vasco/FSI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bd0f136ccce4804629cee5127f0d09422b9bd8fb
FSI/TestesRealizados1/Default^Policy/Default^Policy.html
jelly 2b76e850a5 Testes Realizados sem Firewall
2026-05-28 13:02:16 -04:00

2920 lines
143 KiB
HTML
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>ZAP by Checkmarx Scanning Report</title>
<link
href="Default%5EPolicy/normalize/normalize.css" rel="stylesheet">
<link
href="Default%5EPolicy/themes/original/main.css" rel="stylesheet">
<link
href="Default%5EPolicy/themes/original/colors.css" rel="stylesheet">
</head>
<body>
<header>
<h1>ZAP by Checkmarx Scanning Report</h1>
<p>
<span>Generated with</span> <a href="https://zaproxy.org"><img
src="Default%5EPolicy/zap32x32.png" alt="The ZAP logo" class="zap-logo">ZAP</a>
<span>on Thu 28 May 2026, at 06:58:33</span>
</p>
<p>ZAP Version: 2.17.0</p>
<p>
ZAP by <a href="https://checkmarx.com/">Checkmarx</a>
</p>
</header>
<main>
<section id="contents" class="contents">
<h2>Contents</h2>
<nav>
<ol>
<li><a
href="#about-this-report">About This Report</a>
<ol>
<li><a
href="#report-parameters">Report Parameters</a></li>
</ol></li>
<data-th-block>
<li><a
href="#summaries">Summaries</a>
<ol>
<li><a
href="#risk-confidence-counts">Alert Counts by Risk and Confidence</a></li>
<li><a
href="#site-risk-counts">Alert Counts by Site and Risk</a></li>
<li><a
href="#alert-type-counts">Alert Counts by Alert Type</a></li>
<li><a
href="#insights">Insights</a></li>
</ol></li>
<li><a
href="#alerts">Alerts</a>
<ol>
<li><a
href="#alerts--risk-3-confidence-1"><span>Risk</span>=<span
class="risk-level">High</span>, <span>Confidence</span>=<span
class="confidence-level">Low</span> <span>(1)</span></a></li>
<li><a
href="#alerts--risk-2-confidence-3"><span>Risk</span>=<span
class="risk-level">Medium</span>, <span>Confidence</span>=<span
class="confidence-level">High</span> <span>(2)</span></a></li>
<li><a
href="#alerts--risk-2-confidence-2"><span>Risk</span>=<span
class="risk-level">Medium</span>, <span>Confidence</span>=<span
class="confidence-level">Medium</span> <span>(2)</span></a></li>
<li><a
href="#alerts--risk-1-confidence-2"><span>Risk</span>=<span
class="risk-level">Low</span>, <span>Confidence</span>=<span
class="confidence-level">Medium</span> <span>(2)</span></a></li>
<li><a
href="#alerts--risk-1-confidence-1"><span>Risk</span>=<span
class="risk-level">Low</span>, <span>Confidence</span>=<span
class="confidence-level">Low</span> <span>(1)</span></a></li>
<li><a
href="#alerts--risk-0-confidence-3"><span>Risk</span>=<span
class="risk-level">Informational</span>, <span>Confidence</span>=<span
class="confidence-level">High</span> <span>(1)</span></a></li>
<li><a
href="#alerts--risk-0-confidence-2"><span>Risk</span>=<span
class="risk-level">Informational</span>, <span>Confidence</span>=<span
class="confidence-level">Medium</span> <span>(2)</span></a></li>
</ol></li>
<li><a
href="#appendix">Appendix</a>
<ol>
<li><a
href="#alert-types">Alert Types</a></li>
</ol></li>
</data-th-block>
</ol>
</nav>
</section>
<section
id="about-this-report" class="about-this-report">
<h2>About This Report</h2>
<section
id="report-parameters">
<h3>Report Parameters</h3>
<div class="report-parameters--container">
<h4>Contexts</h4>
<p>No contexts were selected, so all contexts were included by default.</p>
<h4>Sites</h4>
<p>The following sites were included:</p>
<ul class="sites-list">
<li><span class="site">http://20.60.0.1:3000</span></li>
</ul>
<p>(If no sites were selected, all sites were included by default.)</p>
<p>An included site must also be within one of the included contexts for its data to be included in the report.</p>
<h4>Risk levels</h4>
<p>
<span>Included</span>:
<span class="included-risk-codes"><span class="risk-level">High</span>, <span class="risk-level">Medium</span>, <span class="risk-level">Low</span>, <span class="risk-level">Informational</span></span>
</p>
<p>
<span>Excluded</span>:
<span>None</span>
</p>
<h4>Confidence levels</h4>
<p>
<span>Included</span>:
<span class="included-confidence-codes"><span class="confidence-level">User Confirmed</span>, <span class="confidence-level">High</span>, <span class="confidence-level">Medium</span>, <span class="confidence-level">Low</span></span>
</p>
<p>
<span>Excluded</span>:
<span class="included-confidence-codes"> <span class="confidence-level">User Confirmed</span>, <span class="confidence-level">High</span>, <span class="confidence-level">Medium</span>, <span class="confidence-level">Low</span>, <span class="confidence-level">False Positive</span></span>
</p>
</div>
</section>
</section>
<section>
</section>
<section id="summaries" class="summaries">
<h2>Summaries</h2>
<section
id="risk-confidence-counts">
<h3>Alert Counts by Risk and Confidence</h3>
<table class="risk-confidence-counts-table">
<caption>
<p>This table shows the number of alerts for each level of risk and confidence included in the report.</p>
<p>(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)</p>
</caption>
<colgroup>
<col>
<col>
</colgroup>
<colgroup>
<col
style="width: 14.0%"><col
style="width: 14.0%"><col
style="width: 14.0%"><col
style="width: 14.0%">
<col style="width: 14.0%">
</colgroup>
<thead>
<tr>
<td colspan="2" rowspan="2"></td>
<th scope="colgroup"
colspan="5">Confidence</th>
</tr>
<tr>
<th scope="col">User Confirmed</th>
<th scope="col">High</th>
<th scope="col">Medium</th>
<th scope="col">Low</th>
<th scope="col">Total</th>
</tr>
</thead>
<tbody>
<tr>
<th scope="rowgroup"
rowspan="5">Risk</th>
<th scope="row">High</th>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>1</span><br> <span
class="additional-info-percentages">(9.1%)</span></td>
<td><span>1</span><br> <span class="additional-info-percentages">(9.1%)</span></td>
</tr>
<tr>
<th scope="row">Medium</th>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>2</span><br> <span
class="additional-info-percentages">(18.2%)</span></td>
<td><span>2</span><br> <span
class="additional-info-percentages">(18.2%)</span></td>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>4</span><br> <span class="additional-info-percentages">(36.4%)</span></td>
</tr>
<tr>
<th scope="row">Low</th>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>2</span><br> <span
class="additional-info-percentages">(18.2%)</span></td>
<td><span>1</span><br> <span
class="additional-info-percentages">(9.1%)</span></td>
<td><span>3</span><br> <span class="additional-info-percentages">(27.3%)</span></td>
</tr>
<tr>
<th scope="row">Informational</th>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>1</span><br> <span
class="additional-info-percentages">(9.1%)</span></td>
<td><span>2</span><br> <span
class="additional-info-percentages">(18.2%)</span></td>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>3</span><br> <span class="additional-info-percentages">(27.3%)</span></td>
</tr>
<tr>
<th scope="row">Total</th>
<td><span>0</span><br> <span
class="additional-info-percentages">(0.0%)</span></td>
<td><span>3</span><br> <span
class="additional-info-percentages">(27.3%)</span></td>
<td><span>6</span><br> <span
class="additional-info-percentages">(54.5%)</span></td>
<td><span>2</span><br> <span
class="additional-info-percentages">(18.2%)</span></td>
<td><span>11</span><br> <span
class="additional-info-percentages">(100%)</span></td>
</tr>
</tbody>
</table>
</section>
<section
id="site-risk-counts">
<h3>Alert Counts by Site and Risk</h3>
<table class="site-risk-counts-table">
<caption>
<p>This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.</p>
<p>Alerts with a confidence level of &quot;False Positive&quot; have been excluded from these counts.</p>
<p>(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)</p>
</caption>
<colgroup>
<col>
<col>
</colgroup>
<colgroup>
<col
style="width: 16.25%"><col
style="width: 16.25%"><col
style="width: 16.25%"><col
style="width: 16.25%">
</colgroup>
<thead>
<tr>
<td colspan="2" rowspan="2"></td>
<th scope="colgroup" colspan="4">Risk</th>
</tr>
<tr>
<th scope="col">
<span>High</span><br> <span
class="additional-info-percentages">(= High)</span>
</th>
<th scope="col">
<span>Medium</span><br> <span
class="additional-info-percentages">(&gt;= Medium)</span>
</th>
<th scope="col">
<span>Low</span><br> <span
class="additional-info-percentages">(&gt;= Low)</span>
</th>
<th scope="col">
<span>Informational</span><br> <span
class="additional-info-percentages">(&gt;= Informational)</span>
</th>
</tr>
</thead>
<tbody>
<tr>
<th scope="rowgroup"
rowspan="1">Site</th>
<th scope="row">http://20.60.0.1:3000</th>
<td><span>1</span><br> <span
class="additional-info-percentages">(1)</span></td>
<td><span>4</span><br> <span
class="additional-info-percentages">(5)</span></td>
<td><span>3</span><br> <span
class="additional-info-percentages">(8)</span></td>
<td><span>3</span><br> <span
class="additional-info-percentages">(11)</span></td>
</tr>
</tbody>
</table>
</section>
<section
id="alert-type-counts">
<h3>Alert Counts by Alert Type</h3>
<table class="alert-type-counts-table">
<caption>
<p>This table shows the number of alerts of each alert type, together with the alert type&#39;s risk level.</p>
<p>(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)</p>
</caption>
<thead>
<tr>
<th scope="col">Alert type</th>
<th scope="col">Risk</th>
<th scope="col">Count</th>
</tr>
</thead>
<tbody>
<tr>
<th scope="row"><a
