. + * 2. Prevent adjustments of font size after orientation changes in iOS. + */ + +html { + line-height: 1.15; /* 1 */ + -webkit-text-size-adjust: 100%; /* 2 */ +} + +/* Sections + ========================================================================== */ + +/** + * Remove the margin in all browsers. + */ + +body { + margin: 0; +} + +/** + * Render the `main` element consistently in IE. + */ + +main { + display: block; +} + +/** + * Correct the font size and margin on `h1` elements within `section` and + * `article` contexts in Chrome, Firefox, and Safari. + */ + +h1 { + font-size: 2em; + margin: 0.67em 0; +} + +/* Grouping content + ========================================================================== */ + +/** + * 1. Add the correct box sizing in Firefox. + * 2. Show the overflow in Edge and IE. + */ + +hr { + box-sizing: content-box; /* 1 */ + height: 0; /* 1 */ + overflow: visible; /* 2 */ +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +pre { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/* Text-level semantics + ========================================================================== */ + +/** + * Remove the gray background on active links in IE 10. + */ + +a { + background-color: transparent; +} + +/** + * 1. Remove the bottom border in Chrome 57- + * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari. + */ + +abbr[title] { + border-bottom: none; /* 1 */ + text-decoration: underline; /* 2 */ + text-decoration: underline dotted; /* 2 */ +} + +/** + * Add the correct font weight in Chrome, Edge, and Safari. 
+ */ + +b, +strong { + font-weight: bolder; +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +code, +kbd, +samp { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/** + * Add the correct font size in all browsers. + */ + +small { + font-size: 80%; +} + +/** + * Prevent `sub` and `sup` elements from affecting the line height in + * all browsers. + */ + +sub, +sup { + font-size: 75%; + line-height: 0; + position: relative; + vertical-align: baseline; +} + +sub { + bottom: -0.25em; +} + +sup { + top: -0.5em; +} + +/* Embedded content + ========================================================================== */ + +/** + * Remove the border on images inside links in IE 10. + */ + +img { + border-style: none; +} + +/* Forms + ========================================================================== */ + +/** + * 1. Change the font styles in all browsers. + * 2. Remove the margin in Firefox and Safari. + */ + +button, +input, +optgroup, +select, +textarea { + font-family: inherit; /* 1 */ + font-size: 100%; /* 1 */ + line-height: 1.15; /* 1 */ + margin: 0; /* 2 */ +} + +/** + * Show the overflow in IE. + * 1. Show the overflow in Edge. + */ + +button, +input { /* 1 */ + overflow: visible; +} + +/** + * Remove the inheritance of text transform in Edge, Firefox, and IE. + * 1. Remove the inheritance of text transform in Firefox. + */ + +button, +select { /* 1 */ + text-transform: none; +} + +/** + * Correct the inability to style clickable types in iOS and Safari. + */ + +button, +[type="button"], +[type="reset"], +[type="submit"] { + -webkit-appearance: button; +} + +/** + * Remove the inner border and padding in Firefox. 
+ */ + +button::-moz-focus-inner, +[type="button"]::-moz-focus-inner, +[type="reset"]::-moz-focus-inner, +[type="submit"]::-moz-focus-inner { + border-style: none; + padding: 0; +} + +/** + * Restore the focus styles unset by the previous rule. + */ + +button:-moz-focusring, +[type="button"]:-moz-focusring, +[type="reset"]:-moz-focusring, +[type="submit"]:-moz-focusring { + outline: 1px dotted ButtonText; +} + +/** + * Correct the padding in Firefox. + */ + +fieldset { + padding: 0.35em 0.75em 0.625em; +} + +/** + * 1. Correct the text wrapping in Edge and IE. + * 2. Correct the color inheritance from `fieldset` elements in IE. + * 3. Remove the padding so developers are not caught out when they zero out + * `fieldset` elements in all browsers. + */ + +legend { + box-sizing: border-box; /* 1 */ + color: inherit; /* 2 */ + display: table; /* 1 */ + max-width: 100%; /* 1 */ + padding: 0; /* 3 */ + white-space: normal; /* 1 */ +} + +/** + * Add the correct vertical alignment in Chrome, Firefox, and Opera. + */ + +progress { + vertical-align: baseline; +} + +/** + * Remove the default vertical scrollbar in IE 10+. + */ + +textarea { + overflow: auto; +} + +/** + * 1. Add the correct box sizing in IE 10. + * 2. Remove the padding in IE 10. + */ + +[type="checkbox"], +[type="radio"] { + box-sizing: border-box; /* 1 */ + padding: 0; /* 2 */ +} + +/** + * Correct the cursor style of increment and decrement buttons in Chrome. + */ + +[type="number"]::-webkit-inner-spin-button, +[type="number"]::-webkit-outer-spin-button { + height: auto; +} + +/** + * 1. Correct the odd appearance in Chrome and Safari. + * 2. Correct the outline style in Safari. + */ + +[type="search"] { + -webkit-appearance: textfield; /* 1 */ + outline-offset: -2px; /* 2 */ +} + +/** + * Remove the inner padding in Chrome and Safari on macOS. + */ + +[type="search"]::-webkit-search-decoration { + -webkit-appearance: none; +} + +/** + * 1. Correct the inability to style clickable types in iOS and Safari. 
+ * 2. Change font properties to `inherit` in Safari.
+ */
+
+::-webkit-file-upload-button {
+ -webkit-appearance: button; /* 1 */
+ font: inherit; /* 2 */
+}
+
+/* Interactive
+ ========================================================================== */
+
+/*
+ * Add the correct display in Edge, IE 10+, and Firefox.
+ */
+
+details {
+ display: block;
+}
+
+/*
+ * Add the correct display in all browsers.
+ */
+
+summary {
+ display: list-item;
+}
+
+/* Misc
+ ========================================================================== */
+
+/**
+ * Add the correct display in IE 10+.
+ */
+
+template {
+ display: none;
+}
+
+/**
+ * Add the correct display in IE 10.
+ */
+
+[hidden] {
+ display: none;
+}
diff --git a/TestesRealizados1/Pen&Test/themes/original/colors.css b/TestesRealizados1/Pen&Test/themes/original/colors.css
new file mode 100644
index 0000000..fd3b963
--- /dev/null
+++ b/TestesRealizados1/Pen&Test/themes/original/colors.css
@@ -0,0 +1,139 @@
+body {
+ background-color: #306aa0;
+ background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%);
+}
+
+main, footer {
+ background-color: #fff;
+}
+
+header {
+ background-color: #00549e;
+ color: #fff;
+}
+
+a:link {
+ color: #004380;
+}
+
+a:visited {
+ color: #770d67;
+}
+
+a:focus {
+ background-color: #ffd54d;
+}
+
+a:hover {
+ background-color: #ffd54d;
+}
+
+a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+header a:link {
+ color: #f2f7fd;
+}
+
+header a:visited {
+ color: #f2b5e9;
+}
+
+header a:focus {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:hover {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #fff6db;
+}
+
+summary:focus {
+ background-color: #ffd54d;
+}
+
+summary:hover {
+ background-color: #ffd54d;
+}
+
+summary:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+h2, h3, h4, h5, h6 {
+ color: #00549e;
+}
+
+.risk-level, .confidence-level {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left-color: #fff;
+}
+
+.alerts-table th, .alert-types-table th {
+ background-color: #306aa0;
+ color: #fff;
+}
+
+.additional-info-percentages {
+ color: #00549e;
+}
+
+.insights-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.insights-table th[scope="col"] {
+ background-color: #00549e;
+ border-left-color: #fff;
+ color: #fff;
+}
diff --git a/TestesRealizados1/Pen&Test/themes/original/main.css b/TestesRealizados1/Pen&Test/themes/original/main.css
new file mode 100644
index 0000000..050bd3f
--- /dev/null
+++ b/TestesRealizados1/Pen&Test/themes/original/main.css
@@ -0,0 +1,417 @@
+*, *::after, *::before {
+ box-sizing: border-box;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ margin: 0;
+ padding: 0;
+}
+
+pre, ul {
+ margin: 0;
+}
+
+ol {
+ list-style-type: none;
+}
+
+h1 {
+ font-size: 3em;
+}
+
+h2 {
+ font-size: 2em;
+}
+
+h3, h4, h5, h6 {
+ font-size: 1em;
+}
+
+html {
+ box-sizing: border-box;
+ font-family: Verdana, sans-serif;
+ line-height: 1.5;
+}
+
+body {
+ margin: 1.5em 0;
+}
+
+@media screen and (min-width: 50em) {
+ body {
+ margin: 1.5em 2ch;
+ padding: 1.5em 2ch;
+ }
+}
+
+a:active, header a:active {
+ outline-style: solid;
+}
+
+header, main {
+ margin: 0 auto;
+ max-width: 90ch;
+ padding: 1.5em 4ch;
+}
+
+header {
+ border-radius: .25em .25em 0 0;
+}
+
+main {
+ border-radius: 0 0 .25em .25em;
+}
+
+summary {
+ cursor: pointer;
+}
+
+.contents {
+ margin-top: 1.5em;
+}
+
+main > section {
+ margin-bottom: 4.5em;
+}
+
+.about-this-report > section {
+ margin-bottom: 3em;
+}
+
+.summaries section {
+ margin-bottom: 3em;
+}
+
+h2 {
+ margin-bottom: .75em;
+}
+
+h3 {
+ margin-bottom: 1.5em;
+}
+
+h4 {
+ margin-bottom: 1.5em;
+}
+
+.report-parameters--container h4 {
+ margin-top: 1.5em;
+}
+
+p {
+ margin: 1.5em 0;
+}
+
+p:first-of-type {
+ margin-top: 0;
+}
+
+p:last-of-type {
+ margin-bottom: 0;
+}
+
+.contents li, .alerts li, .alert-types > ol > li {
+ margin-top: 1.5em;
+}
+
+.alert-types h4 {
+ margin-bottom: 0;
+}
+
+a {
+ border-radius: .125em;
+}
+
+caption {
+ margin-bottom: 1.5em;
+ text-align: left;
+}
+
+code, .request-method-n-url {
+ overflow-wrap: anywhere;
+ white-space: break-spaces;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+.report-description--container, .report-parameters--container {
+ margin-left: 2ch;
+ padding: 0 2ch;
+}
+
+.about-this-report h3, .summaries h3, .appendix h3 {
+ border-bottom: .05em solid;
+}
+
+.alerts h4 {
+ text-align: center;
+}
+
+.alerts ol {
+ padding-left: 0;
+}
+
+.alerts--site-li {
+ border: .05em solid;
+ border-radius: .25em;
+ margin-left: 2ch;
+ padding: 1.5em 3ch;
+}
+
+.contents ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 4ch;
+}
+
+.contexts-list, .sites-list {
+ list-style-type: square;
+}
+
+.risk-confidence-counts-table {
+ width: 100%;
+}
+
+.risk-confidence-counts-table tr {
+ height: 4.5em;
+}
+
+.risk-confidence-counts-table thead > tr {
+ height: 3em;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.risk-confidence-counts-table th[scope="row"] {
+ padding-right: 5%;
+}
+
+@media screen and (max-width: 50em) {
+ .risk-confidence-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.risk-confidence-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td {
+ vertical-align: top;
+}
+
+.risk-confidence-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.site-risk-counts-table {
+ width: 100%;
+}
+
+.site-risk-counts-table tr {
+ height: 4.5em;
+}
+
+.site-risk-counts-table thead > tr:first-of-type {
+ height: 3em;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.site-risk-counts-table th[scope="row"] {
+ padding-right: 1%;
+}
+
+@media screen and (max-width: 50em) {
+ .site-risk-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.site-risk-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table td {
+ vertical-align: top;
+}
+
+.site-risk-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.alert-type-counts-table {
+ width: 100%;
+}
+
+.alert-type-counts-table th, .alert-type-counts-table td {
+ padding: 0 1rem;
+ text-align: left;
+ vertical-align: top;
+}
+
+.alert-type-counts-table td:nth-last-of-type(2) {
+ padding-left: 1.5rem;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom: 0.05em dotted;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left: 1rem solid;
+}
+
+.alert-type-counts-table th[scope="col"]:first-of-type {
+ border-left: 0;
+}
+
+.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type {
+ text-align: right;
+}
+
+.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] {
+ font-weight: normal;
+}
+
+.alert-type-counts-table th[scope="row"], .alert-type-counts-table td {
+ padding-bottom: 1.5em;
+}
+
+.alert-type-counts-table thead > th:first-of-type {
+ width: 45%;
+}
+
+.alerts-table, .alert-types-table, .insights-table {
+ border-collapse: separate;
+ border-spacing: 2ch 1.5em;
+ width: 100%;
+}
+
+.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th {
+ vertical-align: top;
+}
+
+.alerts-table td, .alert-types-table td, .insights-table td {
+ overflow-wrap: anywhere;
+}
+
+.alerts-table th, .alert-types-table th, .insights-table th {
+ padding: 0 1ch;
+}
+
+.alerts-table td, .alert-types-table td {
+ padding: 0 2ch;
+}
+
+.insights-table td {
+ padding: 0 1ch;
+}
+
+.alerts-table summary {
+ margin-bottom: 1.5em;
+}
+
+.alert-tags-list {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-tags-list > li {
+ margin-top: 0;
+}
+
+.request-body, .response-body {
+ margin-top: 1.5em;
+}
+
+.request-method-n-url {
+ margin-bottom: 0;
+}
+
+.alert-types-table {
+ padding-top: 0;
+}
+
+.alert-types-table th {
+ width: 20%;
+}
+
+.alert-types-table ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-types-table li:not(:first-of-type) {
+ margin-top: 1.5em;
+}
+
+p.alert-types-intro {
+ margin-bottom: 3em;
+}
+
+.zap-logo {
+ height: 1em;
+ margin-right: .25ch;
+ width: 1em;
+}
+
+h1, h2 {
+ font-family: Georgia, serif;
+}
+
+.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages {
+ font-family: monospace, monospace;
+}
+
+.context, .site, .request-method-n-url {
+ font-family: monospace, monospace;
+}
diff --git a/TestesRealizados1/Pen&Test/zap32x32.png b/TestesRealizados1/Pen&Test/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/QA&CICD/QA&CICD.html b/TestesRealizados1/QA&CICD/QA&CICD.html new file mode 100644 index 0000000..585b789 --- /dev/null +++ b/TestesRealizados1/QA&CICD/QA&CICD.html @@ -0,0 +1,1896 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 09:08:47 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(20.0%)
1
(20.0%)
Medium0
(0.0%)
1
(20.0%)
1
(20.0%)
0
(0.0%)
2
(40.0%)
Low0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(20.0%)
1
(20.0%)
Informational0
(0.0%)
0
(0.0%)
1
(20.0%)
0
(0.0%)
1
(20.0%)
Total0
(0.0%)
1
(20.0%)
2
(40.0%)
2
(40.0%)
5
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
2
(3)
1
(4)
1
(5)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(20.0%)
Content Security Policy (CSP) Header Not SetMedium5
(100.0%)
Cross-Domain MisconfigurationMedium5
(100.0%)
Timestamp Disclosure - UnixLow5
(100.0%)
Modern Web ApplicationInformational5
(100.0%)
Total5
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
80
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
112
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
28
+
+
Info
+
+
Informational
+
+
+
+
Percentage of network failures
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
95 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
9 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
6 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
66 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
98 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
171
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
13 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (307 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:05:12 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:58:56 GMT
          +ETag: W/"26af-19e6eaa9eaf"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:01:59 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/robots.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (239 bytes) + +
          GET http://20.60.0.1:3000/robots.txt HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (378 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: text/plain; charset=utf-8
          +Content-Length: 28
          +ETag: W/"1c-8HgF6mNyhsSFK0pascC9uB0wjX0"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:01:58 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (28 bytes) + +
          User-agent: *
          +Disallow: /ftp
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  6. + + + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:58:56 GMT
          +ETag: W/"26af-19e6eaa9eaf"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:01:58 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  8. + + + + + + +
  9. +