href="#alert-type-0">SQL Injection</a></th>
<td class="risk-level">High</td>
<td><span>1</span><br> <span
class="additional-info-percentages">(9.1%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-1">Content Security Policy (CSP) Header Not Set</a></th>
<td class="risk-level">Medium</td>
<td><span>5</span><br> <span
class="additional-info-percentages">(45.5%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-2">Cross-Domain Misconfiguration</a></th>
<td class="risk-level">Medium</td>
<td><span>5</span><br> <span
class="additional-info-percentages">(45.5%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-3">Missing Anti-clickjacking Header</a></th>
<td class="risk-level">Medium</td>
<td><span>3</span><br> <span
class="additional-info-percentages">(27.3%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-4">Session ID in URL Rewrite</a></th>
<td class="risk-level">Medium</td>
<td><span>5</span><br> <span
class="additional-info-percentages">(45.5%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-5">Private IP Disclosure</a></th>
<td class="risk-level">Low</td>
<td><span>1</span><br> <span
class="additional-info-percentages">(9.1%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-6">Timestamp Disclosure - Unix</a></th>
<td class="risk-level">Low</td>
<td><span>5</span><br> <span
class="additional-info-percentages">(45.5%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-7">X-Content-Type-Options Header Missing</a></th>
<td class="risk-level">Low</td>
<td><span>5</span><br> <span
class="additional-info-percentages">(45.5%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-8">Modern Web Application</a></th>
<td class="risk-level">Informational</td>
<td><span>5</span><br> <span
class="additional-info-percentages">(45.5%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-9">Session Management Response Identified</a></th>
<td class="risk-level">Informational</td>
<td><span>1</span><br> <span
class="additional-info-percentages">(9.1%)</span></td>
</tr>
<tr>
<th scope="row"><a
href="#alert-type-10">User Agent Fuzzer</a></th>
<td class="risk-level">Informational</td>
<td><span>5</span><br> <span
class="additional-info-percentages">(45.5%)</span></td>
</tr>
</tbody>
<tfoot>
<tr>
<th scope="row">Total</th>
<td></td>
<td>11</td>
</tr>
</tfoot>
</table>
</section>
<section
id="insights">
<h3 class="left-header">Insights</h3>
<table class="insights-table">
<caption>
<p>This table shows information that is likely to be very relevant to you, but which is not related to vulnerabilities, or potentially even related to the application in question.</p>
</caption>
<thead>
<tr>
<th scope="col">Level</th>
<th scope="col">Reason</th>
<th scope="col">Site</th>
<th scope="col">Description</th>
<th scope="col">Statistic</th>
</tr>
</thead>
<tbody>
<tr>
<td class="risk-2">
<div>Medium</div>
</td>
<td>
<div>Exceeded Low</div>
</td>
<td>
<div></div>
</td>
<td>
<div>Percentage of memory used</div>
</td>
<td align="center">
<div>80 </div>
</td>
</tr>
<tr>
<td class="risk-1">
<div>Low</div>
</td>
<td>
<div>Warning</div>
</td>
<td>
<div></div>
</td>
<td>
<div>ZAP errors logged - see the zap.log file for details</div>
</td>
<td align="center">
<div>380 </div>
</td>
</tr>
<tr>
<td class="risk-1">
<div>Low</div>
</td>
<td>
<div>Warning</div>
</td>
<td>
<div></div>
</td>
<td>
<div>ZAP warnings logged - see the zap.log file for details</div>
</td>
<td align="center">
<div>122 </div>
</td>
</tr>
<tr>
<td class="risk-1">
<div>Low</div>
</td>
<td>
<div>Exceeded Low</div>
</td>
<td>
<div></div>
</td>
<td>
<div>Percentage of network failures</div>
</td>
<td align="center">
<div>5 %</div>
</td>
</tr>
<tr>
<td class="risk-1">
<div>Low</div>
</td>
<td>
<div>Exceeded High</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of responses with status code 4xx</div>
</td>
<td align="center">
<div>50 %</div>
</td>
</tr>
<tr>
<td class="risk-1">
<div>Low</div>
</td>
<td>
<div>Exceeded High</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of slow responses</div>
</td>
<td align="center">
<div>51 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of responses with status code 1xx</div>
</td>
<td align="center">
<div>1 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of responses with status code 2xx</div>
</td>
<td align="center">
<div>46 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of responses with status code 3xx</div>
</td>
<td align="center">
<div>3 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of responses with status code 5xx</div>
</td>
<td align="center">
<div>2 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type application/javascript</div>
</td>
<td align="center">
<div>9 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type application/json</div>
</td>
<td align="center">
<div>5 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type application/octet-stream</div>
</td>
<td align="center">
<div>2 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type image/jpeg</div>
</td>
<td align="center">
<div>6 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type image/png</div>
</td>
<td align="center">
<div>3 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type image/x-icon</div>
</td>
<td align="center">
<div>1 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type text/css</div>
</td>
<td align="center">
<div>1 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type text/html</div>
</td>
<td align="center">
<div>65 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type text/markdown</div>
</td>
<td align="center">
<div>1 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with content type text/plain</div>
</td>
<td align="center">
<div>1 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with method GET</div>
</td>
<td align="center">
<div>97 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Percentage of endpoints with method POST</div>
</td>
<td align="center">
<div>2 %</div>
</td>
</tr>
<tr>
<td class="risk-0">
<div>Info</div>
</td>
<td>
<div>Informational</div>
</td>
<td>
<div>http://20.60.0.1:3000</div>
</td>
<td>
<div>Count of total endpoints</div>
</td>
<td align="center">
<div>173 </div>
</td>
</tr>
</tbody>
</table>
</section>
</section>
<section id="alerts" class="alerts">
<h2>Alerts</h2>
<ol>
<li id="alerts--risk-3-confidence-1">
<h3>
<span>Risk</span>=<span
class="risk-level">High</span>, <span>Confidence</span>=<span
class="confidence-level">Low</span> <span>(1)</span>
</h3>
<ol>
<li class="alerts--site-li">
<h4>
<span class="site">http://20.60.0.1:3000</span> <span>(1)</span>
</h4>
<ol>
<li>
<h5>
<a
href="#alert-type-0">SQL Injection</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000/rest/products/search?q=%27%28</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span>POLICY_SEQUENCE = </span>
</li>
<li>
<span><a href="https://owasp.org/Top10/A03_2021-Injection/">OWASP_2021_A03</a></span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#compliance">PCI_DSS</a></span>
</li>
<li>
<span><a href="https://cwe.mitre.org/data/definitions/89.html">CWE-89</a></span>
</li>
<li>
<span>POLICY_QA_CICD = </span>
</li>
<li>
<span>POLICY_DEV_CICD = </span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A05_2025-Injection/">OWASP_2025_A05</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05-Testing_for_SQL_Injection">WSTG-v42-INPV-05</a></span>
</li>
<li>
<span>POLICY_API = </span>
</li>
<li>
<span>POLICY_DEV_FULL = </span>
</li>
<li>
<span>POLICY_QA_STD = </span>
</li>
<li>
<span>POLICY_QA_FULL = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#compliance">HIPAA</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html">OWASP_2017_A01</a></span>
</li>
<li>
<span><a href="https://owasp.org/API-Security/editions/2023/en/0xaa-unsafe-consumption-of-apis/">API_2023_API10</a></span>
</li>
<li>
<span>POLICY_DEV_STD = </span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>SQL injection may be possible.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (307 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000/rest/products/search?q=%27%28 HTTP/1.1
host: 20.60.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: http://20.60.0.1:3000/
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (362 bytes)</summary>
<pre><code>HTTP/1.1 500 Internal Server Error
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment &#39;self&#39;
X-Recruiting: /#/jobs
Content-Type: application/json; charset=utf-8
Vary: Accept-Encoding
Date: Thu, 28 May 2026 10:31:15 GMT
Connection: keep-alive
Keep-Alive: timeout=5
content-length: 309
</code></pre>
</details> <details class="response-body" open="open">
<summary>Response body (309 bytes)</summary>
<pre><code>{
&quot;error&quot;: {
&quot;message&quot;: &quot;SQLITE_ERROR: near \&quot;(\&quot;: syntax error&quot;,
&quot;stack&quot;: &quot;Error: SQLITE_ERROR: near \&quot;(\&quot;: syntax error&quot;,
&quot;errno&quot;: 1,
&quot;code&quot;: &quot;SQLITE_ERROR&quot;,
&quot;sql&quot;: &quot;SELECT * FROM Products WHERE ((name LIKE &#39;%&#39;(%&#39; OR description LIKE &#39;%&#39;(%&#39;) AND deletedAt IS NULL) ORDER BY name&quot;
}
}</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Parameter</th>
<td><pre><code>q</code></pre></td>
</tr>
<tr>
<th scope="row">Attack</th>
<td><pre><code>&#39;(</code></pre></td>
</tr>
<tr>
<th scope="row">Evidence</th>
<td><pre><code>HTTP/1.1 500 Internal Server Error</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>Do not trust client side input, even if there is client side validation in place.</p>
<p>In general, type check all data on the server side.</p>
<p>If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by &#39;?&#39;</p>
<p>If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.</p>
<p>If database Stored Procedures can be used, use them.</p>
<p>Do *not* concatenate strings into queries in the stored procedure, or use &#39;exec&#39;, &#39;exec immediate&#39;, or equivalent functionality!</p>
<p>Do not create dynamic SQL queries using simple string concatenation.</p>
<p>Escape all data received from the client.</p>
<p>Apply an &#39;allow list&#39; of allowed characters, or a &#39;deny list&#39; of disallowed characters in user input.</p>
<p>Apply the principle of least privilege by using the least privileged database user possible.</p>
<p>In particular, avoid using the &#39;sa&#39; or &#39;db-owner&#39; database users. This does not eliminate SQL injection, but minimizes its impact.</p>
<p>Grant the minimum database access that is necessary for the application.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
<li id="alerts--risk-2-confidence-3">
<h3>
<span>Risk</span>=<span
class="risk-level">Medium</span>, <span>Confidence</span>=<span
class="confidence-level">High</span> <span>(2)</span>
</h3>
<ol>
<li class="alerts--site-li">
<h4>
<span class="site">http://20.60.0.1:3000</span> <span>(2)</span>
</h4>
<ol>
<li>
<h5>
<a
href="#alert-type-1">Content Security Policy (CSP) Header Not Set</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span><a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">OWASP_2021_A05</a></span>
</li>
<li>
<span>POLICY_QA_STD = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic">SYSTEMIC</a></span>
</li>
<li>
<span><a href="https://cwe.mitre.org/data/definitions/693.html">CWE-693</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html">OWASP_2017_A06</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/">OWASP_2025_A02</a></span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (228 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000 HTTP/1.1
host: 20.60.0.1:3000
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
pragma: no-cache
cache-control: no-cache
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (467 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment &#39;self&#39;
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Thu, 28 May 2026 10:18:52 GMT
ETag: W/&quot;26af-19e6e1813ac&quot;
Content-Type: text/html; charset=UTF-8
Content-Length: 9903
Vary: Accept-Encoding
Date: Thu, 28 May 2026 10:21:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body">
<summary>Response body (9903 bytes)</summary>
<pre><code>&lt;!--
~ Copyright (c) 2014-2026 Bjoern Kimminich &amp; the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--&gt;
&lt;!doctype html&gt;
&lt;html lang=&quot;en&quot; data-beasties-container&gt;
&lt;head&gt;
&lt;meta charset=&quot;utf-8&quot;&gt;
&lt;title&gt;OWASP Juice Shop&lt;/title&gt;
&lt;meta name=&quot;description&quot; content=&quot;Probably the most modern and sophisticated insecure web application&quot;&gt;
&lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1&quot;&gt;
&lt;link rel=&quot;preconnect&quot; href=&quot;https://fonts.googleapis.com&quot;&gt;
&lt;link rel=&quot;preconnect&quot; href=&quot;https://fonts.gstatic.com&quot; crossorigin&gt;
&lt;style&gt;@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format(&#39;woff2&#39;);unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format(&#39;woff2&#39;);unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format(&#39;woff2&#39;);unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}&lt;/style&gt;
&lt;link id=&quot;favicon&quot; rel=&quot;icon&quot; type=&quot;image/x-icon&quot; href=&quot;assets/public/favicon_js.ico&quot;&gt;
&lt;script&gt;
window.addEventListener(&quot;load&quot;, function(){
window.cookieconsent.initialise({
&quot;palette&quot;: {
&quot;popup&quot;: { &quot;background&quot;: &quot;var(--theme-primary)&quot;, &quot;text&quot;: &quot;var(--theme-text)&quot; },
&quot;button&quot;: { &quot;background&quot;: &quot;var(--theme-accent)&quot;, &quot;text&quot;: &quot;var(--theme-text)&quot; }
},
&quot;theme&quot;: &quot;classic&quot;,
&quot;position&quot;: &quot;bottom-right&quot;,
&quot;content&quot;: { &quot;message&quot;: &quot;This website uses fruit cookies to ensure you get the juiciest tracking experience.&quot;, &quot;dismiss&quot;: &quot;Me want it!&quot;, &quot;link&quot;: &quot;But me wait!&quot;, &quot;href&quot;: &quot;https://www.youtube.com/watch?v=9PnbKL3wuH4&quot; }
})});
&lt;/script&gt;
&lt;style&gt;.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, &quot;Helvetica Neue&quot;, sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid #abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}&lt;/style&gt;&lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot; media=&quot;print&quot; onload=&quot;this.media=&#39;all&#39;&quot;&gt;&lt;noscript&gt;&lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot;&gt;&lt;/noscript&gt;&lt;/head&gt;
&lt;body class=&quot;bluegrey-lightgreen-theme&quot;&gt;
&lt;app-root&gt;&lt;/app-root&gt;
&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-SCY7YOCS.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-PX7UKXVL.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-GNBEOV4E.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-7O3TTE7G.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-JCQ5N7PA.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-UNFVUBM2.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-524KQQJQ.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-SI2GTEZM.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-ZO2KHBRB.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-7AKA75AX.js&quot;&gt;&lt;script src=&quot;polyfills.js&quot; type=&quot;module&quot;&gt;&lt;/script&gt;&lt;script src=&quot;scripts.js&quot; defer&gt;&lt;/script&gt;&lt;script src=&quot;main.js&quot; type=&quot;module&quot;&gt;&lt;/script&gt;&lt;/body&gt;
&lt;/html&gt;
</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>Ensure that your web server, application server, load balancer, etc. is configured to set the Content-Security-Policy header.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
<li>
<h5>
<a
href="#alert-type-4">Session ID in URL Rewrite</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000/socket.io/?EIO=4&amp;transport=polling&amp;t=Pvk6yvM&amp;sid=pd0V5LZ93y-FQn8oAAAA</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span><a href="https://cwe.mitre.org/data/definitions/598.html">CWE-598</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP_2021_A01</a></span>
</li>
<li>
<span>POLICY_QA_STD = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic">SYSTEMIC</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/06-Session_Management_Testing/04-Testing_for_Exposed_Session_Variables">WSTG-v42-SESS-04</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html">OWASP_2017_A03</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/">OWASP_2025_A01</a></span>
</li>
<li>
<span>POLICY_DEV_STD = </span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>URL rewrite is used to track user session ID. The session ID may be disclosed via cross-site referer header. In addition, the session ID might be stored in browser history or server logs.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (317 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000/socket.io/?EIO=4&amp;transport=polling&amp;t=Pvk6yvM&amp;sid=pd0V5LZ93y-FQn8oAAAA HTTP/1.1
host: 20.60.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: http://20.60.0.1:3000/
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (231 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:4200
Vary: Origin
Content-Type: text/plain; charset=UTF-8
Content-Length: 612
Date: Thu, 28 May 2026 10:23:03 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body" open="open">
<summary>Response body (612 bytes)</summary>
<pre><code>40{&quot;sid&quot;:&quot;03u5dabLobU2g8TXAAAB&quot;}42[&quot;server started&quot;]42[&quot;challenge solved&quot;,{&quot;key&quot;:&quot;directoryListingChallenge&quot;,&quot;name&quot;:&quot;Confidential Document&quot;,&quot;challenge&quot;:&quot;Confidential Document (Access a confidential document.)&quot;,&quot;flag&quot;:&quot;8d2072c6b0a455608ca1a293dc0c9579883fc6a5&quot;,&quot;hidden&quot;:false,&quot;isRestore&quot;:false,&quot;codingChallenge&quot;:true}]42[&quot;challenge solved&quot;,{&quot;key&quot;:&quot;errorHandlingChallenge&quot;,&quot;name&quot;:&quot;Error Handling&quot;,&quot;challenge&quot;:&quot;Error Handling (Provoke an error that is neither very gracefully nor consistently handled.)&quot;,&quot;flag&quot;:&quot;9c297196ecf8890bc1e900fcf3aebae8c9f9880a&quot;,&quot;hidden&quot;:false,&quot;isRestore&quot;:false,&quot;codingChallenge&quot;:false}]</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Parameter</th>
<td><pre><code>sid</code></pre></td>
</tr>
<tr>
<th scope="row">Evidence</th>
<td><pre><code>pd0V5LZ93y-FQn8oAAAA</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>For secure content, put session ID in a cookie. To be even more secure consider using a combination of cookie and URL rewrite.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