    + Risk=Informational, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 12:58:56 GMT
          +ETag: W/"26af-19e6eaa9eaf"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:01:59 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  8. +
  9. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  10. +
+
+
+ +
+
+
+
+
+
+
diff --git a/TestesRealizados1/QA&CICD/normalize/LICENSE.md b/TestesRealizados1/QA&CICD/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/QA&CICD/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/QA&CICD/normalize/normalize.css b/TestesRealizados1/QA&CICD/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/QA&CICD/normalize/normalize.css
@@ -0,0 +1,349 @@ +/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */ + +/* Document + ========================================================================== */ + +/** + * 1. Correct the line height in all browsers. + * 2. Prevent adjustments of font size after orientation changes in iOS. + */ + +html { + line-height: 1.15; /* 1 */ + -webkit-text-size-adjust: 100%; /* 2 */ +} + +/* Sections + ========================================================================== */ + +/** + * Remove the margin in all browsers. + */ + +body { + margin: 0; +} + +/** + * Render the `main` element consistently in IE. + */ + +main { + display: block; +} + +/** + * Correct the font size and margin on `h1` elements within `section` and + * `article` contexts in Chrome, Firefox, and Safari. + */ + +h1 { + font-size: 2em; + margin: 0.67em 0; +} + +/* Grouping content + ========================================================================== */ + +/** + * 1. Add the correct box sizing in Firefox. + * 2. Show the overflow in Edge and IE. + */ + +hr { + box-sizing: content-box; /* 1 */ + height: 0; /* 1 */ + overflow: visible; /* 2 */ +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +pre { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/* Text-level semantics + ========================================================================== */ + +/** + * Remove the gray background on active links in IE 10. + */ + +a { + background-color: transparent; +} + +/** + * 1. Remove the bottom border in Chrome 57- + * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari. + */ + +abbr[title] { + border-bottom: none; /* 1 */ + text-decoration: underline; /* 2 */ + text-decoration: underline dotted; /* 2 */ +} + +/** + * Add the correct font weight in Chrome, Edge, and Safari. 
+ */ + +b, +strong { + font-weight: bolder; +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +code, +kbd, +samp { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/** + * Add the correct font size in all browsers. + */ + +small { + font-size: 80%; +} + +/** + * Prevent `sub` and `sup` elements from affecting the line height in + * all browsers. + */ + +sub, +sup { + font-size: 75%; + line-height: 0; + position: relative; + vertical-align: baseline; +} + +sub { + bottom: -0.25em; +} + +sup { + top: -0.5em; +} + +/* Embedded content + ========================================================================== */ + +/** + * Remove the border on images inside links in IE 10. + */ + +img { + border-style: none; +} + +/* Forms + ========================================================================== */ + +/** + * 1. Change the font styles in all browsers. + * 2. Remove the margin in Firefox and Safari. + */ + +button, +input, +optgroup, +select, +textarea { + font-family: inherit; /* 1 */ + font-size: 100%; /* 1 */ + line-height: 1.15; /* 1 */ + margin: 0; /* 2 */ +} + +/** + * Show the overflow in IE. + * 1. Show the overflow in Edge. + */ + +button, +input { /* 1 */ + overflow: visible; +} + +/** + * Remove the inheritance of text transform in Edge, Firefox, and IE. + * 1. Remove the inheritance of text transform in Firefox. + */ + +button, +select { /* 1 */ + text-transform: none; +} + +/** + * Correct the inability to style clickable types in iOS and Safari. + */ + +button, +[type="button"], +[type="reset"], +[type="submit"] { + -webkit-appearance: button; +} + +/** + * Remove the inner border and padding in Firefox. 
+ */ + +button::-moz-focus-inner, +[type="button"]::-moz-focus-inner, +[type="reset"]::-moz-focus-inner, +[type="submit"]::-moz-focus-inner { + border-style: none; + padding: 0; +} + +/** + * Restore the focus styles unset by the previous rule. + */ + +button:-moz-focusring, +[type="button"]:-moz-focusring, +[type="reset"]:-moz-focusring, +[type="submit"]:-moz-focusring { + outline: 1px dotted ButtonText; +} + +/** + * Correct the padding in Firefox. + */ + +fieldset { + padding: 0.35em 0.75em 0.625em; +} + +/** + * 1. Correct the text wrapping in Edge and IE. + * 2. Correct the color inheritance from `fieldset` elements in IE. + * 3. Remove the padding so developers are not caught out when they zero out + * `fieldset` elements in all browsers. + */ + +legend { + box-sizing: border-box; /* 1 */ + color: inherit; /* 2 */ + display: table; /* 1 */ + max-width: 100%; /* 1 */ + padding: 0; /* 3 */ + white-space: normal; /* 1 */ +} + +/** + * Add the correct vertical alignment in Chrome, Firefox, and Opera. + */ + +progress { + vertical-align: baseline; +} + +/** + * Remove the default vertical scrollbar in IE 10+. + */ + +textarea { + overflow: auto; +} + +/** + * 1. Add the correct box sizing in IE 10. + * 2. Remove the padding in IE 10. + */ + +[type="checkbox"], +[type="radio"] { + box-sizing: border-box; /* 1 */ + padding: 0; /* 2 */ +} + +/** + * Correct the cursor style of increment and decrement buttons in Chrome. + */ + +[type="number"]::-webkit-inner-spin-button, +[type="number"]::-webkit-outer-spin-button { + height: auto; +} + +/** + * 1. Correct the odd appearance in Chrome and Safari. + * 2. Correct the outline style in Safari. + */ + +[type="search"] { + -webkit-appearance: textfield; /* 1 */ + outline-offset: -2px; /* 2 */ +} + +/** + * Remove the inner padding in Chrome and Safari on macOS. + */ + +[type="search"]::-webkit-search-decoration { + -webkit-appearance: none; +} + +/** + * 1. Correct the inability to style clickable types in iOS and Safari. 
+ * 2. Change font properties to `inherit` in Safari. + */ + +::-webkit-file-upload-button { + -webkit-appearance: button; /* 1 */ + font: inherit; /* 2 */ +} + +/* Interactive + ========================================================================== */ + +/* + * Add the correct display in Edge, IE 10+, and Firefox. + */ + +details { + display: block; +} + +/* + * Add the correct display in all browsers. + */ + +summary { + display: list-item; +} + +/* Misc + ========================================================================== */ + +/** + * Add the correct display in IE 10+. + */ + +template { + display: none; +} + +/** + * Add the correct display in IE 10. + */ + +[hidden] { + display: none; +} diff --git a/TestesRealizados1/QA&CICD/themes/original/colors.css b/TestesRealizados1/QA&CICD/themes/original/colors.css new file mode 100644 index 0000000..fd3b963 --- /dev/null +++ b/TestesRealizados1/QA&CICD/themes/original/colors.css 
@@ -0,0 +1,139 @@ +body { + background-color: #306aa0; + background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%); +} + +main, footer { + background-color: #fff; +} + +header { + background-color: #00549e; + color: #fff; +} + +a:link { + color: #004380; +} + +a:visited { + color: #770d67; +} + +a:focus { + background-color: #ffd54d; +} + +a:hover { + background-color: #ffd54d; +} + +a:active { + background-color: #ffd54d; + color: #003261; + outline-color: #f4ba00; +} + +header a:link { + color: #f2f7fd; +} + +header a:visited { + color: #f2b5e9; +} + +header a:focus { + background-color: #ffd54d; + color: #004380; +} + +header a:hover { + background-color: #ffd54d; + color: #004380; +} + +header a:active { + background-color: #ffd54d; + color: #003261; + outline-color: #fff6db; +} + +summary:focus { + background-color: #ffd54d; +} + +summary:hover { + background-color: #ffd54d; +} + +summary:active { + background-color: #ffd54d; + color: #003261; + outline-color: #f4ba00; +} + +h2, h3, h4, h5, h6 { + color: #00549e; +} + +.risk-level, .confidence-level { + color: #00549e; +} + +.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] { + background-color: #00549e; + color: #fff; +} + +.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + color: #00549e; +} + +.risk-confidence-counts-table > tbody > tr { + border-top-color: #00549e; +} + +.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] { + background-color: #00549e; + color: #fff; +} + +.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + color: #00549e; +} + +.site-risk-counts-table > tbody > tr { + border-top-color: #00549e; +} + +.alert-type-counts-table > tbody > tr { + border-bottom-color: #00549e; +} + +.alert-type-counts-table th[scope="col"] { + background-color: #00549e; + color: #fff; +} + 
+.alert-type-counts-table th[scope="col"] { + border-left-color: #fff; +} + +.alerts-table th, .alert-types-table th { + background-color: #306aa0; + color: #fff; +} + +.additional-info-percentages { + color: #00549e; +} + +.insights-table > tbody > tr { + border-bottom-color: #00549e; +} + +.insights-table th[scope="col"] { + background-color: #00549e; + border-left-color: #fff; + color: #fff; +} diff --git a/TestesRealizados1/QA&CICD/themes/original/main.css b/TestesRealizados1/QA&CICD/themes/original/main.css new file mode 100644 index 0000000..050bd3f --- /dev/null +++ b/TestesRealizados1/QA&CICD/themes/original/main.css 
@@ -0,0 +1,417 @@ +*, *::after, *::before { + box-sizing: border-box; +} + +h1, h2, h3, h4, h5, h6 { + margin: 0; + padding: 0; +} + +pre, ul { + margin: 0; +} + +ol { + list-style-type: none; +} + +h1 { + font-size: 3em; +} + +h2 { + font-size: 2em; +} + +h3, h4, h5, h6 { + font-size: 1em; +} + +html { + box-sizing: border-box; + font-family: Verdana, sans-serif; + line-height: 1.5; +} + +body { + margin: 1.5em 0; +} + +@media screen and (min-width: 50em) { + body { + margin: 1.5em 2ch; + padding: 1.5em 2ch; + } +} + +a:active, header a:active { + outline-style: solid; +} + +header, main { + margin: 0 auto; + max-width: 90ch; + padding: 1.5em 4ch; +} + +header { + border-radius: .25em .25em 0 0; +} + +main { + border-radius: 0 0 .25em .25em; +} + +summary { + cursor: pointer; +} + +.contents { + margin-top: 1.5em; +} + +main > section { + margin-bottom: 4.5em; +} + +.about-this-report > section { + margin-bottom: 3em; +} + +.summaries section { + margin-bottom: 3em; +} + +h2 { + margin-bottom: .75em; +} + +h3 { + margin-bottom: 1.5em; +} + +h4 { + margin-bottom: 1.5em; +} + +.report-parameters--container h4 { + margin-top: 1.5em; +} + +p { + margin: 1.5em 0; +} + +p:first-of-type { + margin-top: 0; +} + +p:last-of-type { + margin-bottom: 0; +} + +.contents li, .alerts li, .alert-types > ol > li { + margin-top: 1.5em; +} + +.alert-types h4 { + margin-bottom: 0; +} + +a { + border-radius: .125em; +} + +caption { + margin-bottom: 1.5em; + text-align: left; +} + +code, .request-method-n-url { + overflow-wrap: anywhere; + white-space: break-spaces; +} + +table { + border-collapse: collapse; +} + +.report-description--container, .report-parameters--container { + margin-left: 2ch; + padding: 0 2ch; +} + +.about-this-report h3, .summaries h3, .appendix h3 { + border-bottom: .05em solid; +} + +.alerts h4 { + text-align: center; +} + +.alerts ol { + padding-left: 0; +} + +.alerts--site-li { + border: .05em solid; + border-radius: .25em; + margin-left: 2ch; + padding: 1.5em 
3ch; +} + +.contents ol { + list-style-position: inside; + list-style-type: square; + padding-left: 4ch; +} + +.contexts-list, .sites-list { + list-style-type: square; +} + +.risk-confidence-counts-table { + width: 100%; +} + +.risk-confidence-counts-table tr { + height: 4.5em; +} + +.risk-confidence-counts-table thead > tr { + height: 3em; +} + +.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] { + hyphens: auto; + overflow-wrap: anywhere; + word-break: break-all; +} + +.risk-confidence-counts-table th[scope="row"] { + padding-right: 5%; +} + +@media screen and (max-width: 50em) { + .risk-confidence-counts-table th[scope="row"] { + padding-right: 1ch; + } +} + +.risk-confidence-counts-table th[scope="rowgroup"] { + padding: 0 .5ch; + vertical-align: middle; +} + +.risk-confidence-counts-table > tbody > tr { + border-top: .05em solid; +} + +.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td { + vertical-align: top; +} + +.risk-confidence-counts-table th[scope="col"] { + vertical-align: bottom; +} + +.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + font-family: monospace, monospace; + font-weight: bold; +} + +.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] { + font-weight: normal; +} + +.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + text-align: right; +} + +.site-risk-counts-table { + width: 100%; +} + +.site-risk-counts-table tr { + height: 4.5em; +} + +.site-risk-counts-table thead > tr:first-of-type { + height: 3em; +} + +.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] { + hyphens: auto; + overflow-wrap: anywhere; + word-break: break-all; +} + +.site-risk-counts-table th[scope="row"] { + padding-right: 1%; +} + +@media screen and (max-width: 50em) { + 
.site-risk-counts-table th[scope="row"] { + padding-right: 1ch; + } +} + +.site-risk-counts-table th[scope="rowgroup"] { + padding: 0 .5ch; + vertical-align: middle; +} + +.site-risk-counts-table > tbody > tr { + border-top: .05em solid; +} + +.site-risk-counts-table th[scope="row"], .site-risk-counts-table td { + vertical-align: top; +} + +.site-risk-counts-table th[scope="col"] { + vertical-align: bottom; +} + +.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + font-family: monospace, monospace; + font-weight: bold; +} + +.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] { + font-weight: normal; +} + +.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + text-align: right; +} + +.alert-type-counts-table { + width: 100%; +} + +.alert-type-counts-table th, .alert-type-counts-table td { + padding: 0 1rem; + text-align: left; + vertical-align: top; +} + +.alert-type-counts-table td:nth-last-of-type(2) { + padding-left: 1.5rem; +} + +.alert-type-counts-table > tbody > tr { + border-bottom: 0.05em dotted; +} + +.alert-type-counts-table th[scope="col"] { + border-left: 1rem solid; +} + +.alert-type-counts-table th[scope="col"]:first-of-type { + border-left: 0; +} + +.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type { + text-align: right; +} + +.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] { + font-weight: normal; +} + +.alert-type-counts-table th[scope="row"], .alert-type-counts-table td { + padding-bottom: 1.5em; +} + +.alert-type-counts-table thead > th:first-of-type { + width: 45%; +} + +.alerts-table, .alert-types-table, .insights-table { + border-collapse: separate; + border-spacing: 2ch 1.5em; + width: 100%; +} + +.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th { + 
vertical-align: top; +} + +.alerts-table td, .alert-types-table td, .insights-table td { + overflow-wrap: anywhere; +} + +.alerts-table th, .alert-types-table th, .insights-table th { + padding: 0 1ch; +} + +.alerts-table td, .alert-types-table td { + padding: 0 2ch; +} + +.insights-table td { + padding: 0 1ch; +} + +.alerts-table summary { + margin-bottom: 1.5em; +} + +.alert-tags-list { + list-style-position: inside; + list-style-type: square; + padding-left: 0; +} + +.alert-tags-list > li { + margin-top: 0; +} + +.request-body, .response-body { + margin-top: 1.5em; +} + +.request-method-n-url { + margin-bottom: 0; +} + +.alert-types-table { + padding-top: 0; +} + +.alert-types-table th { + width: 20%; +} + +.alert-types-table ol { + list-style-position: inside; + list-style-type: square; + padding-left: 0; +} + +.alert-types-table li:not(:first-of-type) { + margin-top: 1.5em; +} + +p.alert-types-intro { + margin-bottom: 3em; +} + +.zap-logo { + height: 1em; + margin-right: .25ch; + width: 1em; +} + +h1, h2 { + font-family: Georgia, serif; +} + +.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages { + font-family: monospace, monospace; +} + +.context, .site, .request-method-n-url { + font-family: monospace, monospace; +} 
diff --git a/TestesRealizados1/QA&CICD/zap32x32.png b/TestesRealizados1/QA&CICD/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/QA&Full/QA&Full.html b/TestesRealizados1/QA&Full/QA&Full.html new file mode 100644 index 0000000..881c153 --- /dev/null +++ b/TestesRealizados1/QA&Full/QA&Full.html @@ -0,0 +1,2609 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 10:12:22 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(11.1%)
1
(11.1%)
Medium0
(0.0%)
2
(22.2%)
2
(22.2%)
0
(0.0%)
4
(44.4%)
Low0
(0.0%)
0
(0.0%)
2
(22.2%)
1
(11.1%)
3
(33.3%)
Informational0
(0.0%)
0
(0.0%)
1
(11.1%)
0
(0.0%)
1
(11.1%)
Total0
(0.0%)
2
(22.2%)
5
(55.6%)
2
(22.2%)
9
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
4
(5)
3
(8)
1
(9)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(11.1%)
Content Security Policy (CSP) Header Not SetMedium5
(55.6%)
Cross-Domain MisconfigurationMedium5
(55.6%)
Missing Anti-clickjacking HeaderMedium3
(33.3%)
Session ID in URL RewriteMedium5
(55.6%)
Private IP DisclosureLow1
(11.1%)
Timestamp Disclosure - UnixLow5
(55.6%)
X-Content-Type-Options Header MissingLow5
(55.6%)
Modern Web ApplicationInformational5
(55.6%)
Total9
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
83
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
256
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
105
+
+
Info
+
+
Informational
+
+
+
+
Percentage of network failures
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 1xx
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
68 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 3xx
+
+
28 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
9 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
6 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
66 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
98 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
171
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
42 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (307 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:54:48 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 13:41:08 GMT
          +ETag: W/"26af-19e6ed14201"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:50:29 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Session ID in URL Rewrite (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvksdH8&sid=DDmfHO9swhgnxBKzAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvksdH8&sid=DDmfHO9swhgnxBKzAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 13:51:12 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          sid
          Evidence
          DDmfHO9swhgnxBKzAAAA
          Solution +

          For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/robots.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (239 bytes) + +
          GET http://20.60.0.1:3000/robots.txt HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (378 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: text/plain; charset=utf-8
          +Content-Length: 28
          +ETag: W/"1c-8HgF6mNyhsSFK0pascC9uB0wjX0"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:50:30 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (28 bytes) + +
          User-agent: *
          +Disallow: /ftp
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Missing Anti-clickjacking Header (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvksdH8&sid=DDmfHO9swhgnxBKzAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvksdH8&sid=DDmfHO9swhgnxBKzAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 13:51:12 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          x-frame-options
          Solution +

          Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

          + +

          If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  6. + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Private IP Disclosure (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/admin/application-configuration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