<li id="alerts--risk-2-confidence-2">
<h3>
<span>Risk</span>=<span
class="risk-level">Medium</span>, <span>Confidence</span>=<span
class="confidence-level">Medium</span> <span>(2)</span>
</h3>
<ol>
<li class="alerts--site-li">
<h4>
<span class="site">http://20.60.0.1:3000</span> <span>(2)</span>
</h4>
<ol>
<li>
<h5>
<a
href="#alert-type-2">Cross-Domain Misconfiguration</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000/robots.txt</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span><a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP_2021_A01</a></span>
</li>
<li>
<span>POLICY_QA_STD = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic">SYSTEMIC</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/">OWASP_2025_A01</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html">OWASP_2017_A05</a></span>
</li>
<li>
<span><a href="https://cwe.mitre.org/data/definitions/264.html">CWE-264</a></span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.</p>
</td>
</tr>
<tr>
<th scope="row">Other info</th>
<td>
<p>The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (239 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000/robots.txt HTTP/1.1
host: 20.60.0.1:3000
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
pragma: no-cache
cache-control: no-cache
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (378 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment &#39;self&#39;
X-Recruiting: /#/jobs
Content-Type: text/plain; charset=utf-8
Content-Length: 28
ETag: W/&quot;1c-8HgF6mNyhsSFK0pascC9uB0wjX0&quot;
Vary: Accept-Encoding
Date: Thu, 28 May 2026 10:21:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body" open="open">
<summary>Response body (28 bytes)</summary>
<pre><code>User-agent: *
Disallow: /ftp</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Evidence</th>
<td><pre><code>Access-Control-Allow-Origin: *</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).</p>
<p>Configure the &quot;Access-Control-Allow-Origin&quot; HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
<li>
<h5>
<a
href="#alert-type-3">Missing Anti-clickjacking Header</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">POST http://20.60.0.1:3000/socket.io/?EIO=4&amp;transport=polling&amp;t=Pvk6yux&amp;sid=pd0V5LZ93y-FQn8oAAAA</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span><a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">OWASP_2021_A05</a></span>
</li>
<li>
<span>POLICY_QA_STD = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://cwe.mitre.org/data/definitions/1021.html">CWE-1021</a></span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic">SYSTEMIC</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/11-Client-side_Testing/09-Testing_for_Clickjacking">WSTG-v42-CLNT-09</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html">OWASP_2017_A06</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/">OWASP_2025_A02</a></span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>The response does not protect against &#39;ClickJacking&#39; attacks. It should include either Content-Security-Policy with &#39;frame-ancestors&#39; directive or X-Frame-Options.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (408 bytes)</summary>
<pre><code>POST http://20.60.0.1:3000/socket.io/?EIO=4&amp;transport=polling&amp;t=Pvk6yux&amp;sid=pd0V5LZ93y-FQn8oAAAA HTTP/1.1
host: 20.60.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-type: text/plain;charset=UTF-8
Content-Length: 2
Origin: http://20.60.0.1:3000
Connection: keep-alive
Referer: http://20.60.0.1:3000/
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (2 bytes)</summary>
<pre><code>40</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (213 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:4200
Vary: Origin
Content-Type: text/html
Content-Length: 2
Date: Thu, 28 May 2026 10:23:03 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body" open="open">
<summary>Response body (2 bytes)</summary>
<pre><code>ok</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Parameter</th>
<td><pre><code>x-frame-options</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app.</p>
<p>If you expect the page to be framed only by pages on your server (e.g. it&#39;s part of a FRAMESET) then you&#39;ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy&#39;s &quot;frame-ancestors&quot; directive.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
<li id="alerts--risk-1-confidence-2">
<h3>
<span>Risk</span>=<span
class="risk-level">Low</span>, <span>Confidence</span>=<span
class="confidence-level">Medium</span> <span>(2)</span>
</h3>
<ol>
<li class="alerts--site-li">
<h4>
<span class="site">http://20.60.0.1:3000</span> <span>(2)</span>
</h4>
<ol>
<li>
<h5>
<a
href="#alert-type-5">Private IP Disclosure</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000/rest/admin/application-configuration</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span><a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP_2021_A01</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html">OWASP_2017_A03</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/">OWASP_2025_A01</a></span>
</li>
<li>
<span>POLICY_QA_STD = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://cwe.mitre.org/data/definitions/497.html">CWE-497</a></span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>A private IP (such as 10.x.x.x, 172.x.x.x, 192.168.x.x) or an Amazon EC2 private hostname (for example, ip-10-0-56-78) has been found in the HTTP response body. This information might be helpful for further attacks targeting internal systems.</p>
</td>
</tr>
<tr>
<th scope="row">Other info</th>
<td>
<p>192.168.99.100:3000</p>
<p>192.168.99.100:4200</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (314 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000/rest/admin/application-configuration HTTP/1.1
host: 20.60.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: http://20.60.0.1:3000/
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (389 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment &#39;self&#39;
X-Recruiting: /#/jobs
Content-Type: application/json; charset=utf-8
Content-Length: 23513
ETag: W/&quot;5bd9-reVonwE2GOcMzw2LpzIkSqyB2OE&quot;
Vary: Accept-Encoding
Date: Thu, 28 May 2026 10:22:59 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body">
<summary>Response body (23513 bytes)</summary>
<pre><code>{&quot;config&quot;:{&quot;server&quot;:{&quot;port&quot;:3000,&quot;basePath&quot;:&quot;&quot;,&quot;baseUrl&quot;:&quot;http://localhost:3000&quot;},&quot;application&quot;:{&quot;domain&quot;:&quot;juice-sh.op&quot;,&quot;name&quot;:&quot;OWASP Juice Shop&quot;,&quot;logo&quot;:&quot;JuiceShop_Logo.png&quot;,&quot;favicon&quot;:&quot;favicon_js.ico&quot;,&quot;theme&quot;:&quot;bluegrey-lightgreen&quot;,&quot;showVersionNumber&quot;:true,&quot;showGitHubLinks&quot;:true,&quot;localBackupEnabled&quot;:true,&quot;numberOfRandomFakeUsers&quot;:0,&quot;altcoinName&quot;:&quot;Juicycoin&quot;,&quot;privacyContactEmail&quot;:&quot;donotreply@owasp-juice.shop&quot;,&quot;customMetricsPrefix&quot;:&quot;juiceshop&quot;,&quot;chatBot&quot;:{&quot;name&quot;:&quot;Juicy the Smart Assistant&quot;,&quot;avatar&quot;:&quot;JuicyChatBot.png&quot;,&quot;model&quot;:&quot;gemma4:e4b&quot;,&quot;llmMaxRetries&quot;:2,&quot;sampleQuestions&quot;:[&quot;CHATBOT_PROMPT_RECOMMENDATION_SUMMER_PARTY&quot;,&quot;CHATBOT_PROMPT_RECOMMENDATION_POPULAR&quot;,&quot;CHATBOT_PROMPT_RECOMMENDATION_SUGAR_FREE&quot;,&quot;CHATBOT_PROMPT_RECOMMENDATION_START_DAY&quot;,&quot;CHATBOT_PROMPT_RECOMMENDATION_SEASONAL&quot;]},&quot;social&quot;:{&quot;blueSkyUrl&quot;:&quot;https://bsky.app/profile/owasp-juice.shop&quot;,&quot;mastodonUrl&quot;:&quot;https://fosstodon.org/@owasp_juiceshop&quot;,&quot;twitterUrl&quot;:&quot;https://twitter.com/owasp_juiceshop&quot;,&quot;facebookUrl&quot;:&quot;https://www.facebook.com/owasp.juiceshop&quot;,&quot;slackUrl&quot;:&quot;https://owasp.org/slack/invite&quot;,&quot;redditUrl&quot;:&quot;https://www.reddit.com/r/owasp_juiceshop&quot;,&quot;pressKitUrl&quot;:&quot;https://github.com/OWASP/owasp-swag/tree/master/projects/juice-shop&quot;,&quot;nftUrl&quot;:&quot;https://opensea.io/collection/juice-shop&quot;,&quot;questionnaireUrl&quot;:null},&quot;recyclePage&quot;:{&quot;topProductImage&quot;:&quot;fruit_press.jpg&quot;,&quot;bottomProductImage&quot;:&quot;apple_pressings.jpg&quot;},&quot;welcomeBanner&quot;:{&quot;showOnFirstStart&quot;:true,&quot;title&quot;:&quot;Welcome to OWASP Juice Shop!&quot;,&quot;message&quot;:&quot;&lt;p&gt;Being a web application with a vast number of intended security vulnerabilities, the &lt;strong&gt;OWASP Juice Shop&lt;/strong&gt; is supposed to be the opposite of a best practice or template application for web developers: It is an awareness, training, demonstration and exercise tool for security risks in modern web applications. The &lt;strong&gt;OWASP Juice Shop&lt;/strong&gt; is an open-source project hosted by the non-profit &lt;a href=&#39;https://owasp.org&#39; target=&#39;_blank&#39;&gt;Open Worldwide Application Security Project (OWASP)&lt;/a&gt; and is developed and maintained by volunteers. Check out the link below for more information and documentation on the project.&lt;/p&gt;&lt;h1&gt;&lt;a href=&#39;https://owasp-juice.shop&#39; target=&#39;_blank&#39;&gt;https://owasp-juice.shop&lt;/a&gt;&lt;/h1&gt;&quot;},&quot;cookieConsent&quot;:{&quot;message&quot;:&quot;This website uses fruit cookies to ensure you get the juiciest tracking experience.&quot;,&quot;dismissText&quot;:&quot;Me want it!&quot;,&quot;linkText&quot;:&quot;But me wait!&quot;,&quot;linkUrl&quot;:&quot;https://www.youtube.com/watch?v=9PnbKL3wuH4&quot;},&quot;securityTxt&quot;:{&quot;contact&quot;:&quot;mailto:donotreply@owasp-juice.shop&quot;,&quot;encryption&quot;:&quot;https://keybase.io/bkimminich/pgp_keys.asc?fingerprint=19c01cb7157e4645e9e2c863062a85a8cbfbdcda&quot;,&quot;acknowledgements&quot;:&quot;/#/score-board&quot;,&quot;hiring&quot;:&quot;/#/jobs&quot;,&quot;csaf&quot;:&quot;/.well-known/csaf/provider-metadata.json&quot;},&quot;promotion&quot;:{&quot;video&quot;:&quot;owasp_promo.mp4&quot;,&quot;subtitles&quot;:&quot;owasp_promo.vtt&quot;},&quot;easterEggPlanet&quot;:{&quot;name&quot;:&quot;Orangeuze&quot;,&quot;overlayMap&quot;:&quot;orangemap2k.avif&quot;},&quot;googleOauth&quot;:{&quot;clientId&quot;:&quot;1005568560502-6hm16lef8oh46hr2d98vf2ohlnj4nfhq.apps.googleusercontent.com&quot;,&quot;authorizedRedirects&quot;:[{&quot;uri&quot;:&quot;https://demo.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;https://juice-shop.herokuapp.com&quot;},{&quot;uri&quot;:&quot;https://preview.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;https://juice-shop-staging.herokuapp.com&quot;},{&quot;uri&quot;:&quot;https://juice-shop.wtf&quot;},{&quot;uri&quot;:&quot;http://localhost:3000&quot;,&quot;proxy&quot;:&quot;https://local3000.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;http://127.0.0.1:3000&quot;,&quot;proxy&quot;:&quot;https://local3000.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;http://localhost:4200&quot;,&quot;proxy&quot;:&quot;https://local4200.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;http://127.0.0.1:4200&quot;,&quot;proxy&quot;:&quot;https://local4200.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;http://192.168.99.100:3000&quot;,&quot;proxy&quot;:&quot;https://localmac.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;http://192.168.99.100:4200&quot;,&quot;proxy&quot;:&quot;https://localmac.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;http://penguin.termina.linux.test:3000&quot;,&quot;proxy&quot;:&quot;https://localchromeos.owasp-juice.shop&quot;},{&quot;uri&quot;:&quot;http://penguin.termina.linux.test:4200&quot;,&quot;proxy&quot;:&quot;https://localchromeos.owasp-juice.shop&quot;}]}},&quot;challenges&quot;:{&quot;showSolvedNotifications&quot;:true,&quot;showHints&quot;:true,&quot;showMitigations&quot;:true,&quot;codingChallengesEnabled&quot;:&quot;solved&quot;,&quot;restrictToTutorialsFirst&quot;:false,&quot;overwriteUrlForProductTamperingChallenge&quot;:&quot;https://owasp.slack.com&quot;,&quot;xssBonusPayload&quot;:&quot;&lt;iframe width=\&quot;100%\&quot; height=\&quot;166\&quot; scrolling=\&quot;no\&quot; frameborder=\&quot;no\&quot; allow=\&quot;autoplay\&quot; src=\&quot;https://w.soundcloud.com/player/?url=https%3A//api.soundcloud.com/tracks/771984076&amp;color=%23ff5500&amp;auto_play=true&amp;hide_related=false&amp;show_comments=true&amp;show_user=true&amp;show_reposts=false&amp;show_teaser=true\&quot;&gt;&lt;/iframe&gt;&quot;,&quot;safetyMode&quot;:&quot;auto&quot;,&quot;csafHashValue&quot;:&quot;7e7ce7c65db3bf0625fcea4573d25cff41f2f7e3474f2c74334b14fc65bb4fd26af802ad17a3a03bf0eee6827a00fb8f7905f338c31b5e6ea9cb31620242e843&quot;,&quot;metricsIgnoredUserAgents&quot;:[&quot;Prometheus&quot;,&quot;Alloy&quot;,&quot;promscrape&quot;,&quot;otelcol&quot;]},&quot;hackingInstructor&quot;:{&quot;isEnabled&quot;:true,&quot;avatarImage&quot;:&quot;JuicyBot.png&quot;,&quot;hintPlaybackSpeed&quot;:&quot;normal&quot;},&quot;products&quot;:[{&quot;name&quot;:&quot;Apple Juice (1000ml)&quot;,&quot;price&quot;:1.99,&quot;deluxePrice&quot;:0.99,&quot;limitPerUser&quot;:5,&quot;description&quot;:&quot;The all-time classic.&quot;,&quot;image&quot;:&quot;apple_juice.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;One of my favorites!&quot;,&quot;author&quot;:&quot;admin&quot;},{&quot;text&quot;:&quot;Great! We&#39;ll have an apple party. Everyone brings an apple and - STUFFS IT DOWN EACH OTHER&#39;S THROAT!&quot;,&quot;author&quot;:&quot;basil&quot;}]},{&quot;name&quot;:&quot;Orange Juice (1000ml)&quot;,&quot;description&quot;:&quot;Made from oranges hand-picked by Uncle Dittmeyer.&quot;,&quot;price&quot;:2.99,&quot;deluxePrice&quot;:2.49,&quot;image&quot;:&quot;orange_juice.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;y0ur f1r3wall needs m0r3 musc13&quot;,&quot;author&quot;:&quot;uvogin&quot;}]},{&quot;name&quot;:&quot;Eggfruit Juice (500ml)&quot;,&quot;description&quot;:&quot;Now with even more exotic flavour.&quot;,&quot;price&quot;:8.99,&quot;image&quot;:&quot;eggfruit_juice.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;I bought it, would buy again. 5/7&quot;,&quot;author&quot;:&quot;admin&quot;}]},{&quot;name&quot;:&quot;Raspberry Juice (1000ml)&quot;,&quot;description&quot;:&quot;Made from blended Raspberry Pi, water and sugar.&quot;,&quot;price&quot;:4.99,&quot;image&quot;:&quot;raspberry_juice.jpg&quot;},{&quot;name&quot;:&quot;Lemon Juice (500ml)&quot;,&quot;description&quot;:&quot;Sour but full of vitamins.&quot;,&quot;price&quot;:2.99,&quot;deluxePrice&quot;:1.99,&quot;limitPerUser&quot;:5,&quot;image&quot;:&quot;lemon_juice.jpg&quot;},{&quot;name&quot;:&quot;Banana Juice (1000ml)&quot;,&quot;description&quot;:&quot;Monkeys love it the most.&quot;,&quot;price&quot;:1.99,&quot;image&quot;:&quot;banana_juice.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Fry liked it too.&quot;,&quot;author&quot;:&quot;bender&quot;}]},{&quot;name&quot;:&quot;OWASP Juice Shop T-Shirt&quot;,&quot;description&quot;:&quot;Real fans wear it 24/7!&quot;,&quot;price&quot;:22.49,&quot;limitPerUser&quot;:5,&quot;image&quot;:&quot;fan_shirt.jpg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop CTF Girlie-Shirt&quot;,&quot;description&quot;:&quot;For serious Capture-the-Flag heroines only!&quot;,&quot;price&quot;:22.49,&quot;image&quot;:&quot;fan_girlie.jpg&quot;},{&quot;name&quot;:&quot;OWASP SSL Advanced Forensic Tool (O-Saft)&quot;,&quot;description&quot;:&quot;O-Saft is an easy to use tool to show information about SSL certificate and tests the SSL connection according given list of ciphers and various SSL configurations.&quot;,&quot;price&quot;:0.01,&quot;image&quot;:&quot;orange_juice.jpg&quot;,&quot;urlForProductTamperingChallenge&quot;:&quot;https://www.owasp.org/index.php/O-Saft&quot;},{&quot;name&quot;:&quot;Christmas Super-Surprise-Box (2014 Edition)&quot;,&quot;description&quot;:&quot;Contains a random selection of 10 bottles (each 500ml) of our tastiest juices and an extra fan shirt for an unbeatable price!&quot;,&quot;price&quot;:29.99,&quot;image&quot;:&quot;undefined.jpg&quot;,&quot;useForChristmasSpecialChallenge&quot;:true},{&quot;name&quot;:&quot;Rippertuer Special Juice&quot;,&quot;description&quot;:&quot;Contains a magical collection of the rarest fruits gathered from all around the world, like Cherymoya Annona cherimola, Jabuticaba Myrciaria cauliflora, Bael Aegle marmelos... and others, at an unbelievable price! &lt;br/&gt;&lt;span style=\&quot;color:red;\&quot;&gt;This item has been made unavailable because of lack of safety standards.&lt;/span&gt;&quot;,&quot;price&quot;:16.99,&quot;image&quot;:&quot;undefined.jpg&quot;,&quot;keywordsForPastebinDataLeakChallenge&quot;:[&quot;hueteroneel&quot;,&quot;eurogium edule&quot;]},{&quot;name&quot;:&quot;OWASP Juice Shop Sticker (2015/2016 design)&quot;,&quot;description&quot;:&quot;Die-cut sticker with the official 2015/2016 logo. By now this is a rare collectors item. &lt;em&gt;Out of stock!&lt;/em&gt;&quot;,&quot;price&quot;:999.99,&quot;image&quot;:&quot;sticker.png&quot;,&quot;deletedDate&quot;:&quot;2017-04-28&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop Iron-Ons (16pcs)&quot;,&quot;description&quot;:&quot;Upgrade your clothes with washer safe &lt;a href=\&quot;https://www.stickeryou.com/products/owasp-juice-shop/794\&quot; target=\&quot;_blank\&quot;&gt;iron-ons&lt;/a&gt; of the OWASP Juice Shop or CTF Extension logo!&quot;,&quot;price&quot;:14.99,&quot;image&quot;:&quot;iron-on.jpg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop Magnets (16pcs)&quot;,&quot;description&quot;:&quot;Your fridge will be even cooler with these OWASP Juice Shop or CTF Extension logo &lt;a href=\&quot;https://www.stickeryou.com/products/owasp-juice-shop/794\&quot; target=\&quot;_blank\&quot;&gt;magnets&lt;/a&gt;!&quot;,&quot;price&quot;:15.99,&quot;image&quot;:&quot;magnets.jpg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop Sticker Page&quot;,&quot;description&quot;:&quot;Massive decoration opportunities with these OWASP Juice Shop or CTF Extension &lt;a href=\&quot;https://www.stickeryou.com/products/owasp-juice-shop/794\&quot; target=\&quot;_blank\&quot;&gt;sticker pages&lt;/a&gt;! Each page has 16 stickers on it.&quot;,&quot;price&quot;:9.99,&quot;image&quot;:&quot;sticker_page.jpg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop Sticker Single&quot;,&quot;description&quot;:&quot;Super high-quality vinyl &lt;a href=\&quot;https://www.stickeryou.com/products/owasp-juice-shop/794\&quot; target=\&quot;_blank\&quot;&gt;sticker single&lt;/a&gt; with the OWASP Juice Shop or CTF Extension logo! The ultimate laptop decal!