          +
          Other info +

          192.168.99.100:3000

          + +

          192.168.99.100:4200

          +
          Request
          + Request line and header section (314 bytes) + +
          GET http://20.60.0.1:3000/rest/admin/application-configuration HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (389 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 23513
          +ETag: W/"5bd9-reVonwE2GOcMzw2LpzIkSqyB2OE"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:51:11 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (23513 bytes) + +
          {"config":{"server":{"port":3000,"basePath":"","baseUrl":"http://localhost:3000"},"application":{"domain":"juice-sh.op","name":"OWASP Juice Shop","logo":"JuiceShop_Logo.png","favicon":"favicon_js.ico","theme":"bluegrey-lightgreen","showVersionNumber":true,"showGitHubLinks":true,"localBackupEnabled":true,"numberOfRandomFakeUsers":0,"altcoinName":"Juicycoin","privacyContactEmail":"donotreply@owasp-juice.shop","customMetricsPrefix":"juiceshop","chatBot":{"name":"Juicy the Smart Assistant","avatar":"JuicyChatBot.png","model":"gemma4:e4b","llmMaxRetries":2,"sampleQuestions":["CHATBOT_PROMPT_RECOMMENDATION_SUMMER_PARTY","CHATBOT_PROMPT_RECOMMENDATION_POPULAR","CHATBOT_PROMPT_RECOMMENDATION_SUGAR_FREE","CHATBOT_PROMPT_RECOMMENDATION_START_DAY","CHATBOT_PROMPT_RECOMMENDATION_SEASONAL"]},"social":{"blueSkyUrl":"https://bsky.app/profile/owasp-juice.shop","mastodonUrl":"https://fosstodon.org/@owasp_juiceshop","twitterUrl":"https://twitter.com/owasp_juiceshop","facebookUrl":"https://www.facebook.com/owasp.juiceshop","slackUrl":"https://owasp.org/slack/invite","redditUrl":"https://www.reddit.com/r/owasp_juiceshop","pressKitUrl":"https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop","nftUrl":"https://opensea.io/collection/juice-shop","questionnaireUrl":null},"recyclePage":{"topProductImage":"fruit_press.jpg","bottomProductImage":"apple_pressings.jpg"},"welcomeBanner":{"showOnFirstStart":true,"title":"Welcome to OWASP Juice Shop!","message":"<p>Being a web application with a vast number of intended security vulnerabilities, the <strong>OWASP Juice Shop</strong> is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. 
The <strong>OWASP Juice Shop</strong> is an open-source project hosted by the non-profit <a href='https://owasp.org' target='_blank'>Open Worldwide Application Security Project (OWASP)</a> and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.</p><h1><a href='https://owasp-juice.shop' target='_blank'>https://owasp-juice.shop</a></h1>"},"cookieConsent":{"message":"This website uses fruit cookies to ensure you get the juiciest tracking experience.","dismissText":"Me want it!","linkText":"But me wait!","linkUrl":"https://www.youtube.com/watch?v=9PnbKL3wuH4"},"securityTxt":{"contact":"mailto:donotreply@owasp-juice.shop","encryption":"https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda","acknowledgements":"/#/score-board","hiring":"/#/jobs","csaf":"/.well-known/csaf/provider-metadata.json"},"promotion":{"video":"owasp_promo.mp4","subtitles":"owasp_promo.vtt"},"easterEggPlanet":{"name":"Orangeuze","overlayMap":"orangemap2k.avif"},"googleOauth":{"clientId":"1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq.apps.googleusercontent.com","authorizedRedirects":[{"uri":"https://demo.owasp-juice.shop"},{"uri":"https://juice-shop.herokuapp.com"},{"uri":"https://preview.owasp-juice.shop"},{"uri":"https://juice-shop-staging.herokuapp.com"},{"uri":"https://juice-shop.wtf"},{"uri":"http://localhost:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://127.0.0.1:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://localhost:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://127.0.0.1:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://192.168.99.100:3000","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://192.168.99.100:4200","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:3000","proxy":"https://localchromeos.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:4
200","proxy":"https://localchromeos.owasp-juice.shop"}]}},"challenges":{"showSolvedNotifications":true,"showHints":true,"showMitigations":true,"codingChallengesEnabled":"solved","restrictToTutorialsFirst":false,"overwriteUrlForProductTamperingChallenge":"https://owasp.slack.com","xssBonusPayload":"<iframe width=\"100%\" height=\"166\" scrolling=\"no\" frameborder=\"no\" allow=\"autoplay\" src=\"https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true\"></iframe>","safetyMode":"auto","csafHashValue":"7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843","metricsIgnoredUserAgents":["Prometheus","Alloy","promscrape","otelcol"]},"hackingInstructor":{"isEnabled":true,"avatarImage":"JuicyBot.png","hintPlaybackSpeed":"normal"},"products":[{"name":"Apple Juice (1000ml)","price":1.99,"deluxePrice":0.99,"limitPerUser":5,"description":"The all-time classic.","image":"apple_juice.jpg","reviews":[{"text":"One of my favorites!","author":"admin"},{"text":"Great! We'll have an apple party. Everyone brings an apple and - STUFFS IT DOWN EACH OTHER'S THROAT!","author":"basil"}]},{"name":"Orange Juice (1000ml)","description":"Made from oranges hand-picked by Uncle Dittmeyer.","price":2.99,"deluxePrice":2.49,"image":"orange_juice.jpg","reviews":[{"text":"y0ur f1r3wall needs m0r3 musc13","author":"uvogin"}]},{"name":"Eggfruit Juice (500ml)","description":"Now with even more exotic flavour.","price":8.99,"image":"eggfruit_juice.jpg","reviews":[{"text":"I bought it, would buy again. 
5/7","author":"admin"}]},{"name":"Raspberry Juice (1000ml)","description":"Made from blended Raspberry Pi, water and sugar.","price":4.99,"image":"raspberry_juice.jpg"},{"name":"Lemon Juice (500ml)","description":"Sour but full of vitamins.","price":2.99,"deluxePrice":1.99,"limitPerUser":5,"image":"lemon_juice.jpg"},{"name":"Banana Juice (1000ml)","description":"Monkeys love it the most.","price":1.99,"image":"banana_juice.jpg","reviews":[{"text":"Fry liked it too.","author":"bender"}]},{"name":"OWASP Juice Shop T-Shirt","description":"Real fans wear it 24/7!","price":22.49,"limitPerUser":5,"image":"fan_shirt.jpg"},{"name":"OWASP Juice Shop CTF Girlie-Shirt","description":"For serious Capture-the-Flag heroines only!","price":22.49,"image":"fan_girlie.jpg"},{"name":"OWASP SSL Advanced Forensic Tool (O-Saft)","description":"O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.","price":0.01,"image":"orange_juice.jpg","urlForProductTamperingChallenge":"https://www.owasp.org/index.php/O-Saft"},{"name":"Christmas Super-Surprise-Box (2014 Edition)","description":"Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!","price":29.99,"image":"undefined.jpg","useForChristmasSpecialChallenge":true},{"name":"Rippertuer Special Juice","description":"Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span>","price":16.99,"image":"undefined.jpg","keywordsForPastebinDataLeakChallenge":["hueteroneel","eurogium edule"]},{"name":"OWASP Juice Shop Sticker (2015/2016 design)","description":"Die-cut sticker with the official 2015/2016 logo. 
By now this is a rare collectors item. <em>Out of stock!</em>","price":999.99,"image":"sticker.png","deletedDate":"2017-04-28"},{"name":"OWASP Juice Shop Iron-Ons (16pcs)","description":"Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!","price":14.99,"image":"iron-on.jpg"},{"name":"OWASP Juice Shop Magnets (16pcs)","description":"Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!","price":15.99,"image":"magnets.jpg"},{"name":"OWASP Juice Shop Sticker Page","description":"Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.","price":9.99,"image":"sticker_page.jpg"},{"name":"OWASP Juice Shop Sticker Single","description":"Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!","price":4.99,"image":"sticker_single.jpg"},{"name":"OWASP Juice Shop Temporary Tattoos (16pcs)","description":"Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! 
Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!","price":14.99,"image":"tattoo.jpg","reviews":[{"text":"I straight-up gots nuff props fo'these tattoos!","author":"rapper"}]},{"name":"OWASP Juice Shop Mug","description":"Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!","price":21.99,"image":"fan_mug.jpg"},{"name":"OWASP Juice Shop Hoodie","description":"Mr. Robot-style apparel. But in black. And with logo.","price":49.99,"image":"fan_hoodie.jpg"},{"name":"OWASP Juice Shop-CTF Velcro Patch","description":"4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!","price":2.92,"quantity":5,"limitPerUser":5,"image":"velcro-patch.jpg","reviews":[{"text":"This thang would look phat on Bobby's jacked fur coat!","author":"rapper"},{"text":"Looks so much better on my uniform than the boring Starfleet symbol.","author":"jim"}]},{"name":"Woodruff Syrup \"Forest Master X-Treme\"","description":"Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.","price":6.99,"image":"woodruff_syrup.jpg"},{"name":"Green Smoothie","description":"Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.","price":1.99,"image":"green_smoothie.jpg","reviews":[{"text":"Fresh out of a replicator.","author":"jim"}]},{"name":"Quince Juice (1000ml)","description":"Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.","price":4.99,"image":"quince.jpg"},{"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"limitPerUser":5,"image":"apple_pressings.jpg"},{"name":"Fruit Press","description":"Fruits go in. 
Juice comes out. Pomace you can send back to us for recycling purposes.","price":89.99,"image":"fruit_press.jpg"},{"name":"OWASP Juice Shop Logo (3D-printed)","description":"This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.","price":99.99,"image":"3d_keychain.jpg","fileForRetrieveBlueprintChallenge":"JuiceShop.stl","exifForBlueprintChallenge":["OpenSCAD"]},{"name":"Juice Shop Artwork","description":"Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.","price":278.74,"quantity":0,"image":"artwork.jpg","deletedDate":"2020-12-24"},{"name":"Global OWASP WASPY Award 2017 Nomination","description":"Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>","price":0.03,"image":"waspy.png","deletedDate":"2017-07-01"},{"name":"Strawberry Juice (500ml)","description":"Sweet & tasty!","price":3.99,"image":"strawberry_juice.jpeg"},{"name":"Carrot Juice (1000ml)","description":"As the old German saying goes: \"Carrots are good for the eyes. 
Or has anyone ever seen a rabbit with glasses?\"","price":2.99,"image":"carrot_juice.jpeg","reviews":[{"text":"0 st4rs f0r 7h3 h0rr1bl3 s3cur17y","author":"uvogin"}]},{"name":"OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)","description":"10 sheets of Sweden-themed stickers with 15 stickers on each.","price":19.1,"image":"stickersheet_se.png","deletedDate":"2017-09-20"},{"name":"Pwning OWASP Juice Shop","description":"<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!","price":5.99,"image":"cover_small.jpg","reviews":[{"text":"Even more interesting than watching Interdimensional Cable!","author":"morty"}]},{"name":"Melon Bike (Comeback-Product 2018 Edition)","description":"The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.","price":2999,"quantity":3,"limitPerUser":1,"image":"melon_bike.jpeg"},{"name":"OWASP Juice Shop Coaster (10pcs)","description":"Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.","price":19.99,"quantity":0,"image":"coaster.jpg"},{"name":"OWASP Snakes and Ladders - Web Applications","description":"This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!","price":0.01,"quantity":8,"image":"snakes_ladders.jpg","reviews":[{"text":"Wait for a 10$ Steam sale of Tabletop Simulator!","author":"bjoernOwasp"}]},{"name":"OWASP Snakes and Ladders - Mobile Apps","description":"This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> 
now!","price":0.01,"quantity":0,"image":"snakes_ladders_m.jpg","reviews":[{"text":"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!","author":"rapper"}]},{"name":"OWASP Juice Shop Holographic Sticker","description":"Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!","price":2,"quantity":0,"image":"holo_sticker.png","reviews":[{"text":"Rad, dude!","author":"rapper"},{"text":"Looks spacy on Bones' new tricorder!","author":"jim"},{"text":"Will put one on the Planet Express ship's bumper!","author":"bender"}]},{"name":"OWASP Juice Shop \"King of the Hill\" Facemask","description":"Facemask with compartment for filter from 50% cotton and 50% polyester.","price":13.49,"quantity":0,"limitPerUser":1,"image":"fan_facemask.jpg","reviews":[{"text":"K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!","author":"uvogin"},{"text":"Puny mask for puny human weaklings!","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Common)","description":"Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":2.99,"deluxePrice":0.99,"deletedDate":"2020-11-30","limitPerUser":5,"image":"ccg_common.png","reviews":[{"text":"Ooooh, puny human playing Mau Mau, now?","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Super Rare)","description":"Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":99.99,"deluxePrice":69.99,"deletedDate":"2020-11-30","quantity":2,"limitPerUser":1,"image":"ccg_foil.png","reviews":[{"text":"Mau Mau with bling-bling? 
Humans are so pathetic!","author":"bender"}]},{"name":"Juice Shop \"Permafrost\" 2020 Edition","description":"Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.","price":9999.99,"quantity":1,"limitPerUser":1,"image":"permafrost.jpg","reviews":[{"text":"🧊 Let it go, let it go 🎶 Can't hold it back anymore 🎶 Let it go, let it go 🎶 Turn away and slam the door ❄️","author":"rapper"}]},{"name":"Best Juice Shop Salesman Artwork","description":"Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.","price":5000,"quantity":1,"image":"artwork2.jpg","reviews":[{"text":"I'd stand on my head to make you a deal for this piece of art.","author":"stan"},{"text":"Just when my opinion of humans couldn't get any lower, along comes Stan...","author":"bender"}]},{"name":"OWASP Juice Shop Card (non-foil)","description":"Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!","price":1000,"quantity":3,"limitPerUser":1,"image":"card_alpha.jpg","reviews":[{"text":"DO NOT PLAY WITH THIS! 
Double-sleeve, then put it in the GitHub Arctic Vault for perfect preservation and boost of secondary market value!","author":"accountant"}]},{"name":"20th Anniversary Celebration Ticket","description":"Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!","price":1e-20,"deletedDate":"2021-09-25","limitPerUser":1,"image":"20th.jpeg","reviews":[{"text":"I'll be there! Will you, too?","author":"bjoernOwasp"}]},{"name":"OWASP Juice Shop LEGO™ Tower","description":"Want to host a Juice Shop CTF in style? Build <a href=\"https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/lego/OWASP%20JuiceShop%20Pi-server%201.2.pdf\" target=\"_blank\">your own LEGO™ tower</a> which holds four Raspberry Pi 4 models with PoE HAT modules <a href=\"https://github.com/juice-shop/multi-juicer/blob/main/guides/raspberry-pi/raspberry-pi.md\" target=\"_blank\">running a MultiJuicer Kubernetes cluster</a>! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!","price":799,"quantity":3,"limitPerUser":1,"image":"lego_case.jpg","reviews":[{"text":"Check out the /#/photo-wall for some impressions of the assembly process!","author":"bjoernOwasp"}]},{"name":"DSOMM & Juice Shop User Day Ticket","description":"You are going to the OWASP Global AppSec San Francisco 2024? <a href=\"https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707\" target=\"_blank\">Get a ticket<sup>*</sup></a> for this amazing side event as well! 
Check the juice-packed agenda <a href=\"https://owasp.org/www-project-juice-shop/#div-userday2024\" target=\"_blank\">here</a> for all the details!<br><br><small><small><sup>*</sup>=scroll down to <strong>Elevate: DSOMM and Juice Shop User Day (Sept. 25)</strong> after clicking <em>Get Tickets</em> on Eventbrite. Ticket price set to only covers fees for room, AV, and catering throughout the day.</small></small>","price":55.2,"deletedDate":"2024-09-26","limitPerUser":1,"image":"user_day_ticket.png","reviews":[{"text":"The DSOMM Live Assessment session will even use Juice Shop as its \"real-world\" example!","author":"timo"},{"text":"We will showcase the amazing MultiJuicer Lego Tower at this event!","author":"jannik"}]},{"name":"Pineapple Juice (1000ml)","description":"Tropical refreshment from the finest sun-ripened pineapples.","price":2.99,"image":"pineapple_juice.png"},{"name":"Melon Juice (1000ml)","description":"Refreshing and sweet juice made from ripe melons.","price":2.49,"image":"melon_juice.png"},{"name":"Grape Juice (1000ml)","description":"Deep purple and full of antioxidants from selected grapes.","price":2.99,"image":"grape_juice.png"},{"name":"Dragonfruit Juice (500ml)","description":"Exotic and vibrant juice made from dragonfruit.","price":3.99,"image":"dragonfruit_juice.png"},{"name":"Berry Juice (1000ml)","description":"A delicious blend of fresh forest berries.","price":3.49,"image":"berry_juice.png"},{"name":"Basil Smoothie","description":"A unique blend of fresh basil and ginger for a healthy kick.","price":2.99,"image":"basil_smoothie.png","reviews":[{"text":"(ง'̀-'́)ง","author":"basil"}]},{"name":"Bragă (500ml)","description":"Traditional Balkan drink made from fermented millet. Lightly sweet-sour, refreshing, and naturally energizing.","price":2.49,"image":"braga.jpg"},{"name":"Elderflower Cordial (500ml)","description":"Floral and fragrant soft drink made from elderflowers. 
Traditionally enjoyed chilled.","price":3.29,"image":"elderflower_cordial.jpg"},{"name":"Sea Buckthorn Juice (500ml)","description":"Tangy and slightly sour juice, extremely rich in Vitamin C and antioxidants.","price":3.99,"image":"sea_buckthorn_juice.jpg"},{"name":"Pomegranate Drink (500ml)","description":"A sweet and tart refreshment inspired by classic grenadine flavors.","price":4.49,"image":"pomegranate_drink.jpg"}],"memories":[{"image":"magn(et)ificent!-1571814229653.jpg","caption":"Magn(et)ificent!","user":"bjoernGoogle"},{"image":"my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg","caption":"My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]","user":"bjoernGoogle"},{"image":"favorite-hiking-place.png","caption":"I love going hiking here...","geoStalkingMetaSecurityQuestion":14,"geoStalkingMetaSecurityAnswer":"Daniel Boone National Forest"},{"image":"IMG_4253.jpg","caption":"My old workplace...","geoStalkingVisualSecurityQuestion":10,"geoStalkingVisualSecurityAnswer":"ITsec"},{"image":"BeeHaven.png","caption":"Welcome to the Bee Haven (/#/bee-haven)🐝","user":"evm"},{"image":"sorted-the-pieces,-starting-assembly-process-1721152307290.jpg","caption":"Sorted the pieces, starting assembly process...","user":"bjoernOwasp"},{"image":"building-something-literally-bottom-up-1721152342603.jpg","caption":"Building something literally bottom up...","user":"bjoernOwasp"},{"image":"putting-in-the-hardware-1721152366854.jpg","caption":"Putting in the hardware...","user":"bjoernOwasp"},{"image":"everything-up-and-running!-1721152385146.jpg","caption":"Everything up and running!","user":"bjoernOwasp"}],"ctf":{"showFlagsInNotifications":false,"showCountryDetailsInNotifications":"none","countryMapping":null,"systemWideNotifications":{"url":null,"pollFrequencySeconds":null}}}}
          + + +
          Evidence
          192.168.99.100:3000
          Solution +

          Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + X-Content-Type-Options Header Missing (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvksd6e + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          +
          Other info +

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          + +

          At "High" threshold this scan rule will not alert on client or server error responses.

          +
          Request
          + Request line and header section (292 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvksd6e HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 96
          +Date: Thu, 28 May 2026 13:51:11 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (96 bytes) + +
          0{"sid":"DDmfHO9swhgnxBKzAAAA","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}
          + + +
          Parameter
          x-content-type-options
          Solution +

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          + +

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  8. + +
  9. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 13:41:08 GMT
          +ETag: W/"26af-19e6ed14201"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:50:30 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + + + + +
  11. +

    + Risk=Informational, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 13:41:08 GMT
          +ETag: W/"26af-19e6ed14201"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 13:50:29 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  12. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Missing Anti-clickjacking Header

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Anti-clickjacking Header) + +
    CWE ID1021
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    2. +
    +
    +
  8. +
  9. +

    Session ID in URL Rewrite

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session ID in URL Rewrite) + +
    CWE ID598
    WASC ID13
    Reference +
      +
    1. https://seclists.org/webappsec/2002/q4/111
    2. +
    +
    +
  10. +
  11. +

    Private IP Disclosure

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Private IP Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://datatracker.ietf.org/doc/html/rfc1918
    2. +
    +
    +
  12. +
  13. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  14. +
  15. +

    X-Content-Type-Options Header Missing

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (X-Content-Type-Options Header Missing) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. +
    3. https://owasp.org/www-community/Security_Headers
    4. +
    +
    +
  16. +
  17. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  18. +
+
+
+ +
+
+
+
+
+
diff --git a/TestesRealizados1/QA&Full/normalize/LICENSE.md b/TestesRealizados1/QA&Full/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/QA&Full/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/QA&Full/normalize/normalize.css b/TestesRealizados1/QA&Full/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/QA&Full/normalize/normalize.css
@@ -0,0 +1,349 @@ +/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */ + +/* Document + ========================================================================== */ + +/** + * 1. Correct the line height in all browsers. + * 2. Prevent adjustments of font size after orientation changes in iOS. + */ + +html { + line-height: 1.15; /* 1 */ + -webkit-text-size-adjust: 100%; /* 2 */ +} + +/* Sections + ========================================================================== */ + +/** + * Remove the margin in all browsers. + */ + +body { + margin: 0; +} + +/** + * Render the `main` element consistently in IE. + */ + +main { + display: block; +} + +/** + * Correct the font size and margin on `h1` elements within `section` and + * `article` contexts in Chrome, Firefox, and Safari. + */ + +h1 { + font-size: 2em; + margin: 0.67em 0; +} + +/* Grouping content + ========================================================================== */ + +/** + * 1. Add the correct box sizing in Firefox. + * 2. Show the overflow in Edge and IE. + */ + +hr { + box-sizing: content-box; /* 1 */ + height: 0; /* 1 */ + overflow: visible; /* 2 */ +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +pre { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/* Text-level semantics + ========================================================================== */ + +/** + * Remove the gray background on active links in IE 10. + */ + +a { + background-color: transparent; +} + +/** + * 1. Remove the bottom border in Chrome 57- + * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari. + */ + +abbr[title] { + border-bottom: none; /* 1 */ + text-decoration: underline; /* 2 */ + text-decoration: underline dotted; /* 2 */ +} + +/** + * Add the correct font weight in Chrome, Edge, and Safari. 
+ */ + +b, +strong { + font-weight: bolder; +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +code, +kbd, +samp { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/** + * Add the correct font size in all browsers. + */ + +small { + font-size: 80%; +} + +/** + * Prevent `sub` and `sup` elements from affecting the line height in + * all browsers. + */ + +sub, +sup { + font-size: 75%; + line-height: 0; + position: relative; + vertical-align: baseline; +} + +sub { + bottom: -0.25em; +} + +sup { + top: -0.5em; +} + +/* Embedded content + ========================================================================== */ + +/** + * Remove the border on images inside links in IE 10. + */ + +img { + border-style: none; +} + +/* Forms + ========================================================================== */ + +/** + * 1. Change the font styles in all browsers. + * 2. Remove the margin in Firefox and Safari. + */ + +button, +input, +optgroup, +select, +textarea { + font-family: inherit; /* 1 */ + font-size: 100%; /* 1 */ + line-height: 1.15; /* 1 */ + margin: 0; /* 2 */ +} + +/** + * Show the overflow in IE. + * 1. Show the overflow in Edge. + */ + +button, +input { /* 1 */ + overflow: visible; +} + +/** + * Remove the inheritance of text transform in Edge, Firefox, and IE. + * 1. Remove the inheritance of text transform in Firefox. + */ + +button, +select { /* 1 */ + text-transform: none; +} + +/** + * Correct the inability to style clickable types in iOS and Safari. + */ + +button, +[type="button"], +[type="reset"], +[type="submit"] { + -webkit-appearance: button; +} + +/** + * Remove the inner border and padding in Firefox. 
+ */ + +button::-moz-focus-inner, +[type="button"]::-moz-focus-inner, +[type="reset"]::-moz-focus-inner, +[type="submit"]::-moz-focus-inner { + border-style: none; + padding: 0; +} + +/** + * Restore the focus styles unset by the previous rule. + */ + +button:-moz-focusring, +[type="button"]:-moz-focusring, +[type="reset"]:-moz-focusring, +[type="submit"]:-moz-focusring { + outline: 1px dotted ButtonText; +} + +/** + * Correct the padding in Firefox. + */ + +fieldset { + padding: 0.35em 0.75em 0.625em; +} + +/** + * 1. Correct the text wrapping in Edge and IE. + * 2. Correct the color inheritance from `fieldset` elements in IE. + * 3. Remove the padding so developers are not caught out when they zero out + * `fieldset` elements in all browsers. + */ + +legend { + box-sizing: border-box; /* 1 */ + color: inherit; /* 2 */ + display: table; /* 1 */ + max-width: 100%; /* 1 */ + padding: 0; /* 3 */ + white-space: normal; /* 1 */ +} + +/** + * Add the correct vertical alignment in Chrome, Firefox, and Opera. + */ + +progress { + vertical-align: baseline; +} + +/** + * Remove the default vertical scrollbar in IE 10+. + */ + +textarea { + overflow: auto; +} + +/** + * 1. Add the correct box sizing in IE 10. + * 2. Remove the padding in IE 10. + */ + +[type="checkbox"], +[type="radio"] { + box-sizing: border-box; /* 1 */ + padding: 0; /* 2 */ +} + +/** + * Correct the cursor style of increment and decrement buttons in Chrome. + */ + +[type="number"]::-webkit-inner-spin-button, +[type="number"]::-webkit-outer-spin-button { + height: auto; +} + +/** + * 1. Correct the odd appearance in Chrome and Safari. + * 2. Correct the outline style in Safari. + */ + +[type="search"] { + -webkit-appearance: textfield; /* 1 */ + outline-offset: -2px; /* 2 */ +} + +/** + * Remove the inner padding in Chrome and Safari on macOS. + */ + +[type="search"]::-webkit-search-decoration { + -webkit-appearance: none; +} + +/** + * 1. Correct the inability to style clickable types in iOS and Safari. 
+ * 2. Change font properties to `inherit` in Safari. + */ + +::-webkit-file-upload-button { + -webkit-appearance: button; /* 1 */ + font: inherit; /* 2 */ +} + +/* Interactive + ========================================================================== */ + +/* + * Add the correct display in Edge, IE 10+, and Firefox. + */ + +details { + display: block; +} + +/* + * Add the correct display in all browsers. + */ + +summary { + display: list-item; +} + +/* Misc + ========================================================================== */ + +/** + * Add the correct display in IE 10+. + */ + +template { + display: none; +} + +/** + * Add the correct display in IE 10. + */ + +[hidden] { + display: none; +} diff --git a/TestesRealizados1/QA&Full/themes/original/colors.css b/TestesRealizados1/QA&Full/themes/original/colors.css new file mode 100644 index 0000000..fd3b963 --- /dev/null +++ b/TestesRealizados1/QA&Full/themes/original/colors.css 
@@ -0,0 +1,139 @@ +body { + background-color: #306aa0; + background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%); +} + +main, footer { + background-color: #fff; +} + +header { + background-color: #00549e; + color: #fff; +} + +a:link { + color: #004380; +} + +a:visited { + color: #770d67; +} + +a:focus { + background-color: #ffd54d; +} + +a:hover { + background-color: #ffd54d; +} + +a:active { + background-color: #ffd54d; + color: #003261; + outline-color: #f4ba00; +} + +header a:link { + color: #f2f7fd; +} + +header a:visited { + color: #f2b5e9; +} + +header a:focus { + background-color: #ffd54d; + color: #004380; +} + +header a:hover { + background-color: #ffd54d; + color: #004380; +} + +header a:active { + background-color: #ffd54d; + color: #003261; + outline-color: #fff6db; +} + +summary:focus { + background-color: #ffd54d; +} + +summary:hover { + background-color: #ffd54d; +} + +summary:active { + background-color: #ffd54d; + color: #003261; + outline-color: #f4ba00; +} + +h2, h3, h4, h5, h6 { + color: #00549e; +} + +.risk-level, .confidence-level { + color: #00549e; +} + +.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] { + background-color: #00549e; + color: #fff; +} + +.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + color: #00549e; +} + +.risk-confidence-counts-table > tbody > tr { + border-top-color: #00549e; +} + +.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] { + background-color: #00549e; + color: #fff; +} + +.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + color: #00549e; +} + +.site-risk-counts-table > tbody > tr { + border-top-color: #00549e; +} + +.alert-type-counts-table > tbody > tr { + border-bottom-color: #00549e; +} + +.alert-type-counts-table th[scope="col"] { + background-color: #00549e; + color: #fff; +} + 
+.alert-type-counts-table th[scope="col"] { + border-left-color: #fff; +} + +.alerts-table th, .alert-types-table th { + background-color: #306aa0; + color: #fff; +} + +.additional-info-percentages { + color: #00549e; +} + +.insights-table > tbody > tr { + border-bottom-color: #00549e; +} + +.insights-table th[scope="col"] { + background-color: #00549e; + border-left-color: #fff; + color: #fff; +} diff --git a/TestesRealizados1/QA&Full/themes/original/main.css b/TestesRealizados1/QA&Full/themes/original/main.css new file mode 100644 index 0000000..050bd3f --- /dev/null +++ b/TestesRealizados1/QA&Full/themes/original/main.css 
@@ -0,0 +1,417 @@ +*, *::after, *::before { + box-sizing: border-box; +} + +h1, h2, h3, h4, h5, h6 { + margin: 0; + padding: 0; +} + +pre, ul { + margin: 0; +} + +ol { + list-style-type: none; +} + +h1 { + font-size: 3em; +} + +h2 { + font-size: 2em; +} + +h3, h4, h5, h6 { + font-size: 1em; +} + +html { + box-sizing: border-box; + font-family: Verdana, sans-serif; + line-height: 1.5; +} + +body { + margin: 1.5em 0; +} + +@media screen and (min-width: 50em) { + body { + margin: 1.5em 2ch; + padding: 1.5em 2ch; + } +} + +a:active, header a:active { + outline-style: solid; +} + +header, main { + margin: 0 auto; + max-width: 90ch; + padding: 1.5em 4ch; +} + +header { + border-radius: .25em .25em 0 0; +} + +main { + border-radius: 0 0 .25em .25em; +} + +summary { + cursor: pointer; +} + +.contents { + margin-top: 1.5em; +} + +main > section { + margin-bottom: 4.5em; +} + +.about-this-report > section { + margin-bottom: 3em; +} + +.summaries section { + margin-bottom: 3em; +} + +h2 { + margin-bottom: .75em; +} + +h3 { + margin-bottom: 1.5em; +} + +h4 { + margin-bottom: 1.5em; +} + +.report-parameters--container h4 { + margin-top: 1.5em; +} + +p { + margin: 1.5em 0; +} + +p:first-of-type { + margin-top: 0; +} + +p:last-of-type { + margin-bottom: 0; +} + +.contents li, .alerts li, .alert-types > ol > li { + margin-top: 1.5em; +} + +.alert-types h4 { + margin-bottom: 0; +} + +a { + border-radius: .125em; +} + +caption { + margin-bottom: 1.5em; + text-align: left; +} + +code, .request-method-n-url { + overflow-wrap: anywhere; + white-space: break-spaces; +} + +table { + border-collapse: collapse; +} + +.report-description--container, .report-parameters--container { + margin-left: 2ch; + padding: 0 2ch; +} + +.about-this-report h3, .summaries h3, .appendix h3 { + border-bottom: .05em solid; +} + +.alerts h4 { + text-align: center; +} + +.alerts ol { + padding-left: 0; +} + +.alerts--site-li { + border: .05em solid; + border-radius: .25em; + margin-left: 2ch; + padding: 1.5em 
3ch; +} + +.contents ol { + list-style-position: inside; + list-style-type: square; + padding-left: 4ch; +} + +.contexts-list, .sites-list { + list-style-type: square; +} + +.risk-confidence-counts-table { + width: 100%; +} + +.risk-confidence-counts-table tr { + height: 4.5em; +} + +.risk-confidence-counts-table thead > tr { + height: 3em; +} + +.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] { + hyphens: auto; + overflow-wrap: anywhere; + word-break: break-all; +} + +.risk-confidence-counts-table th[scope="row"] { + padding-right: 5%; +} + +@media screen and (max-width: 50em) { + .risk-confidence-counts-table th[scope="row"] { + padding-right: 1ch; + } +} + +.risk-confidence-counts-table th[scope="rowgroup"] { + padding: 0 .5ch; + vertical-align: middle; +} + +.risk-confidence-counts-table > tbody > tr { + border-top: .05em solid; +} + +.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td { + vertical-align: top; +} + +.risk-confidence-counts-table th[scope="col"] { + vertical-align: bottom; +} + +.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + font-family: monospace, monospace; + font-weight: bold; +} + +.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] { + font-weight: normal; +} + +.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] { + text-align: right; +} + +.site-risk-counts-table { + width: 100%; +} + +.site-risk-counts-table tr { + height: 4.5em; +} + +.site-risk-counts-table thead > tr:first-of-type { + height: 3em; +} + +.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] { + hyphens: auto; + overflow-wrap: anywhere; + word-break: break-all; +} + +.site-risk-counts-table th[scope="row"] { + padding-right: 1%; +} + +@media screen and (max-width: 50em) { + 
.site-risk-counts-table th[scope="row"] { + padding-right: 1ch; + } +} + +.site-risk-counts-table th[scope="rowgroup"] { + padding: 0 .5ch; + vertical-align: middle; +} + +.site-risk-counts-table > tbody > tr { + border-top: .05em solid; +} + +.site-risk-counts-table th[scope="row"], .site-risk-counts-table td { + vertical-align: top; +} + +.site-risk-counts-table th[scope="col"] { + vertical-align: bottom; +} + +.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + font-family: monospace, monospace; + font-weight: bold; +} + +.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] { + font-weight: normal; +} + +.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] { + text-align: right; +} + +.alert-type-counts-table { + width: 100%; +} + +.alert-type-counts-table th, .alert-type-counts-table td { + padding: 0 1rem; + text-align: left; + vertical-align: top; +} + +.alert-type-counts-table td:nth-last-of-type(2) { + padding-left: 1.5rem; +} + +.alert-type-counts-table > tbody > tr { + border-bottom: 0.05em dotted; +} + +.alert-type-counts-table th[scope="col"] { + border-left: 1rem solid; +} + +.alert-type-counts-table th[scope="col"]:first-of-type { + border-left: 0; +} + +.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type { + text-align: right; +} + +.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] { + font-weight: normal; +} + +.alert-type-counts-table th[scope="row"], .alert-type-counts-table td { + padding-bottom: 1.5em; +} + +.alert-type-counts-table thead > th:first-of-type { + width: 45%; +} + +.alerts-table, .alert-types-table, .insights-table { + border-collapse: separate; + border-spacing: 2ch 1.5em; + width: 100%; +} + +.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th { + 
vertical-align: top; +} + +.alerts-table td, .alert-types-table td, .insights-table td { + overflow-wrap: anywhere; +} + +.alerts-table th, .alert-types-table th, .insights-table th { + padding: 0 1ch; +} + +.alerts-table td, .alert-types-table td { + padding: 0 2ch; +} + +.insights-table td { + padding: 0 1ch; +} + +.alerts-table summary { + margin-bottom: 1.5em; +} + +.alert-tags-list { + list-style-position: inside; + list-style-type: square; + padding-left: 0; +} + +.alert-tags-list > li { + margin-top: 0; +} + +.request-body, .response-body { + margin-top: 1.5em; +} + +.request-method-n-url { + margin-bottom: 0; +} + +.alert-types-table { + padding-top: 0; +} + +.alert-types-table th { + width: 20%; +} + +.alert-types-table ol { + list-style-position: inside; + list-style-type: square; + padding-left: 0; +} + +.alert-types-table li:not(:first-of-type) { + margin-top: 1.5em; +} + +p.alert-types-intro { + margin-bottom: 3em; +} + +.zap-logo { + height: 1em; + margin-right: .25ch; + width: 1em; +} + +h1, h2 { + font-family: Georgia, serif; +} + +.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages { + font-family: monospace, monospace; +} + +.context, .site, .request-method-n-url { + font-family: monospace, monospace; +} 
diff --git a/TestesRealizados1/QA&Full/zap32x32.png b/TestesRealizados1/QA&Full/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/QA&Standard/QA&Standard.html b/TestesRealizados1/QA&Standard/QA&Standard.html new file mode 100644 index 0000000..aaf3d1f --- /dev/null +++ b/TestesRealizados1/QA&Standard/QA&Standard.html @@ -0,0 +1,2768 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 10:52:40 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(10.0%)
1
(10.0%)
Medium0
(0.0%)
2
(20.0%)
2
(20.0%)
0
(0.0%)
4
(40.0%)
Low0
(0.0%)
0
(0.0%)
2
(20.0%)
1
(10.0%)
3
(30.0%)
Informational0
(0.0%)
1
(10.0%)
1
(10.0%)
0
(0.0%)
2
(20.0%)
Total0
(0.0%)
3
(30.0%)
5
(50.0%)
2
(20.0%)
10
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
4
(5)
3
(8)
2
(10)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(10.0%)
Content Security Policy (CSP) Header Not SetMedium5
(50.0%)
Cross-Domain MisconfigurationMedium5
(50.0%)
Missing Anti-clickjacking HeaderMedium4
(40.0%)
Session ID in URL RewriteMedium5
(50.0%)
Private IP DisclosureLow1
(10.0%)
Timestamp Disclosure - UnixLow5
(50.0%)
X-Content-Type-Options Header MissingLow5
(50.0%)
Modern Web ApplicationInformational5
(50.0%)
Session Management Response IdentifiedInformational1
(10.0%)
Total10
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
91
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
262
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
95
+
+
Low
+
+
Exceeded Low
+
+
+
+
Percentage of network failures
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 1xx
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
78 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 3xx
+
+
17 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
9 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
6 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
3 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
66 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
97 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
174
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
83 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (403 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +Cookie: language=en; continueCode=y1OzBZxNpnLrM5WmgEKv8XakQ7DA6LcQGJ6yOlV9Pow1jYqbz2eRB34oE5mM
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 14:42:26 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 14:15:52 GMT
          +ETag: W/"26af-19e6ef1100f"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 14:29:22 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Session ID in URL Rewrite (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvl01Q-&sid=90ylhU5mJ94Lfd2KAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