&quot;,&quot;price&quot;:4.99,&quot;image&quot;:&quot;sticker_single.jpg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop Temporary Tattoos (16pcs)&quot;,&quot;description&quot;:&quot;Get one of these &lt;a href=\&quot;https://www.stickeryou.com/products/owasp-juice-shop/794\&quot; target=\&quot;_blank\&quot;&gt;temporary tattoos&lt;/a&gt; to proudly wear the OWASP Juice Shop or CTF Extension logo on your skin! If you tweet a photo of yourself with the tattoo, you get a couple of our stickers for free! Please mention &lt;a href=\&quot;https://twitter.com/owasp_juiceshop\&quot; target=\&quot;_blank\&quot;&gt;&lt;code&gt;@owasp_juiceshop&lt;/code&gt;&lt;/a&gt; in your tweet!&quot;,&quot;price&quot;:14.99,&quot;image&quot;:&quot;tattoo.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;I straight-up gots nuff props fo&#39;these tattoos!&quot;,&quot;author&quot;:&quot;rapper&quot;}]},{&quot;name&quot;:&quot;OWASP Juice Shop Mug&quot;,&quot;description&quot;:&quot;Black mug with regular logo on one side and CTF logo on the other! Your colleagues will envy you!&quot;,&quot;price&quot;:21.99,&quot;image&quot;:&quot;fan_mug.jpg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop Hoodie&quot;,&quot;description&quot;:&quot;Mr. Robot-style apparel. But in black. And with logo.&quot;,&quot;price&quot;:49.99,&quot;image&quot;:&quot;fan_hoodie.jpg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop-CTF Velcro Patch&quot;,&quot;description&quot;:&quot;4x3.5\&quot; embroidered patch with velcro backside. The ultimate decal for every tactical bag or backpack!&quot;,&quot;price&quot;:2.92,&quot;quantity&quot;:5,&quot;limitPerUser&quot;:5,&quot;image&quot;:&quot;velcro-patch.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;This thang would look phat on Bobby&#39;s jacked fur coat!&quot;,&quot;author&quot;:&quot;rapper&quot;},{&quot;text&quot;:&quot;Looks so much better on my uniform than the boring Starfleet symbol.&quot;,&quot;author&quot;:&quot;jim&quot;}]},{&quot;name&quot;:&quot;Woodruff Syrup \&quot;Forest Master X-Treme\&quot;&quot;,&quot;description&quot;:&quot;Harvested and manufactured in the Black Forest, Germany. Can cause hyperactive behavior in children. Can cause permanent green tongue when consumed undiluted.&quot;,&quot;price&quot;:6.99,&quot;image&quot;:&quot;woodruff_syrup.jpg&quot;},{&quot;name&quot;:&quot;Green Smoothie&quot;,&quot;description&quot;:&quot;Looks poisonous but is actually very good for your health! Made from green cabbage, spinach, kiwi and grass.&quot;,&quot;price&quot;:1.99,&quot;image&quot;:&quot;green_smoothie.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Fresh out of a replicator.&quot;,&quot;author&quot;:&quot;jim&quot;}]},{&quot;name&quot;:&quot;Quince Juice (1000ml)&quot;,&quot;description&quot;:&quot;Juice of the &lt;em&gt;Cydonia oblonga&lt;/em&gt; fruit. Not exactly sweet but rich in Vitamin C.&quot;,&quot;price&quot;:4.99,&quot;image&quot;:&quot;quince.jpg&quot;},{&quot;name&quot;:&quot;Apple Pomace&quot;,&quot;description&quot;:&quot;Finest pressings of apples. Allergy disclaimer: Might contain traces of worms. Can be &lt;a href=\&quot;/#recycle\&quot;&gt;sent back to us&lt;/a&gt; for recycling.&quot;,&quot;price&quot;:0.89,&quot;limitPerUser&quot;:5,&quot;image&quot;:&quot;apple_pressings.jpg&quot;},{&quot;name&quot;:&quot;Fruit Press&quot;,&quot;description&quot;:&quot;Fruits go in. Juice comes out. Pomace you can send back to us for recycling purposes.&quot;,&quot;price&quot;:89.99,&quot;image&quot;:&quot;fruit_press.jpg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop Logo (3D-printed)&quot;,&quot;description&quot;:&quot;This rare item was designed and handcrafted in Sweden. This is why it is so incredibly expensive despite its complete lack of purpose.&quot;,&quot;price&quot;:99.99,&quot;image&quot;:&quot;3d_keychain.jpg&quot;,&quot;fileForRetrieveBlueprintChallenge&quot;:&quot;JuiceShop.stl&quot;,&quot;exifForBlueprintChallenge&quot;:[&quot;OpenSCAD&quot;]},{&quot;name&quot;:&quot;Juice Shop Artwork&quot;,&quot;description&quot;:&quot;Unique masterpiece painted with different kinds of juice on 90g/m² lined paper.&quot;,&quot;price&quot;:278.74,&quot;quantity&quot;:0,&quot;image&quot;:&quot;artwork.jpg&quot;,&quot;deletedDate&quot;:&quot;2020-12-24&quot;},{&quot;name&quot;:&quot;Global OWASP WASPY Award 2017 Nomination&quot;,&quot;description&quot;:&quot;Your chance to nominate up to three quiet pillars of the OWASP community ends 2017-06-30! &lt;a href=\&quot;https://www.owasp.org/index.php/WASPY_Awards_2017\&quot;&gt;Nominate now!&lt;/a&gt;&quot;,&quot;price&quot;:0.03,&quot;image&quot;:&quot;waspy.png&quot;,&quot;deletedDate&quot;:&quot;2017-07-01&quot;},{&quot;name&quot;:&quot;Strawberry Juice (500ml)&quot;,&quot;description&quot;:&quot;Sweet &amp; tasty!&quot;,&quot;price&quot;:3.99,&quot;image&quot;:&quot;strawberry_juice.jpeg&quot;},{&quot;name&quot;:&quot;Carrot Juice (1000ml)&quot;,&quot;description&quot;:&quot;As the old German saying goes: \&quot;Carrots are good for the eyes. Or has anyone ever seen a rabbit with glasses?\&quot;&quot;,&quot;price&quot;:2.99,&quot;image&quot;:&quot;carrot_juice.jpeg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;0 st4rs f0r 7h3 h0rr1bl3 s3cur17y&quot;,&quot;author&quot;:&quot;uvogin&quot;}]},{&quot;name&quot;:&quot;OWASP Juice Shop Sweden Tour 2017 Sticker Sheet (Special Edition)&quot;,&quot;description&quot;:&quot;10 sheets of Sweden-themed stickers with 15 stickers on each.&quot;,&quot;price&quot;:19.1,&quot;image&quot;:&quot;stickersheet_se.png&quot;,&quot;deletedDate&quot;:&quot;2017-09-20&quot;},{&quot;name&quot;:&quot;Pwning OWASP Juice Shop&quot;,&quot;description&quot;:&quot;&lt;em&gt;The official Companion Guide&lt;/em&gt; by Björn Kimminich available &lt;a href=\&quot;https://leanpub.com/juice-shop\&quot;&gt;for free on LeanPub&lt;/a&gt; and also &lt;a href=\&quot;https://pwning.owasp-juice.shop\&quot;&gt;readable online&lt;/a&gt;!&quot;,&quot;price&quot;:5.99,&quot;image&quot;:&quot;cover_small.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Even more interesting than watching Interdimensional Cable!&quot;,&quot;author&quot;:&quot;morty&quot;}]},{&quot;name&quot;:&quot;Melon Bike (Comeback-Product 2018 Edition)&quot;,&quot;description&quot;:&quot;The wheels of this bicycle are made from real water melons. You might not want to ride it up/down the curb too hard.&quot;,&quot;price&quot;:2999,&quot;quantity&quot;:3,&quot;limitPerUser&quot;:1,&quot;image&quot;:&quot;melon_bike.jpeg&quot;},{&quot;name&quot;:&quot;OWASP Juice Shop Coaster (10pcs)&quot;,&quot;description&quot;:&quot;Our 95mm circle coasters are printed in full color and made from thick, premium coaster board.&quot;,&quot;price&quot;:19.99,&quot;quantity&quot;:0,&quot;image&quot;:&quot;coaster.jpg&quot;},{&quot;name&quot;:&quot;OWASP Snakes and Ladders - Web Applications&quot;,&quot;description&quot;:&quot;This amazing web application security awareness board game is &lt;a href=\&quot;https://steamcommunity.com/sharedfiles/filedetails/?id=1969196030\&quot;&gt;available for Tabletop Simulator on Steam Workshop&lt;/a&gt; now!&quot;,&quot;price&quot;:0.01,&quot;quantity&quot;:8,&quot;image&quot;:&quot;snakes_ladders.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Wait for a 10$ Steam sale of Tabletop Simulator!&quot;,&quot;author&quot;:&quot;bjoernOwasp&quot;}]},{&quot;name&quot;:&quot;OWASP Snakes and Ladders - Mobile Apps&quot;,&quot;description&quot;:&quot;This amazing mobile app security awareness board game is &lt;a href=\&quot;https://steamcommunity.com/sharedfiles/filedetails/?id=1970691216\&quot;&gt;available for Tabletop Simulator on Steam Workshop&lt;/a&gt; now!&quot;,&quot;price&quot;:0.01,&quot;quantity&quot;:0,&quot;image&quot;:&quot;snakes_ladders_m.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Here yo&#39; learn how tha fuck ta not show yo&#39; goddamn phone on camera!&quot;,&quot;author&quot;:&quot;rapper&quot;}]},{&quot;name&quot;:&quot;OWASP Juice Shop Holographic Sticker&quot;,&quot;description&quot;:&quot;Die-cut holographic sticker. Stand out from those 08/15-sticker-covered laptops with this shiny beacon of 80&#39;s coolness!&quot;,&quot;price&quot;:2,&quot;quantity&quot;:0,&quot;image&quot;:&quot;holo_sticker.png&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Rad, dude!&quot;,&quot;author&quot;:&quot;rapper&quot;},{&quot;text&quot;:&quot;Looks spacy on Bones&#39; new tricorder!&quot;,&quot;author&quot;:&quot;jim&quot;},{&quot;text&quot;:&quot;Will put one on the Planet Express ship&#39;s bumper!&quot;,&quot;author&quot;:&quot;bender&quot;}]},{&quot;name&quot;:&quot;OWASP Juice Shop \&quot;King of the Hill\&quot; Facemask&quot;,&quot;description&quot;:&quot;Facemask with compartment for filter from 50% cotton and 50% polyester.&quot;,&quot;price&quot;:13.49,&quot;quantity&quot;:0,&quot;limitPerUser&quot;:1,&quot;image&quot;:&quot;fan_facemask.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;K33p5 y0ur ju1cy 5plu773r 70 y0ur53lf!&quot;,&quot;author&quot;:&quot;uvogin&quot;},{&quot;text&quot;:&quot;Puny mask for puny human weaklings!