          +
          Request
          + Request line and header section (317 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvl01Q-&sid=90ylhU5mJ94Lfd2KAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (231 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 612
          +Date: Thu, 28 May 2026 14:32:20 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (612 bytes) + +
          40{"sid":"Al2JOUif0zWAxvtPAAAB"}42["server started"]42["challenge solved",{"key":"errorHandlingChallenge","name":"Error Handling","challenge":"Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)","flag":"9c297196ecf8890bc1e900fcf3aebae8c9f9880a","hidden":false,"isRestore":false,"codingChallenge":false}]42["challenge solved",{"key":"directoryListingChallenge","name":"Confidential Document","challenge":"Confidential Document (Access a confidential document.)","flag":"8d2072c6b0a455608ca1a293dc0c9579883fc6a5","hidden":false,"isRestore":false,"codingChallenge":true}]
          + + +
          Parameter
          sid
          Evidence
          90ylhU5mJ94Lfd2KAAAA
          Solution +

          For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/robots.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (239 bytes) + +
          GET http://20.60.0.1:3000/robots.txt HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (378 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: text/plain; charset=utf-8
          +Content-Length: 28
          +ETag: W/"1c-8HgF6mNyhsSFK0pascC9uB0wjX0"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 14:29:23 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (28 bytes) + +
          User-agent: *
          +Disallow: /ftp
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Missing Anti-clickjacking Header (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvl01QL&sid=90ylhU5mJ94Lfd2KAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvl01QL&sid=90ylhU5mJ94Lfd2KAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 14:32:20 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          x-frame-options
          Solution +

          Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

          + +

          If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  6. + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Private IP Disclosure (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/admin/application-configuration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

          +
          Other info +

          192.168.99.100:3000

          + +

          192.168.99.100:4200

          +
          Request
          + Request line and header section (314 bytes) + +
          GET http://20.60.0.1:3000/rest/admin/application-configuration HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (389 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 23513
          +ETag: W/"5bd9-reVonwE2GOcMzw2LpzIkSqyB2OE"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 14:32:16 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (23513 bytes) + +
          {"config":{"server":{"port":3000,"basePath":"","baseUrl":"http://localhost:3000"},"application":{"domain":"juice-sh.op","name":"OWASP Juice Shop","logo":"JuiceShop_Logo.png","favicon":"favicon_js.ico","theme":"bluegrey-lightgreen","showVersionNumber":true,"showGitHubLinks":true,"localBackupEnabled":true,"numberOfRandomFakeUsers":0,"altcoinName":"Juicycoin","privacyContactEmail":"donotreply@owasp-juice.shop","customMetricsPrefix":"juiceshop","chatBot":{"name":"Juicy the Smart Assistant","avatar":"JuicyChatBot.png","model":"gemma4:e4b","llmMaxRetries":2,"sampleQuestions":["CHATBOT_PROMPT_RECOMMENDATION_SUMMER_PARTY","CHATBOT_PROMPT_RECOMMENDATION_POPULAR","CHATBOT_PROMPT_RECOMMENDATION_SUGAR_FREE","CHATBOT_PROMPT_RECOMMENDATION_START_DAY","CHATBOT_PROMPT_RECOMMENDATION_SEASONAL"]},"social":{"blueSkyUrl":"https://bsky.app/profile/owasp-juice.shop","mastodonUrl":"https://fosstodon.org/@owasp_juiceshop","twitterUrl":"https://twitter.com/owasp_juiceshop","facebookUrl":"https://www.facebook.com/owasp.juiceshop","slackUrl":"https://owasp.org/slack/invite","redditUrl":"https://www.reddit.com/r/owasp_juiceshop","pressKitUrl":"https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop","nftUrl":"https://opensea.io/collection/juice-shop","questionnaireUrl":null},"recyclePage":{"topProductImage":"fruit_press.jpg","bottomProductImage":"apple_pressings.jpg"},"welcomeBanner":{"showOnFirstStart":true,"title":"Welcome to OWASP Juice Shop!","message":"<p>Being a web application with a vast number of intended security vulnerabilities, the <strong>OWASP Juice Shop</strong> is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. 
The <strong>OWASP Juice Shop</strong> is an open-source project hosted by the non-profit <a href='https://owasp.org' target='_blank'>Open Worldwide Application Security Project (OWASP)</a> and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.</p><h1><a href='https://owasp-juice.shop' target='_blank'>https://owasp-juice.shop</a></h1>"},"cookieConsent":{"message":"This website uses fruit cookies to ensure you get the juiciest tracking experience.","dismissText":"Me want it!","linkText":"But me wait!","linkUrl":"https://www.youtube.com/watch?v=9PnbKL3wuH4"},"securityTxt":{"contact":"mailto:donotreply@owasp-juice.shop","encryption":"https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda","acknowledgements":"/#/score-board","hiring":"/#/jobs","csaf":"/.well-known/csaf/provider-metadata.json"},"promotion":{"video":"owasp_promo.mp4","subtitles":"owasp_promo.vtt"},"easterEggPlanet":{"name":"Orangeuze","overlayMap":"orangemap2k.avif"},"googleOauth":{"clientId":"1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq.apps.googleusercontent.com","authorizedRedirects":[{"uri":"https://demo.owasp-juice.shop"},{"uri":"https://juice-shop.herokuapp.com"},{"uri":"https://preview.owasp-juice.shop"},{"uri":"https://juice-shop-staging.herokuapp.com"},{"uri":"https://juice-shop.wtf"},{"uri":"http://localhost:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://127.0.0.1:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://localhost:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://127.0.0.1:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://192.168.99.100:3000","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://192.168.99.100:4200","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:3000","proxy":"https://localchromeos.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:4
200","proxy":"https://localchromeos.owasp-juice.shop"}]}},"challenges":{"showSolvedNotifications":true,"showHints":true,"showMitigations":true,"codingChallengesEnabled":"solved","restrictToTutorialsFirst":false,"overwriteUrlForProductTamperingChallenge":"https://owasp.slack.com","xssBonusPayload":"<iframe width=\"100%\" height=\"166\" scrolling=\"no\" frameborder=\"no\" allow=\"autoplay\" src=\"https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true\"></iframe>","safetyMode":"auto","csafHashValue":"7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843","metricsIgnoredUserAgents":["Prometheus","Alloy","promscrape","otelcol"]},"hackingInstructor":{"isEnabled":true,"avatarImage":"JuicyBot.png","hintPlaybackSpeed":"normal"},"products":[{"name":"Apple Juice (1000ml)","price":1.99,"deluxePrice":0.99,"limitPerUser":5,"description":"The all-time classic.","image":"apple_juice.jpg","reviews":[{"text":"One of my favorites!","author":"admin"},{"text":"Great! We'll have an apple party. Everyone brings an apple and - STUFFS IT DOWN EACH OTHER'S THROAT!","author":"basil"}]},{"name":"Orange Juice (1000ml)","description":"Made from oranges hand-picked by Uncle Dittmeyer.","price":2.99,"deluxePrice":2.49,"image":"orange_juice.jpg","reviews":[{"text":"y0ur f1r3wall needs m0r3 musc13","author":"uvogin"}]},{"name":"Eggfruit Juice (500ml)","description":"Now with even more exotic flavour.","price":8.99,"image":"eggfruit_juice.jpg","reviews":[{"text":"I bought it, would buy again. 
5/7","author":"admin"}]},{"name":"Raspberry Juice (1000ml)","description":"Made from blended Raspberry Pi, water and sugar.","price":4.99,"image":"raspberry_juice.jpg"},{"name":"Lemon Juice (500ml)","description":"Sour but full of vitamins.","price":2.99,"deluxePrice":1.99,"limitPerUser":5,"image":"lemon_juice.jpg"},{"name":"Banana Juice (1000ml)","description":"Monkeys love it the most.","price":1.99,"image":"banana_juice.jpg","reviews":[{"text":"Fry liked it too.","author":"bender"}]},{"name":"OWASP Juice Shop T-Shirt","description":"Real fans wear it 24/7!","price":22.49,"limitPerUser":5,"image":"fan_shirt.jpg"},{"name":"OWASP Juice Shop CTF Girlie-Shirt","description":"For serious Capture-the-Flag heroines only!","price":22.49,"image":"fan_girlie.jpg"},{"name":"OWASP SSL Advanced Forensic Tool (O-Saft)","description":"O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.","price":0.01,"image":"orange_juice.jpg","urlForProductTamperingChallenge":"https://www.owasp.org/index.php/O-Saft"},{"name":"Christmas Super-Surprise-Box (2014 Edition)","description":"Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!","price":29.99,"image":"undefined.jpg","useForChristmasSpecialChallenge":true},{"name":"Rippertuer Special Juice","description":"Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span>","price":16.99,"image":"undefined.jpg","keywordsForPastebinDataLeakChallenge":["hueteroneel","eurogium edule"]},{"name":"OWASP Juice Shop Sticker (2015/2016 design)","description":"Die-cut sticker with the official 2015/2016 logo. 
By now this is a rare collectors item. <em>Out of stock!</em>","price":999.99,"image":"sticker.png","deletedDate":"2017-04-28"},{"name":"OWASP Juice Shop Iron-Ons (16pcs)","description":"Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!","price":14.99,"image":"iron-on.jpg"},{"name":"OWASP Juice Shop Magnets (16pcs)","description":"Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!","price":15.99,"image":"magnets.jpg"},{"name":"OWASP Juice Shop Sticker Page","description":"Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.","price":9.99,"image":"sticker_page.jpg"},{"name":"OWASP Juice Shop Sticker Single","description":"Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!","price":4.99,"image":"sticker_single.jpg"},{"name":"OWASP Juice Shop Temporary Tattoos (16pcs)","description":"Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! 
Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!","price":14.99,"image":"tattoo.jpg","reviews":[{"text":"I straight-up gots nuff props fo'these tattoos!","author":"rapper"}]},{"name":"OWASP Juice Shop Mug","description":"Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!","price":21.99,"image":"fan_mug.jpg"},{"name":"OWASP Juice Shop Hoodie","description":"Mr. Robot-style apparel. But in black. And with logo.","price":49.99,"image":"fan_hoodie.jpg"},{"name":"OWASP Juice Shop-CTF Velcro Patch","description":"4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!","price":2.92,"quantity":5,"limitPerUser":5,"image":"velcro-patch.jpg","reviews":[{"text":"This thang would look phat on Bobby's jacked fur coat!","author":"rapper"},{"text":"Looks so much better on my uniform than the boring Starfleet symbol.","author":"jim"}]},{"name":"Woodruff Syrup \"Forest Master X-Treme\"","description":"Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.","price":6.99,"image":"woodruff_syrup.jpg"},{"name":"Green Smoothie","description":"Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.","price":1.99,"image":"green_smoothie.jpg","reviews":[{"text":"Fresh out of a replicator.","author":"jim"}]},{"name":"Quince Juice (1000ml)","description":"Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.","price":4.99,"image":"quince.jpg"},{"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"limitPerUser":5,"image":"apple_pressings.jpg"},{"name":"Fruit Press","description":"Fruits go in. 
Juice comes out. Pomace you can send back to us for recycling purposes.","price":89.99,"image":"fruit_press.jpg"},{"name":"OWASP Juice Shop Logo (3D-printed)","description":"This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.","price":99.99,"image":"3d_keychain.jpg","fileForRetrieveBlueprintChallenge":"JuiceShop.stl","exifForBlueprintChallenge":["OpenSCAD"]},{"name":"Juice Shop Artwork","description":"Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.","price":278.74,"quantity":0,"image":"artwork.jpg","deletedDate":"2020-12-24"},{"name":"Global OWASP WASPY Award 2017 Nomination","description":"Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>","price":0.03,"image":"waspy.png","deletedDate":"2017-07-01"},{"name":"Strawberry Juice (500ml)","description":"Sweet & tasty!","price":3.99,"image":"strawberry_juice.jpeg"},{"name":"Carrot Juice (1000ml)","description":"As the old German saying goes: \"Carrots are good for the eyes. 
Or has anyone ever seen a rabbit with glasses?\"","price":2.99,"image":"carrot_juice.jpeg","reviews":[{"text":"0 st4rs f0r 7h3 h0rr1bl3 s3cur17y","author":"uvogin"}]},{"name":"OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)","description":"10 sheets of Sweden-themed stickers with 15 stickers on each.","price":19.1,"image":"stickersheet_se.png","deletedDate":"2017-09-20"},{"name":"Pwning OWASP Juice Shop","description":"<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!","price":5.99,"image":"cover_small.jpg","reviews":[{"text":"Even more interesting than watching Interdimensional Cable!","author":"morty"}]},{"name":"Melon Bike (Comeback-Product 2018 Edition)","description":"The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.","price":2999,"quantity":3,"limitPerUser":1,"image":"melon_bike.jpeg"},{"name":"OWASP Juice Shop Coaster (10pcs)","description":"Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.","price":19.99,"quantity":0,"image":"coaster.jpg"},{"name":"OWASP Snakes and Ladders - Web Applications","description":"This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!","price":0.01,"quantity":8,"image":"snakes_ladders.jpg","reviews":[{"text":"Wait for a 10$ Steam sale of Tabletop Simulator!","author":"bjoernOwasp"}]},{"name":"OWASP Snakes and Ladders - Mobile Apps","description":"This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> 
now!","price":0.01,"quantity":0,"image":"snakes_ladders_m.jpg","reviews":[{"text":"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!","author":"rapper"}]},{"name":"OWASP Juice Shop Holographic Sticker","description":"Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!","price":2,"quantity":0,"image":"holo_sticker.png","reviews":[{"text":"Rad, dude!","author":"rapper"},{"text":"Looks spacy on Bones' new tricorder!","author":"jim"},{"text":"Will put one on the Planet Express ship's bumper!","author":"bender"}]},{"name":"OWASP Juice Shop \"King of the Hill\" Facemask","description":"Facemask with compartment for filter from 50% cotton and 50% polyester.","price":13.49,"quantity":0,"limitPerUser":1,"image":"fan_facemask.jpg","reviews":[{"text":"K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!","author":"uvogin"},{"text":"Puny mask for puny human weaklings!","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Common)","description":"Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":2.99,"deluxePrice":0.99,"deletedDate":"2020-11-30","limitPerUser":5,"image":"ccg_common.png","reviews":[{"text":"Ooooh, puny human playing Mau Mau, now?","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Super Rare)","description":"Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":99.99,"deluxePrice":69.99,"deletedDate":"2020-11-30","quantity":2,"limitPerUser":1,"image":"ccg_foil.png","reviews":[{"text":"Mau Mau with bling-bling? 
Humans are so pathetic!","author":"bender"}]},{"name":"Juice Shop \"Permafrost\" 2020 Edition","description":"Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.","price":9999.99,"quantity":1,"limitPerUser":1,"image":"permafrost.jpg","reviews":[{"text":"🧊 Let it go, let it go 🎶 Can't hold it back anymore 🎶 Let it go, let it go 🎶 Turn away and slam the door ❄️","author":"rapper"}]},{"name":"Best Juice Shop Salesman Artwork","description":"Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.","price":5000,"quantity":1,"image":"artwork2.jpg","reviews":[{"text":"I'd stand on my head to make you a deal for this piece of art.","author":"stan"},{"text":"Just when my opinion of humans couldn't get any lower, along comes Stan...","author":"bender"}]},{"name":"OWASP Juice Shop Card (non-foil)","description":"Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!","price":1000,"quantity":3,"limitPerUser":1,"image":"card_alpha.jpg","reviews":[{"text":"DO NOT PLAY WITH THIS! 
Double-sleeve, then put it in the GitHub Arctic Vault for perfect preservation and boost of secondary market value!","author":"accountant"}]},{"name":"20th Anniversary Celebration Ticket","description":"Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!","price":1e-20,"deletedDate":"2021-09-25","limitPerUser":1,"image":"20th.jpeg","reviews":[{"text":"I'll be there! Will you, too?","author":"bjoernOwasp"}]},{"name":"OWASP Juice Shop LEGO™ Tower","description":"Want to host a Juice Shop CTF in style? Build <a href=\"https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/lego/OWASP%20JuiceShop%20Pi-server%201.2.pdf\" target=\"_blank\">your own LEGO™ tower</a> which holds four Raspberry Pi 4 models with PoE HAT modules <a href=\"https://github.com/juice-shop/multi-juicer/blob/main/guides/raspberry-pi/raspberry-pi.md\" target=\"_blank\">running a MultiJuicer Kubernetes cluster</a>! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!","price":799,"quantity":3,"limitPerUser":1,"image":"lego_case.jpg","reviews":[{"text":"Check out the /#/photo-wall for some impressions of the assembly process!","author":"bjoernOwasp"}]},{"name":"DSOMM & Juice Shop User Day Ticket","description":"You are going to the OWASP Global AppSec San Francisco 2024? <a href=\"https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707\" target=\"_blank\">Get a ticket<sup>*</sup></a> for this amazing side event as well! 
Check the juice-packed agenda <a href=\"https://owasp.org/www-project-juice-shop/#div-userday2024\" target=\"_blank\">here</a> for all the details!<br><br><small><small><sup>*</sup>=scroll down to <strong>Elevate: DSOMM and Juice Shop User Day (Sept. 25)</strong> after clicking <em>Get Tickets</em> on Eventbrite. Ticket price set to only covers fees for room, AV, and catering throughout the day.</small></small>","price":55.2,"deletedDate":"2024-09-26","limitPerUser":1,"image":"user_day_ticket.png","reviews":[{"text":"The DSOMM Live Assessment session will even use Juice Shop as its \"real-world\" example!","author":"timo"},{"text":"We will showcase the amazing MultiJuicer Lego Tower at this event!","author":"jannik"}]},{"name":"Pineapple Juice (1000ml)","description":"Tropical refreshment from the finest sun-ripened pineapples.","price":2.99,"image":"pineapple_juice.png"},{"name":"Melon Juice (1000ml)","description":"Refreshing and sweet juice made from ripe melons.","price":2.49,"image":"melon_juice.png"},{"name":"Grape Juice (1000ml)","description":"Deep purple and full of antioxidants from selected grapes.","price":2.99,"image":"grape_juice.png"},{"name":"Dragonfruit Juice (500ml)","description":"Exotic and vibrant juice made from dragonfruit.","price":3.99,"image":"dragonfruit_juice.png"},{"name":"Berry Juice (1000ml)","description":"A delicious blend of fresh forest berries.","price":3.49,"image":"berry_juice.png"},{"name":"Basil Smoothie","description":"A unique blend of fresh basil and ginger for a healthy kick.","price":2.99,"image":"basil_smoothie.png","reviews":[{"text":"(ง'̀-'́)ง","author":"basil"}]},{"name":"Bragă (500ml)","description":"Traditional Balkan drink made from fermented millet. Lightly sweet-sour, refreshing, and naturally energizing.","price":2.49,"image":"braga.jpg"},{"name":"Elderflower Cordial (500ml)","description":"Floral and fragrant soft drink made from elderflowers. 
Traditionally enjoyed chilled.","price":3.29,"image":"elderflower_cordial.jpg"},{"name":"Sea Buckthorn Juice (500ml)","description":"Tangy and slightly sour juice, extremely rich in Vitamin C and antioxidants.","price":3.99,"image":"sea_buckthorn_juice.jpg"},{"name":"Pomegranate Drink (500ml)","description":"A sweet and tart refreshment inspired by classic grenadine flavors.","price":4.49,"image":"pomegranate_drink.jpg"}],"memories":[{"image":"magn(et)ificent!-1571814229653.jpg","caption":"Magn(et)ificent!","user":"bjoernGoogle"},{"image":"my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg","caption":"My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]","user":"bjoernGoogle"},{"image":"favorite-hiking-place.png","caption":"I love going hiking here...","geoStalkingMetaSecurityQuestion":14,"geoStalkingMetaSecurityAnswer":"Daniel Boone National Forest"},{"image":"IMG_4253.jpg","caption":"My old workplace...","geoStalkingVisualSecurityQuestion":10,"geoStalkingVisualSecurityAnswer":"ITsec"},{"image":"BeeHaven.png","caption":"Welcome to the Bee Haven (/#/bee-haven)🐝","user":"evm"},{"image":"sorted-the-pieces,-starting-assembly-process-1721152307290.jpg","caption":"Sorted the pieces, starting assembly process...","user":"bjoernOwasp"},{"image":"building-something-literally-bottom-up-1721152342603.jpg","caption":"Building something literally bottom up...","user":"bjoernOwasp"},{"image":"putting-in-the-hardware-1721152366854.jpg","caption":"Putting in the hardware...","user":"bjoernOwasp"},{"image":"everything-up-and-running!-1721152385146.jpg","caption":"Everything up and running!","user":"bjoernOwasp"}],"ctf":{"showFlagsInNotifications":false,"showCountryDetailsInNotifications":"none","countryMapping":null,"systemWideNotifications":{"url":null,"pollFrequencySeconds":null}}}}
          + + +
          Evidence
          192.168.99.100:3000
          Solution +

          Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + X-Content-Type-Options Header Missing (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvl00cO + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          +
          Other info +

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          + +

          At "High" threshold this scan rule will not alert on client or server error responses.

          +
          Request
          + Request line and header section (292 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=Pvl00cO HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 96
          +Date: Thu, 28 May 2026 14:32:14 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (96 bytes) + +
          0{"sid":"90ylhU5mJ94Lfd2KAAAA","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}
          + + +
          Parameter
          x-content-type-options
          Solution +

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          + +

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  8. + +
  9. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 14:15:52 GMT
          +ETag: W/"26af-19e6ef1100f"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 14:29:23 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + + +
  11. +

    + Risk=Informational, Confidence=High (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Session Management Response Identified (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/continue-code/ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags +
            + +
          +
          Alert description +

          The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.

          +
          Other info +

          json:continueCode

          +
          Request
          + Request line and header section (297 bytes) + +
          GET http://20.60.0.1:3000/rest/continue-code/ HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (384 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 79
          +ETag: W/"4f-uLu5Lde8X4OncOnJeidFijss6vg"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 14:49:57 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (79 bytes) + +
          {"continueCode":"y1OzBZxNpnLrM5WmgEKv8XakQ7DA6LcQGJ6yOlV9Pow1jYqbz2eRB34oE5mM"}
          + + +
          Parameter
          continueCode
          Evidence
          continueCode
          Solution +

          This is an informational alert rather than a vulnerability and so there is nothing to fix.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  12. + +
  13. +

    + Risk=Informational, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 14:15:52 GMT
          +ETag: W/"26af-19e6ef1100f"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 14:29:23 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  14. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Missing Anti-clickjacking Header

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Anti-clickjacking Header) + +
    CWE ID1021
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    2. +
    +
    +
  8. +
  9. +

    Session ID in URL Rewrite

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session ID in URL Rewrite) + +
    CWE ID598
    WASC ID13
    Reference +
      +
    1. https://seclists.org/webappsec/2002/q4/111
    2. +
    +
    +
  10. +
  11. +

    Private IP Disclosure

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Private IP Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://datatracker.ietf.org/doc/html/rfc1918
    2. +
    +
    +
  12. +
  13. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  14. +
  15. +

    X-Content-Type-Options Header Missing

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (X-Content-Type-Options Header Missing) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. +
    3. https://owasp.org/www-community/Security_Headers
    4. +
    +
    +
  16. +
  17. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  18. +
  19. +

    Session Management Response Identified

    + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session Management Response Identified) + +
    Reference +
      +
    1. https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/
    2. +
    +
    +
  20. +
+
+
+ +
+ + + + +
diff --git a/TestesRealizados1/QA&Standard/normalize/LICENSE.md b/TestesRealizados1/QA&Standard/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/QA&Standard/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/QA&Standard/normalize/normalize.css b/TestesRealizados1/QA&Standard/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/QA&Standard/normalize/normalize.css
@@ -0,0 +1,349 @@ +/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */ + +/* Document + ========================================================================== */ + +/** + * 1. Correct the line height in all browsers. + * 2. Prevent adjustments of font size after orientation changes in iOS. + */ + +html { + line-height: 1.15; /* 1 */ + -webkit-text-size-adjust: 100%; /* 2 */ +} + +/* Sections + ========================================================================== */ + +/** + * Remove the margin in all browsers. + */ + +body { + margin: 0; +} + +/** + * Render the `main` element consistently in IE. + */ + +main { + display: block; +} + +/** + * Correct the font size and margin on `h1` elements within `section` and + * `article` contexts in Chrome, Firefox, and Safari. + */ + +h1 { + font-size: 2em; + margin: 0.67em 0; +} + +/* Grouping content + ========================================================================== */ + +/** + * 1. Add the correct box sizing in Firefox. + * 2. Show the overflow in Edge and IE. + */ + +hr { + box-sizing: content-box; /* 1 */ + height: 0; /* 1 */ + overflow: visible; /* 2 */ +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +pre { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/* Text-level semantics + ========================================================================== */ + +/** + * Remove the gray background on active links in IE 10. + */ + +a { + background-color: transparent; +} + +/** + * 1. Remove the bottom border in Chrome 57- + * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari. + */ + +abbr[title] { + border-bottom: none; /* 1 */ + text-decoration: underline; /* 2 */ + text-decoration: underline dotted; /* 2 */ +} + +/** + * Add the correct font weight in Chrome, Edge, and Safari. 
+ */ + +b, +strong { + font-weight: bolder; +} + +/** + * 1. Correct the inheritance and scaling of font size in all browsers. + * 2. Correct the odd `em` font sizing in all browsers. + */ + +code, +kbd, +samp { + font-family: monospace, monospace; /* 1 */ + font-size: 1em; /* 2 */ +} + +/** + * Add the correct font size in all browsers. + */ + +small { + font-size: 80%; +} + +/** + * Prevent `sub` and `sup` elements from affecting the line height in + * all browsers. + */ + +sub, +sup { + font-size: 75%; + line-height: 0; + position: relative; + vertical-align: baseline; +} + +sub { + bottom: -0.25em; +} + +sup { + top: -0.5em; +} + +/* Embedded content + ========================================================================== */ + +/** + * Remove the border on images inside links in IE 10. + */ + +img { + border-style: none; +} + +/* Forms + ========================================================================== */ + +/** + * 1. Change the font styles in all browsers. + * 2. Remove the margin in Firefox and Safari. + */ + +button, +input, +optgroup, +select, +textarea { + font-family: inherit; /* 1 */ + font-size: 100%; /* 1 */ + line-height: 1.15; /* 1 */ + margin: 0; /* 2 */ +} + +/** + * Show the overflow in IE. + * 1. Show the overflow in Edge. + */ + +button, +input { /* 1 */ + overflow: visible; +} + +/** + * Remove the inheritance of text transform in Edge, Firefox, and IE. + * 1. Remove the inheritance of text transform in Firefox. + */ + +button, +select { /* 1 */ + text-transform: none; +} + +/** + * Correct the inability to style clickable types in iOS and Safari. + */ + +button, +[type="button"], +[type="reset"], +[type="submit"] { + -webkit-appearance: button; +} + +/** + * Remove the inner border and padding in Firefox. 
+ */ + +button::-moz-focus-inner, +[type="button"]::-moz-focus-inner, +[type="reset"]::-moz-focus-inner, +[type="submit"]::-moz-focus-inner { + border-style: none; + padding: 0; +} + +/** + * Restore the focus styles unset by the previous rule. + */ + +button:-moz-focusring, +[type="button"]:-moz-focusring, +[type="reset"]:-moz-focusring, +[type="submit"]:-moz-focusring { + outline: 1px dotted ButtonText; +} + +/** + * Correct the padding in Firefox. + */ + +fieldset { + padding: 0.35em 0.75em 0.625em; +} + +/** + * 1. Correct the text wrapping in Edge and IE. + * 2. Correct the color inheritance from `fieldset` elements in IE. + * 3. Remove the padding so developers are not caught out when they zero out + * `fieldset` elements in all browsers. + */ + +legend { + box-sizing: border-box; /* 1 */ + color: inherit; /* 2 */ + display: table; /* 1 */ + max-width: 100%; /* 1 */ + padding: 0; /* 3 */ + white-space: normal; /* 1 */ +} + +/** + * Add the correct vertical alignment in Chrome, Firefox, and Opera. + */ + +progress { + vertical-align: baseline; +} + +/** + * Remove the default vertical scrollbar in IE 10+. + */ + +textarea { + overflow: auto; +} + +/** + * 1. Add the correct box sizing in IE 10. + * 2. Remove the padding in IE 10. + */ + +[type="checkbox"], +[type="radio"] { + box-sizing: border-box; /* 1 */ + padding: 0; /* 2 */ +} + +/** + * Correct the cursor style of increment and decrement buttons in Chrome. + */ + +[type="number"]::-webkit-inner-spin-button, +[type="number"]::-webkit-outer-spin-button { + height: auto; +} + +/** + * 1. Correct the odd appearance in Chrome and Safari. + * 2. Correct the outline style in Safari. + */ + +[type="search"] { + -webkit-appearance: textfield; /* 1 */ + outline-offset: -2px; /* 2 */ +} + +/** + * Remove the inner padding in Chrome and Safari on macOS. + */ + +[type="search"]::-webkit-search-decoration { + -webkit-appearance: none; +} + +/** + * 1. Correct the inability to style clickable types in iOS and Safari. 
+ * 2. Change font properties to `inherit` in Safari. + */ + +::-webkit-file-upload-button { + -webkit-appearance: button; /* 1 */ + font: inherit; /* 2 */ +} + +/* Interactive + ========================================================================== */ + +/* + * Add the correct display in Edge, IE 10+, and Firefox. + */ + +details { + display: block; +} + +/* + * Add the correct display in all browsers. + */ + +summary { + display: list-item; +} + +/* Misc + ========================================================================== */ + +/** + * Add the correct display in IE 10+. + */ + +template { + display: none; +} + +/** + * Add the correct display in IE 10. + */ + +[hidden] { + display: none; +} diff --git a/TestesRealizados1/QA&Standard/themes/original/colors.css b/TestesRealizados1/QA&Standard/themes/original/colors.css new file mode 100644 index 0000000..fd3b963 --- /dev/null +++ b/TestesRealizados1/QA&Standard/themes/original/colors.css 
@@ -0,0 +1,139 @@
+body {
+ background-color: #306aa0;
+ background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%);
+}
+
+main, footer {
+ background-color: #fff;
+}
+
+header {
+ background-color: #00549e;
+ color: #fff;
+}
+
+a:link {
+ color: #004380;
+}
+
+a:visited {
+ color: #770d67;
+}
+
+a:focus {
+ background-color: #ffd54d;
+}
+
+a:hover {
+ background-color: #ffd54d;
+}
+
+a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+header a:link {
+ color: #f2f7fd;
+}
+
+header a:visited {
+ color: #f2b5e9;
+}
+
+header a:focus {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:hover {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #fff6db;
+}
+
+summary:focus {
+ background-color: #ffd54d;
+}
+
+summary:hover {
+ background-color: #ffd54d;
+}
+
+summary:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+h2, h3, h4, h5, h6 {
+ color: #00549e;
+}
+
+.risk-level, .confidence-level {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left-color: #fff;
+}
+
+.alerts-table th, .alert-types-table th {
+ background-color: #306aa0;
+ color: #fff;
+}
+
+.additional-info-percentages {
+ color: #00549e;
+}
+
+.insights-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.insights-table th[scope="col"] {
+ background-color: #00549e;
+ border-left-color: #fff;
+ color: #fff;
+}
diff --git a/TestesRealizados1/QA&Standard/themes/original/main.css b/TestesRealizados1/QA&Standard/themes/original/main.css
new file mode 100644
index 0000000..050bd3f
--- /dev/null
+++ b/TestesRealizados1/QA&Standard/themes/original/main.css
@@ -0,0 +1,417 @@
+*, *::after, *::before {
+ box-sizing: border-box;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ margin: 0;
+ padding: 0;
+}
+
+pre, ul {
+ margin: 0;
+}
+
+ol {
+ list-style-type: none;
+}
+
+h1 {
+ font-size: 3em;
+}
+
+h2 {
+ font-size: 2em;
+}
+
+h3, h4, h5, h6 {
+ font-size: 1em;
+}
+
+html {
+ box-sizing: border-box;
+ font-family: Verdana, sans-serif;
+ line-height: 1.5;
+}
+
+body {
+ margin: 1.5em 0;
+}
+
+@media screen and (min-width: 50em) {
+ body {
+ margin: 1.5em 2ch;
+ padding: 1.5em 2ch;
+ }
+}
+
+a:active, header a:active {
+ outline-style: solid;
+}
+
+header, main {
+ margin: 0 auto;
+ max-width: 90ch;
+ padding: 1.5em 4ch;
+}
+
+header {
+ border-radius: .25em .25em 0 0;
+}
+
+main {
+ border-radius: 0 0 .25em .25em;
+}
+
+summary {
+ cursor: pointer;
+}
+
+.contents {
+ margin-top: 1.5em;
+}
+
+main > section {
+ margin-bottom: 4.5em;
+}
+
+.about-this-report > section {
+ margin-bottom: 3em;
+}
+
+.summaries section {
+ margin-bottom: 3em;
+}
+
+h2 {
+ margin-bottom: .75em;
+}
+
+h3 {
+ margin-bottom: 1.5em;
+}
+
+h4 {
+ margin-bottom: 1.5em;
+}
+
+.report-parameters--container h4 {
+ margin-top: 1.5em;
+}
+
+p {
+ margin: 1.5em 0;
+}
+
+p:first-of-type {
+ margin-top: 0;
+}
+
+p:last-of-type {
+ margin-bottom: 0;
+}
+
+.contents li, .alerts li, .alert-types > ol > li {
+ margin-top: 1.5em;
+}
+
+.alert-types h4 {
+ margin-bottom: 0;
+}
+
+a {
+ border-radius: .125em;
+}
+
+caption {
+ margin-bottom: 1.5em;
+ text-align: left;
+}
+
+code, .request-method-n-url {
+ overflow-wrap: anywhere;
+ white-space: break-spaces;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+.report-description--container, .report-parameters--container {
+ margin-left: 2ch;
+ padding: 0 2ch;
+}
+
+.about-this-report h3, .summaries h3, .appendix h3 {
+ border-bottom: .05em solid;
+}
+
+.alerts h4 {
+ text-align: center;
+}
+
+.alerts ol {
+ padding-left: 0;
+}
+
+.alerts--site-li {
+ border: .05em solid;
+ border-radius: .25em;
+ margin-left: 2ch;
+ padding: 1.5em 3ch;
+}
+
+.contents ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 4ch;
+}
+
+.contexts-list, .sites-list {
+ list-style-type: square;
+}
+
+.risk-confidence-counts-table {
+ width: 100%;
+}
+
+.risk-confidence-counts-table tr {
+ height: 4.5em;
+}
+
+.risk-confidence-counts-table thead > tr {
+ height: 3em;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.risk-confidence-counts-table th[scope="row"] {
+ padding-right: 5%;
+}
+
+@media screen and (max-width: 50em) {
+ .risk-confidence-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.risk-confidence-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td {
+ vertical-align: top;
+}
+
+.risk-confidence-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.site-risk-counts-table {
+ width: 100%;
+}
+
+.site-risk-counts-table tr {
+ height: 4.5em;
+}
+
+.site-risk-counts-table thead > tr:first-of-type {
+ height: 3em;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.site-risk-counts-table th[scope="row"] {
+ padding-right: 1%;
+}
+
+@media screen and (max-width: 50em) {
+ .site-risk-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.site-risk-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table td {
+ vertical-align: top;
+}
+
+.site-risk-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.alert-type-counts-table {
+ width: 100%;
+}
+
+.alert-type-counts-table th, .alert-type-counts-table td {
+ padding: 0 1rem;
+ text-align: left;
+ vertical-align: top;
+}
+
+.alert-type-counts-table td:nth-last-of-type(2) {
+ padding-left: 1.5rem;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom: 0.05em dotted;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left: 1rem solid;
+}
+
+.alert-type-counts-table th[scope="col"]:first-of-type {
+ border-left: 0;
+}
+
+.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type {
+ text-align: right;
+}
+
+.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] {
+ font-weight: normal;
+}
+
+.alert-type-counts-table th[scope="row"], .alert-type-counts-table td {
+ padding-bottom: 1.5em;
+}
+
+.alert-type-counts-table thead > th:first-of-type {
+ width: 45%;
+}
+
+.alerts-table, .alert-types-table, .insights-table {
+ border-collapse: separate;
+ border-spacing: 2ch 1.5em;
+ width: 100%;
+}
+
+.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th {
+ vertical-align: top;
+}
+
+.alerts-table td, .alert-types-table td, .insights-table td {
+ overflow-wrap: anywhere;
+}
+
+.alerts-table th, .alert-types-table th, .insights-table th {
+ padding: 0 1ch;
+}
+
+.alerts-table td, .alert-types-table td {
+ padding: 0 2ch;
+}
+
+.insights-table td {
+ padding: 0 1ch;
+}
+
+.alerts-table summary {
+ margin-bottom: 1.5em;
+}
+
+.alert-tags-list {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-tags-list > li {
+ margin-top: 0;
+}
+
+.request-body, .response-body {
+ margin-top: 1.5em;
+}
+
+.request-method-n-url {
+ margin-bottom: 0;
+}
+
+.alert-types-table {
+ padding-top: 0;
+}
+
+.alert-types-table th {
+ width: 20%;
+}
+
+.alert-types-table ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-types-table li:not(:first-of-type) {
+ margin-top: 1.5em;
+}
+
+p.alert-types-intro {
+ margin-bottom: 3em;
+}
+
+.zap-logo {
+ height: 1em;
+ margin-right: .25ch;
+ width: 1em;
+}
+
+h1, h2 {
+ font-family: Georgia, serif;
+}
+
+.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages {
+ font-family: monospace, monospace;
+}
+
+.context, .site, .request-method-n-url {
+ font-family: monospace, monospace;
+}
diff --git a/TestesRealizados1/QA&Standard/zap32x32.png b/TestesRealizados1/QA&Standard/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001 diff --git a/TestesRealizados1/Squeence/Squeence.html b/TestesRealizados1/Squeence/Squeence.html new file mode 100644 index 0000000..f248e5d --- /dev/null +++ b/TestesRealizados1/Squeence/Squeence.html @@ -0,0 +1,2624 @@ + + + + + +ZAP by Checkmarx Scanning Report + + + + + +
+

ZAP by Checkmarx Scanning Report

+

+ Generated with ZAP + on Thu 28 May 2026, at 12:27:52 +

+

ZAP Version: 2.17.0

+

+ ZAP by Checkmarx +

+
+ +
+ +
+

Contents

+ +
+ +
+

About This Report

+ + + +
+

Report Parameters

+
+

Contexts

+ + +

No contexts were selected, so all contexts were included by default.

+ + +

Sites

+ +

The following sites were included:

+
    +
  • http://20.60.0.1:3000
  • +
+ +

(If no sites were selected, all sites were included by default.)

+

An included site must also be within one of the included contexts for its data to be included in the report.

+ +

Risk levels

+

+ Included: + + High, Medium, Low, Informational +

+

+ Excluded: + None + +

+ +

Confidence levels

+

+ Included: + + + User Confirmed, High, Medium, Low +

+

+ Excluded: + + + User Confirmed, High, Medium, Low, False Positive +

+
+
+
+ + +
+ +
+ +
+

Summaries

+ +
+

Alert Counts by Risk and Confidence

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts for each level of risk and confidence included in the report.

+

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

+
Confidence
User ConfirmedHighMediumLowTotal
RiskHigh0
(0.0%)
0
(0.0%)
0
(0.0%)
1
(11.1%)
1
(11.1%)
Medium0
(0.0%)
2
(22.2%)
2
(22.2%)
0
(0.0%)
4
(44.4%)
Low0
(0.0%)
0
(0.0%)
2
(22.2%)
1
(11.1%)
3
(33.3%)
Informational0
(0.0%)
0
(0.0%)
1
(11.1%)
0
(0.0%)
1
(11.1%)
Total0
(0.0%)
2
(22.2%)
5
(55.6%)
2
(22.2%)
9
(100%)
+
+ +
+

Alert Counts by Site and Risk

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

+

Alerts with a confidence level of "False Positive" have been excluded from these counts.

+

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

+
Risk
+ High
(= High) +
+ Medium
(>= Medium) +
+ Low
(>= Low) +
+ Informational
(>= Informational) +
Sitehttp://20.60.0.1:30001
(1)
4
(5)
3
(8)
1
(9)
+
+ +
+

Alert Counts by Alert Type

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows the number of alerts of each alert type, together with the alert type's risk level.

+

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

+
Alert typeRiskCount
SQL InjectionHigh1
(11.1%)
Content Security Policy (CSP) Header Not SetMedium5
(55.6%)
Cross-Domain MisconfigurationMedium5
(55.6%)
Missing Anti-clickjacking HeaderMedium4
(44.4%)
Session ID in URL RewriteMedium5
(55.6%)
Private IP DisclosureLow1
(11.1%)
Timestamp Disclosure - UnixLow5
(55.6%)
X-Content-Type-Options Header MissingLow5
(55.6%)
Modern Web ApplicationInformational5
(55.6%)
Total9
+
+ +
+

Insights

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+

This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.

+
LevelReasonSiteDescriptionStatistic
+
Medium
+
+
Exceeded Low
+
+
+
+
Percentage of memory used
+
+
87
+
+
Low
+
+
Warning
+
+
+
+
ZAP errors logged - see the zap.log file for details
+
+
292
+
+
Low
+
+
Warning
+
+
+
+
ZAP warnings logged - see the zap.log file for details
+
+
103
+
+
Low
+
+
Exceeded Low
+
+
+
+
Percentage of network failures
+
+
5 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 1xx
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 2xx
+
+
65 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 3xx
+
+
30 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of responses with status code 4xx
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/javascript
+
+
7 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/json
+
+
7 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type application/octet-stream
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/jpeg
+
+
4 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/png
+
+
2 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/svg+xml
+
+
19 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type image/x-icon
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/css
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/html
+
+
51 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/markdown
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with content type text/plain
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method GET
+
+
98 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of endpoints with method POST
+
+
1 %
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Count of total endpoints
+
+
224
+
+
Info
+
+
Informational
+
+
http://20.60.0.1:3000
+
+
Percentage of slow responses
+
+
77 %
+
+
+
+ +
+

Alerts

+
    + + + + + + + + +
  1. +

    + Risk=High, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + SQL Injection (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/products/search?q=%27%28 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          SQL injection may be possible.

          +
          Request
          + Request line and header section (307 bytes) + +
          GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (362 bytes) + +
          HTTP/1.1 500 Internal Server Error
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 16:17:47 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +content-length: 309
          +
          +
          + + +
          + Response body (309 bytes) + +
          {
          +  "error": {
          +    "message": "SQLITE_ERROR: near \"(\": syntax error",
          +    "stack": "Error: SQLITE_ERROR: near \"(\": syntax error",
          +    "errno": 1,
          +    "code": "SQLITE_ERROR",
          +    "sql": "SELECT * FROM Products WHERE ((name LIKE '%'(%' OR description LIKE '%'(%') AND deletedAt IS NULL) ORDER BY name"
          +  }
          +}
          + + +
          Parameter
          q
          Attack
          '(
          Evidence
          HTTP/1.1 500 Internal Server Error
          Solution +

          Do not trust client side input, even if there is client side validation in place.

          + +

          In general, type check all data on the server side.

          + +

          If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'

          + +

          If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.

          + +

          If database Stored Procedures can be used, use them.

          + +

          Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!

          + +

          Do not create dynamic SQL queries using simple string concatenation.

          + +

          Escape all data received from the client.

          + +

          Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input.

          + +

          Apply the principle of least privilege by using the least privileged database user possible.

          + +

          In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.

          + +

          Grant the minimum database access that is necessary for the application.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  2. + + + + +
  3. +

    + Risk=Medium, Confidence=High (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Content Security Policy (CSP) Header Not Set (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 15:56:09 GMT
          +ETag: W/"26af-19e6f4cdf8f"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 16:06:03 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Solution +

          Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Session ID in URL Rewrite (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvlLzJv&sid=oJPnb_nhYFl02uUXAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.

          +
          Request
          + Request line and header section (317 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvlLzJv&sid=oJPnb_nhYFl02uUXAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 32
          +Date: Thu, 28 May 2026 16:08:09 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (32 bytes) + +
          40{"sid":"o1TVUG0ig5BwWsRfAAAB"}
          + + +
          Parameter
          sid
          Evidence
          oJPnb_nhYFl02uUXAAAA
          Solution +

          For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  4. + +
  5. +

    + Risk=Medium, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Cross-Domain Misconfiguration (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/robots.txt + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

          +
          Other info +

          The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.

          +
          Request
          + Request line and header section (239 bytes) + +
          GET http://20.60.0.1:3000/robots.txt HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (378 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: text/plain; charset=utf-8
          +Content-Length: 28
          +ETag: W/"1c-8HgF6mNyhsSFK0pascC9uB0wjX0"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 16:06:03 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (28 bytes) + +
          User-agent: *
          +Disallow: /ftp
          + + +
          Evidence
          Access-Control-Allow-Origin: *
          Solution +

          Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).

          + +

          Configure the "Access-Control-Allow-Origin" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + Missing Anti-clickjacking Header (1) +
        +
          +
        1. + + POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvlLzJn&sid=oJPnb_nhYFl02uUXAAAA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The response does not protect against 'ClickJacking' attacks. It should include either Content-Security-Policy with 'frame-ancestors' directive or X-Frame-Options.

          +
          Request
          + Request line and header section (408 bytes) + +
          POST http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvlLzJn&sid=oJPnb_nhYFl02uUXAAAA HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Content-type: text/plain;charset=UTF-8
          +Content-Length: 2
          +Origin: http://20.60.0.1:3000
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (2 bytes) + +
          40
          + + +
          Response
          + Status line and header section (213 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/html
          +Content-Length: 2
          +Date: Thu, 28 May 2026 16:08:09 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (2 bytes) + +
          ok
          + + +
          Parameter
          x-frame-options
          Solution +

          Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.

          + +

          If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  6. + + + + + + + + +
  7. +

    + Risk=Low, Confidence=Medium (2) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (2) +

      +
        + +
      1. +
        + Private IP Disclosure (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/rest/admin/application-configuration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.