&quot;,&quot;author&quot;:&quot;bender&quot;}]},{&quot;name&quot;:&quot;Juice Shop Adversary Trading Card (Common)&quot;,&quot;description&quot;:&quot;Common rarity \&quot;Juice Shop\&quot; card for the &lt;a href=\&quot;https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\&quot;&gt;Adversary Trading Cards&lt;/a&gt; CCG.&quot;,&quot;price&quot;:2.99,&quot;deluxePrice&quot;:0.99,&quot;deletedDate&quot;:&quot;2020-11-30&quot;,&quot;limitPerUser&quot;:5,&quot;image&quot;:&quot;ccg_common.png&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Ooooh, puny human playing Mau Mau, now?&quot;,&quot;author&quot;:&quot;bender&quot;}]},{&quot;name&quot;:&quot;Juice Shop Adversary Trading Card (Super Rare)&quot;,&quot;description&quot;:&quot;Super rare \&quot;Juice Shop\&quot; card with holographic foil-coating for the &lt;a href=\&quot;https://docs.google.com/forms/d/e/1FAIpQLSecLEakawSQ56lBe2JOSbFwFYrKDCIN7Yd3iHFdQc5z8ApwdQ/viewform\&quot;&gt;Adversary Trading Cards&lt;/a&gt; CCG.&quot;,&quot;price&quot;:99.99,&quot;deluxePrice&quot;:69.99,&quot;deletedDate&quot;:&quot;2020-11-30&quot;,&quot;quantity&quot;:2,&quot;limitPerUser&quot;:1,&quot;image&quot;:&quot;ccg_foil.png&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Mau Mau with bling-bling? Humans are so pathetic!&quot;,&quot;author&quot;:&quot;bender&quot;}]},{&quot;name&quot;:&quot;Juice Shop \&quot;Permafrost\&quot; 2020 Edition&quot;,&quot;description&quot;:&quot;Exact version of &lt;a href=\&quot;https://github.com/juice-shop/juice-shop/releases/tag/v9.3.1-PERMAFROST\&quot;&gt;OWASP Juice Shop that was archived on 02/02/2020&lt;/a&gt; by the GitHub Archive Program and ultimately went into the &lt;a href=\&quot;https://github.blog/2020-07-16-github-archive-program-the-journey-of-the-worlds-open-source-code-to-the-arctic\&quot;&gt;Arctic Code Vault&lt;/a&gt; on July 8. 2020 where it will be safely stored for at least 1000 years.&quot;,&quot;price&quot;:9999.99,&quot;quantity&quot;:1,&quot;limitPerUser&quot;:1,&quot;image&quot;:&quot;permafrost.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;🧊 Let it go, let it go 🎶 Can&#39;t hold it back anymore 🎶 Let it go, let it go 🎶 Turn away and slam the door ❄️&quot;,&quot;author&quot;:&quot;rapper&quot;}]},{&quot;name&quot;:&quot;Best Juice Shop Salesman Artwork&quot;,&quot;description&quot;:&quot;Unique digital painting depicting Stan, our most qualified and almost profitable salesman. He made a succesful carreer in selling used ships, coffins, krypts, crosses, real estate, life insurance, restaurant supplies, voodoo enhanced asbestos and courtroom souvenirs before &lt;em&gt;finally&lt;/em&gt; adding his expertise to the Juice Shop marketing team.&quot;,&quot;price&quot;:5000,&quot;quantity&quot;:1,&quot;image&quot;:&quot;artwork2.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;I&#39;d stand on my head to make you a deal for this piece of art.&quot;,&quot;author&quot;:&quot;stan&quot;},{&quot;text&quot;:&quot;Just when my opinion of humans couldn&#39;t get any lower, along comes Stan...&quot;,&quot;author&quot;:&quot;bender&quot;}]},{&quot;name&quot;:&quot;OWASP Juice Shop Card (non-foil)&quot;,&quot;description&quot;:&quot;Mythic rare &lt;small&gt;&lt;em&gt;(obviously...)&lt;/em&gt;&lt;/small&gt; card \&quot;OWASP Juice Shop\&quot; with three distinctly useful abilities. Alpha printing, mint condition. A true collectors piece to own!&quot;,&quot;price&quot;:1000,&quot;quantity&quot;:3,&quot;limitPerUser&quot;:1,&quot;image&quot;:&quot;card_alpha.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;DO NOT PLAY WITH THIS! Double-sleeve, then put it in the GitHub Arctic Vault for perfect preservation and boost of secondary market value!&quot;,&quot;author&quot;:&quot;accountant&quot;}]},{&quot;name&quot;:&quot;20th Anniversary Celebration Ticket&quot;,&quot;description&quot;:&quot;Get your &lt;a href=\&quot;https://20thanniversary.owasp.org/\&quot; target=\&quot;_blank\&quot;&gt;free 🎫 for OWASP 20th Anniversary Celebration&lt;/a&gt; online conference! Hear from world renowned keynotes and special speakers, network with your peers and interact with our event sponsors. With an anticipated 10k+ attendees from around the world, you will not want to miss this live on-line event!&quot;,&quot;price&quot;:1e-20,&quot;deletedDate&quot;:&quot;2021-09-25&quot;,&quot;limitPerUser&quot;:1,&quot;image&quot;:&quot;20th.jpeg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;I&#39;ll be there! Will you, too?&quot;,&quot;author&quot;:&quot;bjoernOwasp&quot;}]},{&quot;name&quot;:&quot;OWASP Juice Shop LEGO™ Tower&quot;,&quot;description&quot;:&quot;Want to host a Juice Shop CTF in style? Build &lt;a href=\&quot;https://github.com/OWASP/owasp-swag/blob/master/projects/juice-shop/lego/OWASP%20JuiceShop%20Pi-server%201.2.pdf\&quot; target=\&quot;_blank\&quot;&gt;your own LEGO™ tower&lt;/a&gt; which holds four Raspberry Pi 4 models with PoE HAT modules &lt;a href=\&quot;https://github.com/juice-shop/multi-juicer/blob/main/guides/raspberry-pi/raspberry-pi.md\&quot; target=\&quot;_blank\&quot;&gt;running a MultiJuicer Kubernetes cluster&lt;/a&gt;! Wire to a switch and connect to your network to have an out-of-the-box ready CTF up in no time!&quot;,&quot;price&quot;:799,&quot;quantity&quot;:3,&quot;limitPerUser&quot;:1,&quot;image&quot;:&quot;lego_case.jpg&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;Check out the /#/photo-wall for some impressions of the assembly process!&quot;,&quot;author&quot;:&quot;bjoernOwasp&quot;}]},{&quot;name&quot;:&quot;DSOMM &amp; Juice Shop User Day Ticket&quot;,&quot;description&quot;:&quot;You are going to the OWASP Global AppSec San Francisco 2024? &lt;a href=\&quot;https://www.eventbrite.com/e/owasp-global-appsec-san-francisco-2024-tickets-723699172707\&quot; target=\&quot;_blank\&quot;&gt;Get a ticket&lt;sup&gt;*&lt;/sup&gt;&lt;/a&gt; for this amazing side event as well! Check the juice-packed agenda &lt;a href=\&quot;https://owasp.org/www-project-juice-shop/#div-userday2024\&quot; target=\&quot;_blank\&quot;&gt;here&lt;/a&gt; for all the details!&lt;br&gt;&lt;br&gt;&lt;small&gt;&lt;small&gt;&lt;sup&gt;*&lt;/sup&gt;=scroll down to &lt;strong&gt;Elevate: DSOMM and Juice Shop User Day (Sept. 25)&lt;/strong&gt; after clicking &lt;em&gt;Get Tickets&lt;/em&gt; on Eventbrite. Ticket price set to only covers fees for room, AV, and catering throughout the day.&lt;/small&gt;&lt;/small&gt;&quot;,&quot;price&quot;:55.2,&quot;deletedDate&quot;:&quot;2024-09-26&quot;,&quot;limitPerUser&quot;:1,&quot;image&quot;:&quot;user_day_ticket.png&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;The DSOMM Live Assessment session will even use Juice Shop as its \&quot;real-world\&quot; example!&quot;,&quot;author&quot;:&quot;timo&quot;},{&quot;text&quot;:&quot;We will showcase the amazing MultiJuicer Lego Tower at this event!&quot;,&quot;author&quot;:&quot;jannik&quot;}]},{&quot;name&quot;:&quot;Pineapple Juice (1000ml)&quot;,&quot;description&quot;:&quot;Tropical refreshment from the finest sun-ripened pineapples.&quot;,&quot;price&quot;:2.99,&quot;image&quot;:&quot;pineapple_juice.png&quot;},{&quot;name&quot;:&quot;Melon Juice (1000ml)&quot;,&quot;description&quot;:&quot;Refreshing and sweet juice made from ripe melons.&quot;,&quot;price&quot;:2.49,&quot;image&quot;:&quot;melon_juice.png&quot;},{&quot;name&quot;:&quot;Grape Juice (1000ml)&quot;,&quot;description&quot;:&quot;Deep purple and full of antioxidants from selected grapes.&quot;,&quot;price&quot;:2.99,&quot;image&quot;:&quot;grape_juice.png&quot;},{&quot;name&quot;:&quot;Dragonfruit Juice (500ml)&quot;,&quot;description&quot;:&quot;Exotic and vibrant juice made from dragonfruit.&quot;,&quot;price&quot;:3.99,&quot;image&quot;:&quot;dragonfruit_juice.png&quot;},{&quot;name&quot;:&quot;Berry Juice (1000ml)&quot;,&quot;description&quot;:&quot;A delicious blend of fresh forest berries.&quot;,&quot;price&quot;:3.49,&quot;image&quot;:&quot;berry_juice.png&quot;},{&quot;name&quot;:&quot;Basil Smoothie&quot;,&quot;description&quot;:&quot;A unique blend of fresh basil and ginger for a healthy kick.&quot;,&quot;price&quot;:2.99,&quot;image&quot;:&quot;basil_smoothie.png&quot;,&quot;reviews&quot;:[{&quot;text&quot;:&quot;(ง&#39;̀-&#39;́)ง&quot;,&quot;author&quot;:&quot;basil&quot;}]},{&quot;name&quot;:&quot;Bragă (500ml)&quot;,&quot;description&quot;:&quot;Traditional Balkan drink made from fermented millet. Lightly sweet-sour, refreshing, and naturally energizing.&quot;,&quot;price&quot;:2.49,&quot;image&quot;:&quot;braga.jpg&quot;},{&quot;name&quot;:&quot;Elderflower Cordial (500ml)&quot;,&quot;description&quot;:&quot;Floral and fragrant soft drink made from elderflowers. Traditionally enjoyed chilled.&quot;,&quot;price&quot;:3.29,&quot;image&quot;:&quot;elderflower_cordial.jpg&quot;},{&quot;name&quot;:&quot;Sea Buckthorn Juice (500ml)&quot;,&quot;description&quot;:&quot;Tangy and slightly sour juice, extremely rich in Vitamin C and antioxidants.&quot;,&quot;price&quot;:3.99,&quot;image&quot;:&quot;sea_buckthorn_juice.jpg&quot;},{&quot;name&quot;:&quot;Pomegranate Drink (500ml)&quot;,&quot;description&quot;:&quot;A sweet and tart refreshment inspired by classic grenadine flavors.&quot;,&quot;price&quot;:4.49,&quot;image&quot;:&quot;pomegranate_drink.jpg&quot;}],&quot;memories&quot;:[{&quot;image&quot;:&quot;magn(et)ificent!-1571814229653.jpg&quot;,&quot;caption&quot;:&quot;Magn(et)ificent!