          +
          Other info +

          192.168.99.100:3000

          + +

          192.168.99.100:4200

          +
          Request
          + Request line and header section (314 bytes) + +
          GET http://20.60.0.1:3000/rest/admin/application-configuration HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: application/json, text/plain, */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (389 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Content-Type: application/json; charset=utf-8
          +Content-Length: 23513
          +ETag: W/"5bd9-reVonwE2GOcMzw2LpzIkSqyB2OE"
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 16:08:06 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (23513 bytes) + +
          {"config":{"server":{"port":3000,"basePath":"","baseUrl":"http://localhost:3000"},"application":{"domain":"juice-sh.op","name":"OWASP Juice Shop","logo":"JuiceShop_Logo.png","favicon":"favicon_js.ico","theme":"bluegrey-lightgreen","showVersionNumber":true,"showGitHubLinks":true,"localBackupEnabled":true,"numberOfRandomFakeUsers":0,"altcoinName":"Juicycoin","privacyContactEmail":"donotreply@owasp-juice.shop","customMetricsPrefix":"juiceshop","chatBot":{"name":"Juicy the Smart Assistant","avatar":"JuicyChatBot.png","model":"gemma4:e4b","llmMaxRetries":2,"sampleQuestions":["CHATBOT_PROMPT_RECOMMENDATION_SUMMER_PARTY","CHATBOT_PROMPT_RECOMMENDATION_POPULAR","CHATBOT_PROMPT_RECOMMENDATION_SUGAR_FREE","CHATBOT_PROMPT_RECOMMENDATION_START_DAY","CHATBOT_PROMPT_RECOMMENDATION_SEASONAL"]},"social":{"blueSkyUrl":"https://bsky.app/profile/owasp-juice.shop","mastodonUrl":"https://fosstodon.org/@owasp_juiceshop","twitterUrl":"https://twitter.com/owasp_juiceshop","facebookUrl":"https://www.facebook.com/owasp.juiceshop","slackUrl":"https://owasp.org/slack/invite","redditUrl":"https://www.reddit.com/r/owasp_juiceshop","pressKitUrl":"https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop","nftUrl":"https://opensea.io/collection/juice-shop","questionnaireUrl":null},"recyclePage":{"topProductImage":"fruit_press.jpg","bottomProductImage":"apple_pressings.jpg"},"welcomeBanner":{"showOnFirstStart":true,"title":"Welcome to OWASP Juice Shop!","message":"<p>Being a web application with a vast number of intended security vulnerabilities, the <strong>OWASP Juice Shop</strong> is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. 
The <strong>OWASP Juice Shop</strong> is an open-source project hosted by the non-profit <a href='https://owasp.org' target='_blank'>Open Worldwide Application Security Project (OWASP)</a> and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.</p><h1><a href='https://owasp-juice.shop' target='_blank'>https://owasp-juice.shop</a></h1>"},"cookieConsent":{"message":"This website uses fruit cookies to ensure you get the juiciest tracking experience.","dismissText":"Me want it!","linkText":"But me wait!","linkUrl":"https://www.youtube.com/watch?v=9PnbKL3wuH4"},"securityTxt":{"contact":"mailto:donotreply@owasp-juice.shop","encryption":"https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda","acknowledgements":"/#/score-board","hiring":"/#/jobs","csaf":"/.well-known/csaf/provider-metadata.json"},"promotion":{"video":"owasp_promo.mp4","subtitles":"owasp_promo.vtt"},"easterEggPlanet":{"name":"Orangeuze","overlayMap":"orangemap2k.avif"},"googleOauth":{"clientId":"1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq.apps.googleusercontent.com","authorizedRedirects":[{"uri":"https://demo.owasp-juice.shop"},{"uri":"https://juice-shop.herokuapp.com"},{"uri":"https://preview.owasp-juice.shop"},{"uri":"https://juice-shop-staging.herokuapp.com"},{"uri":"https://juice-shop.wtf"},{"uri":"http://localhost:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://127.0.0.1:3000","proxy":"https://local3000.owasp-juice.shop"},{"uri":"http://localhost:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://127.0.0.1:4200","proxy":"https://local4200.owasp-juice.shop"},{"uri":"http://192.168.99.100:3000","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://192.168.99.100:4200","proxy":"https://localmac.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:3000","proxy":"https://localchromeos.owasp-juice.shop"},{"uri":"http://penguin.termina.linux.test:4
200","proxy":"https://localchromeos.owasp-juice.shop"}]}},"challenges":{"showSolvedNotifications":true,"showHints":true,"showMitigations":true,"codingChallengesEnabled":"solved","restrictToTutorialsFirst":false,"overwriteUrlForProductTamperingChallenge":"https://owasp.slack.com","xssBonusPayload":"<iframe width=\"100%\" height=\"166\" scrolling=\"no\" frameborder=\"no\" allow=\"autoplay\" src=\"https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&color=%23ff5500&auto_play=true&hide_related=false&show_comments=true&show_user=true&show_reposts=false&show_teaser=true\"></iframe>","safetyMode":"auto","csafHashValue":"7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843","metricsIgnoredUserAgents":["Prometheus","Alloy","promscrape","otelcol"]},"hackingInstructor":{"isEnabled":true,"avatarImage":"JuicyBot.png","hintPlaybackSpeed":"normal"},"products":[{"name":"Apple Juice (1000ml)","price":1.99,"deluxePrice":0.99,"limitPerUser":5,"description":"The all-time classic.","image":"apple_juice.jpg","reviews":[{"text":"One of my favorites!","author":"admin"},{"text":"Great! We'll have an apple party. Everyone brings an apple and - STUFFS IT DOWN EACH OTHER'S THROAT!","author":"basil"}]},{"name":"Orange Juice (1000ml)","description":"Made from oranges hand-picked by Uncle Dittmeyer.","price":2.99,"deluxePrice":2.49,"image":"orange_juice.jpg","reviews":[{"text":"y0ur f1r3wall needs m0r3 musc13","author":"uvogin"}]},{"name":"Eggfruit Juice (500ml)","description":"Now with even more exotic flavour.","price":8.99,"image":"eggfruit_juice.jpg","reviews":[{"text":"I bought it, would buy again. 
5/7","author":"admin"}]},{"name":"Raspberry Juice (1000ml)","description":"Made from blended Raspberry Pi, water and sugar.","price":4.99,"image":"raspberry_juice.jpg"},{"name":"Lemon Juice (500ml)","description":"Sour but full of vitamins.","price":2.99,"deluxePrice":1.99,"limitPerUser":5,"image":"lemon_juice.jpg"},{"name":"Banana Juice (1000ml)","description":"Monkeys love it the most.","price":1.99,"image":"banana_juice.jpg","reviews":[{"text":"Fry liked it too.","author":"bender"}]},{"name":"OWASP Juice Shop T-Shirt","description":"Real fans wear it 24/7!","price":22.49,"limitPerUser":5,"image":"fan_shirt.jpg"},{"name":"OWASP Juice Shop CTF Girlie-Shirt","description":"For serious Capture-the-Flag heroines only!","price":22.49,"image":"fan_girlie.jpg"},{"name":"OWASP SSL Advanced Forensic Tool (O-Saft)","description":"O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.","price":0.01,"image":"orange_juice.jpg","urlForProductTamperingChallenge":"https://www.owasp.org/index.php/O-Saft"},{"name":"Christmas Super-Surprise-Box (2014 Edition)","description":"Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!","price":29.99,"image":"undefined.jpg","useForChristmasSpecialChallenge":true},{"name":"Rippertuer Special Juice","description":"Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! <br/><span style=\"color:red;\">This item has been made unavailable because of lack of safety standards.</span>","price":16.99,"image":"undefined.jpg","keywordsForPastebinDataLeakChallenge":["hueteroneel","eurogium edule"]},{"name":"OWASP Juice Shop Sticker (2015/2016 design)","description":"Die-cut sticker with the official 2015/2016 logo. 
By now this is a rare collectors item. <em>Out of stock!</em>","price":999.99,"image":"sticker.png","deletedDate":"2017-04-28"},{"name":"OWASP Juice Shop Iron-Ons (16pcs)","description":"Upgrade your clothes with washer safe <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">iron-ons</a> of the OWASP Juice Shop or CTF Extension logo!","price":14.99,"image":"iron-on.jpg"},{"name":"OWASP Juice Shop Magnets (16pcs)","description":"Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">magnets</a>!","price":15.99,"image":"magnets.jpg"},{"name":"OWASP Juice Shop Sticker Page","description":"Massive decoration opportunities with these OWASP Juice Shop or CTF Extension <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker pages</a>! Each page has 16 stickers on it.","price":9.99,"image":"sticker_page.jpg"},{"name":"OWASP Juice Shop Sticker Single","description":"Super high-quality vinyl <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">sticker single</a> with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!","price":4.99,"image":"sticker_single.jpg"},{"name":"OWASP Juice Shop Temporary Tattoos (16pcs)","description":"Get one of these <a href=\"https://www.stickeryou.com/products/owasp-juice-shop/794\" target=\"_blank\">temporary tattoos</a> to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! 
Please mention <a href=\"https://twitter.com/owasp_juiceshop\" target=\"_blank\"><code>@owasp_juiceshop</code></a> in your tweet!","price":14.99,"image":"tattoo.jpg","reviews":[{"text":"I straight-up gots nuff props fo'these tattoos!","author":"rapper"}]},{"name":"OWASP Juice Shop Mug","description":"Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!","price":21.99,"image":"fan_mug.jpg"},{"name":"OWASP Juice Shop Hoodie","description":"Mr. Robot-style apparel. But in black. And with logo.","price":49.99,"image":"fan_hoodie.jpg"},{"name":"OWASP Juice Shop-CTF Velcro Patch","description":"4x3.5\" embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!","price":2.92,"quantity":5,"limitPerUser":5,"image":"velcro-patch.jpg","reviews":[{"text":"This thang would look phat on Bobby's jacked fur coat!","author":"rapper"},{"text":"Looks so much better on my uniform than the boring Starfleet symbol.","author":"jim"}]},{"name":"Woodruff Syrup \"Forest Master X-Treme\"","description":"Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.","price":6.99,"image":"woodruff_syrup.jpg"},{"name":"Green Smoothie","description":"Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.","price":1.99,"image":"green_smoothie.jpg","reviews":[{"text":"Fresh out of a replicator.","author":"jim"}]},{"name":"Quince Juice (1000ml)","description":"Juice of the <em>Cydonia oblonga</em> fruit. Not exactly sweet but rich in Vitamin C.","price":4.99,"image":"quince.jpg"},{"name":"Apple Pomace","description":"Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be <a href=\"/#recycle\">sent back to us</a> for recycling.","price":0.89,"limitPerUser":5,"image":"apple_pressings.jpg"},{"name":"Fruit Press","description":"Fruits go in. 
Juice comes out. Pomace you can send back to us for recycling purposes.","price":89.99,"image":"fruit_press.jpg"},{"name":"OWASP Juice Shop Logo (3D-printed)","description":"This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.","price":99.99,"image":"3d_keychain.jpg","fileForRetrieveBlueprintChallenge":"JuiceShop.stl","exifForBlueprintChallenge":["OpenSCAD"]},{"name":"Juice Shop Artwork","description":"Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.","price":278.74,"quantity":0,"image":"artwork.jpg","deletedDate":"2020-12-24"},{"name":"Global OWASP WASPY Award 2017 Nomination","description":"Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! <a href=\"https://www.owasp.org/index.php/WASPY_Awards_2017\">Nominate now!</a>","price":0.03,"image":"waspy.png","deletedDate":"2017-07-01"},{"name":"Strawberry Juice (500ml)","description":"Sweet & tasty!","price":3.99,"image":"strawberry_juice.jpeg"},{"name":"Carrot Juice (1000ml)","description":"As the old German saying goes: \"Carrots are good for the eyes. 
Or has anyone ever seen a rabbit with glasses?\"","price":2.99,"image":"carrot_juice.jpeg","reviews":[{"text":"0 st4rs f0r 7h3 h0rr1bl3 s3cur17y","author":"uvogin"}]},{"name":"OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)","description":"10 sheets of Sweden-themed stickers with 15 stickers on each.","price":19.1,"image":"stickersheet_se.png","deletedDate":"2017-09-20"},{"name":"Pwning OWASP Juice Shop","description":"<em>The official Companion Guide</em> by Björn Kimminich available <a href=\"https://leanpub.com/juice-shop\">for free on LeanPub</a> and also <a href=\"https://pwning.owasp-juice.shop\">readable online</a>!","price":5.99,"image":"cover_small.jpg","reviews":[{"text":"Even more interesting than watching Interdimensional Cable!","author":"morty"}]},{"name":"Melon Bike (Comeback-Product 2018 Edition)","description":"The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.","price":2999,"quantity":3,"limitPerUser":1,"image":"melon_bike.jpeg"},{"name":"OWASP Juice Shop Coaster (10pcs)","description":"Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.","price":19.99,"quantity":0,"image":"coaster.jpg"},{"name":"OWASP Snakes and Ladders - Web Applications","description":"This amazing web application security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\">available for Tabletop Simulator on Steam Workshop</a> now!","price":0.01,"quantity":8,"image":"snakes_ladders.jpg","reviews":[{"text":"Wait for a 10$ Steam sale of Tabletop Simulator!","author":"bjoernOwasp"}]},{"name":"OWASP Snakes and Ladders - Mobile Apps","description":"This amazing mobile app security awareness board game is <a href=\"https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\">available for Tabletop Simulator on Steam Workshop</a> 
now!","price":0.01,"quantity":0,"image":"snakes_ladders_m.jpg","reviews":[{"text":"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!","author":"rapper"}]},{"name":"OWASP Juice Shop Holographic Sticker","description":"Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80's coolness!","price":2,"quantity":0,"image":"holo_sticker.png","reviews":[{"text":"Rad, dude!","author":"rapper"},{"text":"Looks spacy on Bones' new tricorder!","author":"jim"},{"text":"Will put one on the Planet Express ship's bumper!","author":"bender"}]},{"name":"OWASP Juice Shop \"King of the Hill\" Facemask","description":"Facemask with compartment for filter from 50% cotton and 50% polyester.","price":13.49,"quantity":0,"limitPerUser":1,"image":"fan_facemask.jpg","reviews":[{"text":"K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!","author":"uvogin"},{"text":"Puny mask for puny human weaklings!","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Common)","description":"Common rarity \"Juice Shop\" card for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":2.99,"deluxePrice":0.99,"deletedDate":"2020-11-30","limitPerUser":5,"image":"ccg_common.png","reviews":[{"text":"Ooooh, puny human playing Mau Mau, now?","author":"bender"}]},{"name":"Juice Shop Adversary Trading Card (Super Rare)","description":"Super rare \"Juice Shop\" card with holographic foil-coating for the <a href=\"https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\">Adversary Trading Cards</a> CCG.","price":99.99,"deluxePrice":69.99,"deletedDate":"2020-11-30","quantity":2,"limitPerUser":1,"image":"ccg_foil.png","reviews":[{"text":"Mau Mau with bling-bling? 
Humans are so pathetic!","author":"bender"}]},{"name":"Juice Shop \"Permafrost\" 2020 Edition","description":"Exact version of <a href=\"https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\">OWASP Juice Shop that was archived on 02/02/2020</a> by the GitHub Archive Program and ultimately went into the <a href=\"https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\">Arctic Code Vault</a> on July 8. 2020 where it will be safely stored for at least 1000 years.","price":9999.99,"quantity":1,"limitPerUser":1,"image":"permafrost.jpg","reviews":[{"text":"🧊 Let it go, let it go 🎶 Can't hold it back anymore 🎶 Let it go, let it go 🎶 Turn away and slam the door ❄️","author":"rapper"}]},{"name":"Best Juice Shop Salesman Artwork","description":"Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before <em>finally</em> adding his expertise to the Juice Shop marketing team.","price":5000,"quantity":1,"image":"artwork2.jpg","reviews":[{"text":"I'd stand on my head to make you a deal for this piece of art.","author":"stan"},{"text":"Just when my opinion of humans couldn't get any lower, along comes Stan...","author":"bender"}]},{"name":"OWASP Juice Shop Card (non-foil)","description":"Mythic rare <small><em>(obviously...)</em></small> card \"OWASP Juice Shop\" with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!","price":1000,"quantity":3,"limitPerUser":1,"image":"card_alpha.jpg","reviews":[{"text":"DO NOT PLAY WITH THIS! 
Double-sleeve, then put it in the GitHub Arctic Vault for perfect preservation and boost of secondary market value!","author":"accountant"}]},{"name":"20th Anniversary Celebration Ticket","description":"Get your <a href=\"https://20thanniversary.owasp.org/\" target=\"_blank\">free 🎫 for OWASP 20th Anniversary Celebration</a> online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!","price":1e-20,"deletedDate":"2021-09-25","limitPerUser":1,"image":"20th.jpeg","reviews":[{"text":"I'll be there! Will you, too?","author":"bjoernOwasp"}]},{"name":"OWASP Juice Shop LEGO™ Tower","description":"Want to host a Juice Shop CTF in style? Build <a href=\"https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/lego/OWASP%20JuiceShop%20Pi-server%201.2.pdf\" target=\"_blank\">your own LEGO™ tower</a> which holds four Raspberry Pi 4 models with PoE HAT modules <a href=\"https://github.com/juice-shop/multi-juicer/blob/main/guides/raspberry-pi/raspberry-pi.md\" target=\"_blank\">running a MultiJuicer Kubernetes cluster</a>! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!","price":799,"quantity":3,"limitPerUser":1,"image":"lego_case.jpg","reviews":[{"text":"Check out the /#/photo-wall for some impressions of the assembly process!","author":"bjoernOwasp"}]},{"name":"DSOMM & Juice Shop User Day Ticket","description":"You are going to the OWASP Global AppSec San Francisco 2024? <a href=\"https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707\" target=\"_blank\">Get a ticket<sup>*</sup></a> for this amazing side event as well! 
Check the juice-packed agenda <a href=\"https://owasp.org/www-project-juice-shop/#div-userday2024\" target=\"_blank\">here</a> for all the details!<br><br><small><small><sup>*</sup>=scroll down to <strong>Elevate: DSOMM and Juice Shop User Day (Sept. 25)</strong> after clicking <em>Get Tickets</em> on Eventbrite. Ticket price set to only covers fees for room, AV, and catering throughout the day.</small></small>","price":55.2,"deletedDate":"2024-09-26","limitPerUser":1,"image":"user_day_ticket.png","reviews":[{"text":"The DSOMM Live Assessment session will even use Juice Shop as its \"real-world\" example!","author":"timo"},{"text":"We will showcase the amazing MultiJuicer Lego Tower at this event!","author":"jannik"}]},{"name":"Pineapple Juice (1000ml)","description":"Tropical refreshment from the finest sun-ripened pineapples.","price":2.99,"image":"pineapple_juice.png"},{"name":"Melon Juice (1000ml)","description":"Refreshing and sweet juice made from ripe melons.","price":2.49,"image":"melon_juice.png"},{"name":"Grape Juice (1000ml)","description":"Deep purple and full of antioxidants from selected grapes.","price":2.99,"image":"grape_juice.png"},{"name":"Dragonfruit Juice (500ml)","description":"Exotic and vibrant juice made from dragonfruit.","price":3.99,"image":"dragonfruit_juice.png"},{"name":"Berry Juice (1000ml)","description":"A delicious blend of fresh forest berries.","price":3.49,"image":"berry_juice.png"},{"name":"Basil Smoothie","description":"A unique blend of fresh basil and ginger for a healthy kick.","price":2.99,"image":"basil_smoothie.png","reviews":[{"text":"(ง'̀-'́)ง","author":"basil"}]},{"name":"Bragă (500ml)","description":"Traditional Balkan drink made from fermented millet. Lightly sweet-sour, refreshing, and naturally energizing.","price":2.49,"image":"braga.jpg"},{"name":"Elderflower Cordial (500ml)","description":"Floral and fragrant soft drink made from elderflowers. 
Traditionally enjoyed chilled.","price":3.29,"image":"elderflower_cordial.jpg"},{"name":"Sea Buckthorn Juice (500ml)","description":"Tangy and slightly sour juice, extremely rich in Vitamin C and antioxidants.","price":3.99,"image":"sea_buckthorn_juice.jpg"},{"name":"Pomegranate Drink (500ml)","description":"A sweet and tart refreshment inspired by classic grenadine flavors.","price":4.49,"image":"pomegranate_drink.jpg"}],"memories":[{"image":"magn(et)ificent!-1571814229653.jpg","caption":"Magn(et)ificent!","user":"bjoernGoogle"},{"image":"my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg","caption":"My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]","user":"bjoernGoogle"},{"image":"favorite-hiking-place.png","caption":"I love going hiking here...","geoStalkingMetaSecurityQuestion":14,"geoStalkingMetaSecurityAnswer":"Daniel Boone National Forest"},{"image":"IMG_4253.jpg","caption":"My old workplace...","geoStalkingVisualSecurityQuestion":10,"geoStalkingVisualSecurityAnswer":"ITsec"},{"image":"BeeHaven.png","caption":"Welcome to the Bee Haven (/#/bee-haven)🐝","user":"evm"},{"image":"sorted-the-pieces,-starting-assembly-process-1721152307290.jpg","caption":"Sorted the pieces, starting assembly process...","user":"bjoernOwasp"},{"image":"building-something-literally-bottom-up-1721152342603.jpg","caption":"Building something literally bottom up...","user":"bjoernOwasp"},{"image":"putting-in-the-hardware-1721152366854.jpg","caption":"Putting in the hardware...","user":"bjoernOwasp"},{"image":"everything-up-and-running!-1721152385146.jpg","caption":"Everything up and running!","user":"bjoernOwasp"}],"ctf":{"showFlagsInNotifications":false,"showCountryDetailsInNotifications":"none","countryMapping":null,"systemWideNotifications":{"url":null,"pollFrequencySeconds":null}}}}
          + + +
          Evidence
          192.168.99.100:3000
          Solution +

          Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.

          +
          + +
        2. +
        +
      2. + +
      3. +
        + X-Content-Type-Options Header Missing (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvlLyr- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          +
          Other info +

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          + +

          At "High" threshold this scan rule will not alert on client or server error responses.

          +
          Request
          + Request line and header section (292 bytes) + +
          GET http://20.60.0.1:3000/socket.io/?EIO=4&transport=polling&t=PvlLyr- HTTP/1.1
          +host: 20.60.0.1:3000
          +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
          +Accept: */*
          +Accept-Language: en-US,en;q=0.5
          +Connection: keep-alive
          +Referer: http://20.60.0.1:3000/
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (230 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: http://localhost:4200
          +Vary: Origin
          +Content-Type: text/plain; charset=UTF-8
          +Content-Length: 96
          +Date: Thu, 28 May 2026 16:08:05 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (96 bytes) + +
          0{"sid":"oJPnb_nhYFl02uUXAAAA","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":5000}
          + + +
          Parameter
          x-content-type-options
          Solution +

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          + +

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.

          +
          + +
        2. +
        +
      4. + +
      +
    2. + +
    +
  8. + +
  9. +

    + Risk=Low, Confidence=Low (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Timestamp Disclosure - Unix (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          A timestamp was disclosed by the application/web server. - Unix

          +
          Other info +

          1666666667, which evaluates to: 2022-10-24 22:57:47.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 15:56:09 GMT
          +ETag: W/"26af-19e6f4cdf8f"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 16:06:02 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          1666666667
          Solution +

          Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  10. + + + + + + +
  11. +

    + Risk=Informational, Confidence=Medium (1) +

    +
      + +
    1. +

      + http://20.60.0.1:3000 (1) +

      +
        + +
      1. +
        + Modern Web Application (1) +
        +
          +
        1. + + GET http://20.60.0.1:3000 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Alert tags + +
          Alert description +

          The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

          +
          Other info +

          No links have been found while there are scripts, which is an indication that this is a modern web application.

          +
          Request
          + Request line and header section (228 bytes) + +
          GET http://20.60.0.1:3000 HTTP/1.1
          +host: 20.60.0.1:3000
          +user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          +pragma: no-cache
          +cache-control: no-cache
          +
          +
          + + +
          + Request body (0 bytes) + +
          + + +
          Response
          + Status line and header section (467 bytes) + +
          HTTP/1.1 200 OK
          +Access-Control-Allow-Origin: *
          +X-Content-Type-Options: nosniff
          +X-Frame-Options: SAMEORIGIN
          +Feature-Policy: payment 'self'
          +X-Recruiting: /#/jobs
          +Accept-Ranges: bytes
          +Cache-Control: public, max-age=0
          +Last-Modified: Thu, 28 May 2026 15:56:09 GMT
          +ETag: W/"26af-19e6f4cdf8f"
          +Content-Type: text/html; charset=UTF-8
          +Content-Length: 9903
          +Vary: Accept-Encoding
          +Date: Thu, 28 May 2026 16:06:03 GMT
          +Connection: keep-alive
          +Keep-Alive: timeout=5
          +
          +
          + + +
          + Response body (9903 bytes) + +
          <!--
          +  ~ Copyright (c) 2014-2026 Bjoern Kimminich & the OWASP Juice Shop contributors.
          +  ~ SPDX-License-Identifier: MIT
          +  -->
          +
          +<!doctype html>
          +<html lang="en" data-beasties-container>
          +<head>
          +  <meta charset="utf-8">
          +  <title>OWASP Juice Shop</title>
          +  <meta name="description" content="Probably the most modern and sophisticated insecure web application">
          +  <meta name="viewport" content="width=device-width, initial-scale=1">
          +  <link rel="preconnect" href="https://fonts.googleapis.com">
          +  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
          +  <style>@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format('woff2');unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format('woff2');unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:'VT323';font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}</style>
          +  <link id="favicon" rel="icon" type="image/x-icon" href="assets/public/favicon_js.ico">
          +  <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          +<style>.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 
1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, "Helvetica Neue", sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 
0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid 
#abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}</style><link rel="stylesheet" href="styles.css" media="print" onload="this.media='all'"><noscript><link rel="stylesheet" href="styles.css"></noscript></head>
          +<body class="bluegrey-lightgreen-theme">
          +  <app-root></app-root>
          +<link rel="modulepreload" href="chunk-SCY7YOCS.js"><link rel="modulepreload" href="chunk-PX7UKXVL.js"><link rel="modulepreload" href="chunk-GNBEOV4E.js"><link rel="modulepreload" href="chunk-7O3TTE7G.js"><link rel="modulepreload" href="chunk-JCQ5N7PA.js"><link rel="modulepreload" href="chunk-UNFVUBM2.js"><link rel="modulepreload" href="chunk-524KQQJQ.js"><link rel="modulepreload" href="chunk-SI2GTEZM.js"><link rel="modulepreload" href="chunk-ZO2KHBRB.js"><link rel="modulepreload" href="chunk-7AKA75AX.js"><script src="polyfills.js" type="module"></script><script src="scripts.js" defer></script><script src="main.js" type="module"></script></body>
          +</html>
          +
          + + +
          Evidence
          <script>
          +    window.addEventListener("load", function(){
          +      window.cookieconsent.initialise({
          +        "palette": {
          +          "popup": { "background": "var(--theme-primary)", "text": "var(--theme-text)" },
          +          "button": { "background": "var(--theme-accent)", "text": "var(--theme-text)" }
          +        },
          +        "theme": "classic",
          +        "position": "bottom-right",
          +        "content": { "message": "This website uses fruit cookies to ensure you get the juiciest tracking experience.", "dismiss": "Me want it!", "link": "But me wait!", "href": "https://www.youtube.com/watch?v=9PnbKL3wuH4" }
          +      })});
          +  </script>
          Solution +

          This is an informational alert and so no changes are required.

          +
          + +
        2. +
        +
      2. + +
      +
    2. + +
    +
  12. + + + +
+
+ +
+

Appendix

+ +
+

Alert Types

+

This section contains additional information on the types of alerts in the report.

+
    +
  1. +

    SQL Injection

    + + + + + + + + + + + + + + + + + +
    Source + + raised by an active scanner (SQL Injection) + +
    CWE ID89
    WASC ID19
    Reference +
      +
    1. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    2. +
    +
    +
  2. +
  3. +

    Content Security Policy (CSP) Header Not Set

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Content Security Policy (CSP) Header Not Set) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
    2. +
    3. https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
    4. +
    5. https://www.w3.org/TR/CSP/
    6. +
    7. https://w3c.github.io/webappsec-csp/
    8. +
    9. https://web.dev/articles/csp
    10. +
    11. https://caniuse.com/#feat=contentsecuritypolicy
    12. +
    13. https://content-security-policy.com/
    14. +
    +
    +
  4. +
  5. +

    Cross-Domain Misconfiguration

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Cross-Domain Misconfiguration) + +
    CWE ID264
    WASC ID14
    Reference +
      +
    1. https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy
    2. +
    +
    +
  6. +
  7. +

    Missing Anti-clickjacking Header

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Anti-clickjacking Header) + +
    CWE ID1021
    WASC ID15
    Reference +
      +
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
    2. +
    +
    +
  8. +
  9. +

    Session ID in URL Rewrite

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Session ID in URL Rewrite) + +
    CWE ID598
    WASC ID13
    Reference +
      +
    1. https://seclists.org/webappsec/2002/q4/111
    2. +
    +
    +
  10. +
  11. +

    Private IP Disclosure

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Private IP Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://datatracker.ietf.org/doc/html/rfc1918
    2. +
    +
    +
  12. +
  13. +

    Timestamp Disclosure - Unix

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (Timestamp Disclosure) + +
    CWE ID497
    WASC ID13
    Reference +
      +
    1. https://cwe.mitre.org/data/definitions/200.html
    2. +
    +
    +
  14. +
  15. +

    X-Content-Type-Options Header Missing

    + + + + + + + + + + + + + + + + + +
    Source + + raised by a passive scanner (X-Content-Type-Options Header Missing) + +
    CWE ID693
    WASC ID15
    Reference +
      +
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. +
    3. https://owasp.org/www-community/Security_Headers
    4. +
    +
    +
  16. +
  17. +

    Modern Web Application

    + + + + + + + + +
    Source + + raised by a passive scanner (Modern Web Application) + +
    +
  18. +
+
+
+ +
+ + + + +
diff --git a/TestesRealizados1/Squeence/normalize/LICENSE.md b/TestesRealizados1/Squeence/normalize/LICENSE.md
new file mode 100644
index 0000000..43b5ddc
--- /dev/null
+++ b/TestesRealizados1/Squeence/normalize/LICENSE.md
@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+
+Copyright © Nicolas Gallagher and Jonathan Neal
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/TestesRealizados1/Squeence/normalize/normalize.css b/TestesRealizados1/Squeence/normalize/normalize.css
new file mode 100644
index 0000000..192eb9c
--- /dev/null
+++ b/TestesRealizados1/Squeence/normalize/normalize.css
@@ -0,0 +1,349 @@
+/*! normalize.css v8.0.1 | MIT License | github.com/necolas/normalize.css */
+
+/* Document
+ ========================================================================== */
+
+/**
+ * 1. Correct the line height in all browsers.
+ * 2. Prevent adjustments of font size after orientation changes in iOS.
+ */
+
+html {
+ line-height: 1.15; /* 1 */
+ -webkit-text-size-adjust: 100%; /* 2 */
+}
+
+/* Sections
+ ========================================================================== */
+
+/**
+ * Remove the margin in all browsers.
+ */
+
+body {
+ margin: 0;
+}
+
+/**
+ * Render the `main` element consistently in IE.
+ */
+
+main {
+ display: block;
+}
+
+/**
+ * Correct the font size and margin on `h1` elements within `section` and
+ * `article` contexts in Chrome, Firefox, and Safari.
+ */
+
+h1 {
+ font-size: 2em;
+ margin: 0.67em 0;
+}
+
+/* Grouping content
+ ========================================================================== */
+
+/**
+ * 1. Add the correct box sizing in Firefox.
+ * 2. Show the overflow in Edge and IE.
+ */
+
+hr {
+ box-sizing: content-box; /* 1 */
+ height: 0; /* 1 */
+ overflow: visible; /* 2 */
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+pre {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/* Text-level semantics
+ ========================================================================== */
+
+/**
+ * Remove the gray background on active links in IE 10.
+ */
+
+a {
+ background-color: transparent;
+}
+
+/**
+ * 1. Remove the bottom border in Chrome 57-
+ * 2. Add the correct text decoration in Chrome, Edge, IE, Opera, and Safari.
+ */
+
+abbr[title] {
+ border-bottom: none; /* 1 */
+ text-decoration: underline; /* 2 */
+ text-decoration: underline dotted; /* 2 */
+}
+
+/**
+ * Add the correct font weight in Chrome, Edge, and Safari.
+ */
+
+b,
+strong {
+ font-weight: bolder;
+}
+
+/**
+ * 1. Correct the inheritance and scaling of font size in all browsers.
+ * 2. Correct the odd `em` font sizing in all browsers.
+ */
+
+code,
+kbd,
+samp {
+ font-family: monospace, monospace; /* 1 */
+ font-size: 1em; /* 2 */
+}
+
+/**
+ * Add the correct font size in all browsers.
+ */
+
+small {
+ font-size: 80%;
+}
+
+/**
+ * Prevent `sub` and `sup` elements from affecting the line height in
+ * all browsers.
+ */
+
+sub,
+sup {
+ font-size: 75%;
+ line-height: 0;
+ position: relative;
+ vertical-align: baseline;
+}
+
+sub {
+ bottom: -0.25em;
+}
+
+sup {
+ top: -0.5em;
+}
+
+/* Embedded content
+ ========================================================================== */
+
+/**
+ * Remove the border on images inside links in IE 10.
+ */
+
+img {
+ border-style: none;
+}
+
+/* Forms
+ ========================================================================== */
+
+/**
+ * 1. Change the font styles in all browsers.
+ * 2. Remove the margin in Firefox and Safari.
+ */
+
+button,
+input,
+optgroup,
+select,
+textarea {
+ font-family: inherit; /* 1 */
+ font-size: 100%; /* 1 */
+ line-height: 1.15; /* 1 */
+ margin: 0; /* 2 */
+}
+
+/**
+ * Show the overflow in IE.
+ * 1. Show the overflow in Edge.
+ */
+
+button,
+input { /* 1 */
+ overflow: visible;
+}
+
+/**
+ * Remove the inheritance of text transform in Edge, Firefox, and IE.
+ * 1. Remove the inheritance of text transform in Firefox.
+ */
+
+button,
+select { /* 1 */
+ text-transform: none;
+}
+
+/**
+ * Correct the inability to style clickable types in iOS and Safari.
+ */
+
+button,
+[type="button"],
+[type="reset"],
+[type="submit"] {
+ -webkit-appearance: button;
+}
+
+/**
+ * Remove the inner border and padding in Firefox.
+ */
+
+button::-moz-focus-inner,
+[type="button"]::-moz-focus-inner,
+[type="reset"]::-moz-focus-inner,
+[type="submit"]::-moz-focus-inner {
+ border-style: none;
+ padding: 0;
+}
+
+/**
+ * Restore the focus styles unset by the previous rule.
+ */
+
+button:-moz-focusring,
+[type="button"]:-moz-focusring,
+[type="reset"]:-moz-focusring,
+[type="submit"]:-moz-focusring {
+ outline: 1px dotted ButtonText;
+}
+
+/**
+ * Correct the padding in Firefox.
+ */
+
+fieldset {
+ padding: 0.35em 0.75em 0.625em;
+}
+
+/**
+ * 1. Correct the text wrapping in Edge and IE.
+ * 2. Correct the color inheritance from `fieldset` elements in IE.
+ * 3. Remove the padding so developers are not caught out when they zero out
+ * `fieldset` elements in all browsers.
+ */
+
+legend {
+ box-sizing: border-box; /* 1 */
+ color: inherit; /* 2 */
+ display: table; /* 1 */
+ max-width: 100%; /* 1 */
+ padding: 0; /* 3 */
+ white-space: normal; /* 1 */
+}
+
+/**
+ * Add the correct vertical alignment in Chrome, Firefox, and Opera.
+ */
+
+progress {
+ vertical-align: baseline;
+}
+
+/**
+ * Remove the default vertical scrollbar in IE 10+.
+ */
+
+textarea {
+ overflow: auto;
+}
+
+/**
+ * 1. Add the correct box sizing in IE 10.
+ * 2. Remove the padding in IE 10.
+ */
+
+[type="checkbox"],
+[type="radio"] {
+ box-sizing: border-box; /* 1 */
+ padding: 0; /* 2 */
+}
+
+/**
+ * Correct the cursor style of increment and decrement buttons in Chrome.
+ */
+
+[type="number"]::-webkit-inner-spin-button,
+[type="number"]::-webkit-outer-spin-button {
+ height: auto;
+}
+
+/**
+ * 1. Correct the odd appearance in Chrome and Safari.
+ * 2. Correct the outline style in Safari.
+ */
+
+[type="search"] {
+ -webkit-appearance: textfield; /* 1 */
+ outline-offset: -2px; /* 2 */
+}
+
+/**
+ * Remove the inner padding in Chrome and Safari on macOS.
+ */
+
+[type="search"]::-webkit-search-decoration {
+ -webkit-appearance: none;
+}
+
+/**
+ * 1. Correct the inability to style clickable types in iOS and Safari.
+ * 2. Change font properties to `inherit` in Safari.
+ */
+
+::-webkit-file-upload-button {
+ -webkit-appearance: button; /* 1 */
+ font: inherit; /* 2 */
+}
+
+/* Interactive
+ ========================================================================== */
+
+/*
+ * Add the correct display in Edge, IE 10+, and Firefox.
+ */
+
+details {
+ display: block;
+}
+
+/*
+ * Add the correct display in all browsers.
+ */
+
+summary {
+ display: list-item;
+}
+
+/* Misc
+ ========================================================================== */
+
+/**
+ * Add the correct display in IE 10+.
+ */
+
+template {
+ display: none;
+}
+
+/**
+ * Add the correct display in IE 10.
+ */
+
+[hidden] {
+ display: none;
+}
diff --git a/TestesRealizados1/Squeence/themes/original/colors.css b/TestesRealizados1/Squeence/themes/original/colors.css
new file mode 100644
index 0000000..fd3b963
--- /dev/null
+++ b/TestesRealizados1/Squeence/themes/original/colors.css
@@ -0,0 +1,139 @@
+body {
+ background-color: #306aa0;
+ background-image: radial-gradient(circle at top left, #fff 0%, #8ce1d6 15em, #306aa0 100em, #386095 100%);
+}
+
+main, footer {
+ background-color: #fff;
+}
+
+header {
+ background-color: #00549e;
+ color: #fff;
+}
+
+a:link {
+ color: #004380;
+}
+
+a:visited {
+ color: #770d67;
+}
+
+a:focus {
+ background-color: #ffd54d;
+}
+
+a:hover {
+ background-color: #ffd54d;
+}
+
+a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+header a:link {
+ color: #f2f7fd;
+}
+
+header a:visited {
+ color: #f2b5e9;
+}
+
+header a:focus {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:hover {
+ background-color: #ffd54d;
+ color: #004380;
+}
+
+header a:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #fff6db;
+}
+
+summary:focus {
+ background-color: #ffd54d;
+}
+
+summary:hover {
+ background-color: #ffd54d;
+}
+
+summary:active {
+ background-color: #ffd54d;
+ color: #003261;
+ outline-color: #f4ba00;
+}
+
+h2, h3, h4, h5, h6 {
+ color: #00549e;
+}
+
+.risk-level, .confidence-level {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ color: #00549e;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top-color: #00549e;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ background-color: #00549e;
+ color: #fff;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left-color: #fff;
+}
+
+.alerts-table th, .alert-types-table th {
+ background-color: #306aa0;
+ color: #fff;
+}
+
+.additional-info-percentages {
+ color: #00549e;
+}
+
+.insights-table > tbody > tr {
+ border-bottom-color: #00549e;
+}
+
+.insights-table th[scope="col"] {
+ background-color: #00549e;
+ border-left-color: #fff;
+ color: #fff;
+}
diff --git a/TestesRealizados1/Squeence/themes/original/main.css b/TestesRealizados1/Squeence/themes/original/main.css
new file mode 100644
index 0000000..050bd3f
--- /dev/null
+++ b/TestesRealizados1/Squeence/themes/original/main.css
@@ -0,0 +1,417 @@
+*, *::after, *::before {
+ box-sizing: border-box;
+}
+
+h1, h2, h3, h4, h5, h6 {
+ margin: 0;
+ padding: 0;
+}
+
+pre, ul {
+ margin: 0;
+}
+
+ol {
+ list-style-type: none;
+}
+
+h1 {
+ font-size: 3em;
+}
+
+h2 {
+ font-size: 2em;
+}
+
+h3, h4, h5, h6 {
+ font-size: 1em;
+}
+
+html {
+ box-sizing: border-box;
+ font-family: Verdana, sans-serif;
+ line-height: 1.5;
+}
+
+body {
+ margin: 1.5em 0;
+}
+
+@media screen and (min-width: 50em) {
+ body {
+ margin: 1.5em 2ch;
+ padding: 1.5em 2ch;
+ }
+}
+
+a:active, header a:active {
+ outline-style: solid;
+}
+
+header, main {
+ margin: 0 auto;
+ max-width: 90ch;
+ padding: 1.5em 4ch;
+}
+
+header {
+ border-radius: .25em .25em 0 0;
+}
+
+main {
+ border-radius: 0 0 .25em .25em;
+}
+
+summary {
+ cursor: pointer;
+}
+
+.contents {
+ margin-top: 1.5em;
+}
+
+main > section {
+ margin-bottom: 4.5em;
+}
+
+.about-this-report > section {
+ margin-bottom: 3em;
+}
+
+.summaries section {
+ margin-bottom: 3em;
+}
+
+h2 {
+ margin-bottom: .75em;
+}
+
+h3 {
+ margin-bottom: 1.5em;
+}
+
+h4 {
+ margin-bottom: 1.5em;
+}
+
+.report-parameters--container h4 {
+ margin-top: 1.5em;
+}
+
+p {
+ margin: 1.5em 0;
+}
+
+p:first-of-type {
+ margin-top: 0;
+}
+
+p:last-of-type {
+ margin-bottom: 0;
+}
+
+.contents li, .alerts li, .alert-types > ol > li {
+ margin-top: 1.5em;
+}
+
+.alert-types h4 {
+ margin-bottom: 0;
+}
+
+a {
+ border-radius: .125em;
+}
+
+caption {
+ margin-bottom: 1.5em;
+ text-align: left;
+}
+
+code, .request-method-n-url {
+ overflow-wrap: anywhere;
+ white-space: break-spaces;
+}
+
+table {
+ border-collapse: collapse;
+}
+
+.report-description--container, .report-parameters--container {
+ margin-left: 2ch;
+ padding: 0 2ch;
+}
+
+.about-this-report h3, .summaries h3, .appendix h3 {
+ border-bottom: .05em solid;
+}
+
+.alerts h4 {
+ text-align: center;
+}
+
+.alerts ol {
+ padding-left: 0;
+}
+
+.alerts--site-li {
+ border: .05em solid;
+ border-radius: .25em;
+ margin-left: 2ch;
+ padding: 1.5em 3ch;
+}
+
+.contents ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 4ch;
+}
+
+.contexts-list, .sites-list {
+ list-style-type: square;
+}
+
+.risk-confidence-counts-table {
+ width: 100%;
+}
+
+.risk-confidence-counts-table tr {
+ height: 4.5em;
+}
+
+.risk-confidence-counts-table thead > tr {
+ height: 3em;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.risk-confidence-counts-table th[scope="row"] {
+ padding-right: 5%;
+}
+
+@media screen and (max-width: 50em) {
+ .risk-confidence-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.risk-confidence-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.risk-confidence-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.risk-confidence-counts-table th[scope="row"], .risk-confidence-counts-table td {
+ vertical-align: top;
+}
+
+.risk-confidence-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.risk-confidence-counts-table th[scope="colgroup"], .risk-confidence-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.risk-confidence-counts-table td, .risk-confidence-counts-table th[scope="col"], .risk-confidence-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.site-risk-counts-table {
+ width: 100%;
+}
+
+.site-risk-counts-table tr {
+ height: 4.5em;
+}
+
+.site-risk-counts-table thead > tr:first-of-type {
+ height: 3em;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table th[scope="col"] {
+ hyphens: auto;
+ overflow-wrap: anywhere;
+ word-break: break-all;
+}
+
+.site-risk-counts-table th[scope="row"] {
+ padding-right: 1%;
+}
+
+@media screen and (max-width: 50em) {
+ .site-risk-counts-table th[scope="row"] {
+ padding-right: 1ch;
+ }
+}
+
+.site-risk-counts-table th[scope="rowgroup"] {
+ padding: 0 .5ch;
+ vertical-align: middle;
+}
+
+.site-risk-counts-table > tbody > tr {
+ border-top: .05em solid;
+}
+
+.site-risk-counts-table th[scope="row"], .site-risk-counts-table td {
+ vertical-align: top;
+}
+
+.site-risk-counts-table th[scope="col"] {
+ vertical-align: bottom;
+}
+
+.site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ font-family: monospace, monospace;
+ font-weight: bold;
+}
+
+.site-risk-counts-table th[scope="colgroup"], .site-risk-counts-table th[scope="rowgroup"] {
+ font-weight: normal;
+}
+
+.site-risk-counts-table td, .site-risk-counts-table th[scope="col"], .site-risk-counts-table th[scope="row"] {
+ text-align: right;
+}
+
+.alert-type-counts-table {
+ width: 100%;
+}
+
+.alert-type-counts-table th, .alert-type-counts-table td {
+ padding: 0 1rem;
+ text-align: left;
+ vertical-align: top;
+}
+
+.alert-type-counts-table td:nth-last-of-type(2) {
+ padding-left: 1.5rem;
+}
+
+.alert-type-counts-table > tbody > tr {
+ border-bottom: 0.05em dotted;
+}
+
+.alert-type-counts-table th[scope="col"] {
+ border-left: 1rem solid;
+}
+
+.alert-type-counts-table th[scope="col"]:first-of-type {
+ border-left: 0;
+}
+
+.alert-type-counts-table th[scope="col"]:last-of-type, .alert-type-counts-table td:last-of-type {
+ text-align: right;
+}
+
+.alert-type-counts-table th[scope="col"], .alert-type-counts-table th[scope="row"] {
+ font-weight: normal;
+}
+
+.alert-type-counts-table th[scope="row"], .alert-type-counts-table td {
+ padding-bottom: 1.5em;
+}
+
+.alert-type-counts-table thead > th:first-of-type {
+ width: 45%;
+}
+
+.alerts-table, .alert-types-table, .insights-table {
+ border-collapse: separate;
+ border-spacing: 2ch 1.5em;
+ width: 100%;
+}
+
+.alerts-table th, .alerts-table td, .alert-types-table th, .alert-types-table td, .insights-table td, .insights-table th {
+ vertical-align: top;
+}
+
+.alerts-table td, .alert-types-table td, .insights-table td {
+ overflow-wrap: anywhere;
+}
+
+.alerts-table th, .alert-types-table th, .insights-table th {
+ padding: 0 1ch;
+}
+
+.alerts-table td, .alert-types-table td {
+ padding: 0 2ch;
+}
+
+.insights-table td {
+ padding: 0 1ch;
+}
+
+.alerts-table summary {
+ margin-bottom: 1.5em;
+}
+
+.alert-tags-list {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-tags-list > li {
+ margin-top: 0;
+}
+
+.request-body, .response-body {
+ margin-top: 1.5em;
+}
+
+.request-method-n-url {
+ margin-bottom: 0;
+}
+
+.alert-types-table {
+ padding-top: 0;
+}
+
+.alert-types-table th {
+ width: 20%;
+}
+
+.alert-types-table ol {
+ list-style-position: inside;
+ list-style-type: square;
+ padding-left: 0;
+}
+
+.alert-types-table li:not(:first-of-type) {
+ margin-top: 1.5em;
+}
+
+p.alert-types-intro {
+ margin-bottom: 3em;
+}
+
+.zap-logo {
+ height: 1em;
+ margin-right: .25ch;
+ width: 1em;
+}
+
+h1, h2 {
+ font-family: Georgia, serif;
+}
+
+.risk-level, .confidence-level, .included-risk-codes, .included-confidence-codes, .additional-info-percentages {
+ font-family: monospace, monospace;
+}
+
+.context, .site, .request-method-n-url {
+ font-family: monospace, monospace;
+}
diff --git a/TestesRealizados1/Squeence/zap32x32.png b/TestesRealizados1/Squeence/zap32x32.png new file mode 100644 index 0000000000000000000000000000000000000000..9c1019ffb2ad500434d78f20f5a624bd660e6735 GIT binary patch literal 1933 zcmV;82Xgp{P)LZ&X_*%IgUcU=kqE(b z4NRzXHHacGqA;V7EOd-rLRUsK6M0)>lNA+QA(1s>0WooNopVsi`f~3%&(A;3?F-PB zvOj!oo}80&pL3q?@9q2jJ@8;-E^rih7x)VQ$FTzF0Ce^0)w*%xMg@9CT^);$`@`-S z|D^%X0-G{2GScem>Zq-)#c><}&YnG+{?@;fz2@5u5&VQI{0HC&b5Eb8v=CMzq8Xh{uDUJ;6-8cvHPPw(V1AXlBMlio^B!;`1mR7lQz6stN1n` zVSRiJ3Jh}IHmwUh{p952jC=DbQ>IW{T+Bm{EyTg%86hH)s*G@RBZ6ZD zR~$s-xgh|tIK<*bMohZnrPKSTebm&{(An8JZUCD%Zw|w-XamM3aZ{E@QkJ_Sh=4&b zVlZMR6MN-LA+KI)MxOZY4_$EN7gpcl|GBy+*}SFI&@zE+1c5&ojb?% zH-610omUXmkc0pc4MCuY3JRI#ep;zPz!%CkF{7fMRjXD}R#rwLkr?x}`Sa(qYu7G1 z4zIhf6b}b*b0|Z?2bxNbAlb*&-!+hzmq$fKMaqhiM-T+Gw6t*h_U({ddb?6-2&w|A zpn{45bPqNps$5aDKvhCrw+1VURUz5a1;EaoJE^Lw8q=z_wl+#jOPTPwnarrD$C>b1 zeBZ~~fqr423P90ogC0=PH?8Vm*#v}(0|k?r!xzizShj2#GiT1Ey}f-@07XSb?AWn` zo)51w@$*j*Sf2pBs|*LhoR?u5{SD7JEun@R9Ak(IM2sO~gs2fb$L0Oj{d{ntiOR}K z4jw#6R#w)CK$a|7Ld#z-Gd=bqy@><~t0b(&SH%x3{Wghj{ro$E>8w7|8!?eI&lp@s zaK#WcLS%r`jo>*Bw)ZCgII)AS>wjbG)~z%&G>ix$H+M2U56vZe;WP9n69iWA)shSX z`fak)9$cP#M-^Drp9UIWRk0R)RT8QshN)UI2q2optfzJ|r}}xe?|y;IjENjOcI+Mi z7cX9-`|VS7cbpDGkWxfn15~wP#HQ4&KGGL8Zqzd_CM6=?Fb}vQxI!o{fa9gn`BpRU zy|It{{Ct|4nwT|f*5LO}o;*oeSs7W&e}iV^hCM-${BO{>Jm(%YOnIR)X)V55tW|8v z^2ET^D*YDvtkSPaPoj^^$IF?s{&lVgQFL zf4TNCRPNcLzb)TB`ne$0!%HlF+%?X3TygP?!H8f?C?W&GVvG#277}_4P&Z27wKi^_ z`UMY9O6QgM5f&|4M0R!--M6}buJEI=4km*jh{gB1;;i$G!4U@|f*8RtASQ%eXNt)N z2*#qQRjl#oYmeiff0@FG0rvrUs1Grl_V)4yJq|S&*HyA`hPcY4iwPqM T`!Z{P00000NkvXXu0mjf{kVU6 literal 0 HcmV?d00001