&quot;,&quot;user&quot;:&quot;bjoernGoogle&quot;},{&quot;image&quot;:&quot;my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg&quot;,&quot;caption&quot;:&quot;My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]&quot;,&quot;user&quot;:&quot;bjoernGoogle&quot;},{&quot;image&quot;:&quot;favorite-hiking-place.png&quot;,&quot;caption&quot;:&quot;I love going hiking here...&quot;,&quot;geoStalkingMetaSecurityQuestion&quot;:14,&quot;geoStalkingMetaSecurityAnswer&quot;:&quot;Daniel Boone National Forest&quot;},{&quot;image&quot;:&quot;IMG_4253.jpg&quot;,&quot;caption&quot;:&quot;My old workplace...&quot;,&quot;geoStalkingVisualSecurityQuestion&quot;:10,&quot;geoStalkingVisualSecurityAnswer&quot;:&quot;ITsec&quot;},{&quot;image&quot;:&quot;BeeHaven.png&quot;,&quot;caption&quot;:&quot;Welcome to the Bee Haven (/#/bee-haven)🐝&quot;,&quot;user&quot;:&quot;evm&quot;},{&quot;image&quot;:&quot;sorted-the-pieces,-starting-assembly-process-1721152307290.jpg&quot;,&quot;caption&quot;:&quot;Sorted the pieces, starting assembly process...&quot;,&quot;user&quot;:&quot;bjoernOwasp&quot;},{&quot;image&quot;:&quot;building-something-literally-bottom-up-1721152342603.jpg&quot;,&quot;caption&quot;:&quot;Building something literally bottom up...&quot;,&quot;user&quot;:&quot;bjoernOwasp&quot;},{&quot;image&quot;:&quot;putting-in-the-hardware-1721152366854.jpg&quot;,&quot;caption&quot;:&quot;Putting in the hardware...&quot;,&quot;user&quot;:&quot;bjoernOwasp&quot;},{&quot;image&quot;:&quot;everything-up-and-running!-1721152385146.jpg&quot;,&quot;caption&quot;:&quot;Everything up and running!&quot;,&quot;user&quot;:&quot;bjoernOwasp&quot;}],&quot;ctf&quot;:{&quot;showFlagsInNotifications&quot;:false,&quot;showCountryDetailsInNotifications&quot;:&quot;none&quot;,&quot;countryMapping&quot;:null,&quot;systemWideNotifications&quot;:{&quot;url&quot;:null,&quot;pollFrequencySeconds&quot;:null}}}}</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Evidence</th>
<td><pre><code>192.168.99.100:3000</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>Remove the private IP address from the HTTP response body. For comments, use JSP/ASP/PHP comment instead of HTML/JavaScript comment which can be seen by client browsers.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
<li>
<h5>
<a
href="#alert-type-7">X-Content-Type-Options Header Missing</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000/socket.io/?EIO=4&amp;transport=polling&amp;t=Pvk6yOd</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span><a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">OWASP_2021_A05</a></span>
</li>
<li>
<span>POLICY_QA_STD = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic">SYSTEMIC</a></span>
</li>
<li>
<span><a href="https://cwe.mitre.org/data/definitions/693.html">CWE-693</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html">OWASP_2017_A06</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/">OWASP_2025_A02</a></span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to &#39;nosniff&#39;. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.</p>
</td>
</tr>
<tr>
<th scope="row">Other info</th>
<td>
<p>This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.</p>
<p>At &quot;High&quot; threshold this scan rule will not alert on client or server error responses.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (292 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000/socket.io/?EIO=4&amp;transport=polling&amp;t=Pvk6yOd HTTP/1.1
host: 20.60.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: http://20.60.0.1:3000/
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (230 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:4200
Vary: Origin
Content-Type: text/plain; charset=UTF-8
Content-Length: 96
Date: Thu, 28 May 2026 10:22:58 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body" open="open">
<summary>Response body (96 bytes)</summary>
<pre><code>0{&quot;sid&quot;:&quot;pd0V5LZ93y-FQn8oAAAA&quot;,&quot;upgrades&quot;:[&quot;websocket&quot;],&quot;pingInterval&quot;:25000,&quot;pingTimeout&quot;:5000}</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Parameter</th>
<td><pre><code>x-content-type-options</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to &#39;nosniff&#39; for all web pages.</p>
<p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
<li id="alerts--risk-1-confidence-1">
<h3>
<span>Risk</span>=<span
class="risk-level">Low</span>, <span>Confidence</span>=<span
class="confidence-level">Low</span> <span>(1)</span>
</h3>
<ol>
<li class="alerts--site-li">
<h4>
<span class="site">http://20.60.0.1:3000</span> <span>(1)</span>
</h4>
<ol>
<li>
<h5>
<a
href="#alert-type-6">Timestamp Disclosure - Unix</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span><a href="https://owasp.org/Top10/A01_2021-Broken_Access_Control/">OWASP_2021_A01</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html">OWASP_2017_A03</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/">OWASP_2025_A01</a></span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://cwe.mitre.org/data/definitions/497.html">CWE-497</a></span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic">SYSTEMIC</a></span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>A timestamp was disclosed by the application/web server. - Unix</p>
</td>
</tr>
<tr>
<th scope="row">Other info</th>
<td>
<p>1666666667, which evaluates to: 2022-10-24 22:57:47.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (228 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000 HTTP/1.1
host: 20.60.0.1:3000
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
pragma: no-cache
cache-control: no-cache
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (467 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment &#39;self&#39;
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Thu, 28 May 2026 10:18:52 GMT
ETag: W/&quot;26af-19e6e1813ac&quot;
Content-Type: text/html; charset=UTF-8
Content-Length: 9903
Vary: Accept-Encoding
Date: Thu, 28 May 2026 10:21:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body">
<summary>Response body (9903 bytes)</summary>
<pre><code>&lt;!--
~ Copyright (c) 2014-2026 Bjoern Kimminich &amp; the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--&gt;
&lt;!doctype html&gt;
&lt;html lang=&quot;en&quot; data-beasties-container&gt;
&lt;head&gt;
&lt;meta charset=&quot;utf-8&quot;&gt;
&lt;title&gt;OWASP Juice Shop&lt;/title&gt;
&lt;meta name=&quot;description&quot; content=&quot;Probably the most modern and sophisticated insecure web application&quot;&gt;
&lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1&quot;&gt;
&lt;link rel=&quot;preconnect&quot; href=&quot;https://fonts.googleapis.com&quot;&gt;
&lt;link rel=&quot;preconnect&quot; href=&quot;https://fonts.gstatic.com&quot; crossorigin&gt;
&lt;style&gt;@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format(&#39;woff2&#39;);unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format(&#39;woff2&#39;);unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format(&#39;woff2&#39;);unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}&lt;/style&gt;
&lt;link id=&quot;favicon&quot; rel=&quot;icon&quot; type=&quot;image/x-icon&quot; href=&quot;assets/public/favicon_js.ico&quot;&gt;
&lt;script&gt;
window.addEventListener(&quot;load&quot;, function(){
window.cookieconsent.initialise({
&quot;palette&quot;: {
&quot;popup&quot;: { &quot;background&quot;: &quot;var(--theme-primary)&quot;, &quot;text&quot;: &quot;var(--theme-text)&quot; },
&quot;button&quot;: { &quot;background&quot;: &quot;var(--theme-accent)&quot;, &quot;text&quot;: &quot;var(--theme-text)&quot; }
},
&quot;theme&quot;: &quot;classic&quot;,
&quot;position&quot;: &quot;bottom-right&quot;,
&quot;content&quot;: { &quot;message&quot;: &quot;This website uses fruit cookies to ensure you get the juiciest tracking experience.&quot;, &quot;dismiss&quot;: &quot;Me want it!&quot;, &quot;link&quot;: &quot;But me wait!&quot;, &quot;href&quot;: &quot;https://www.youtube.com/watch?v=9PnbKL3wuH4&quot; }
})});
&lt;/script&gt;
&lt;style&gt;.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, &quot;Helvetica Neue&quot;, sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid #abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}&lt;/style&gt;&lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot; media=&quot;print&quot; onload=&quot;this.media=&#39;all&#39;&quot;&gt;&lt;noscript&gt;&lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot;&gt;&lt;/noscript&gt;&lt;/head&gt;
&lt;body class=&quot;bluegrey-lightgreen-theme&quot;&gt;
&lt;app-root&gt;&lt;/app-root&gt;
&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-SCY7YOCS.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-PX7UKXVL.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-GNBEOV4E.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-7O3TTE7G.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-JCQ5N7PA.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-UNFVUBM2.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-524KQQJQ.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-SI2GTEZM.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-ZO2KHBRB.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-7AKA75AX.js&quot;&gt;&lt;script src=&quot;polyfills.js&quot; type=&quot;module&quot;&gt;&lt;/script&gt;&lt;script src=&quot;scripts.js&quot; defer&gt;&lt;/script&gt;&lt;script src=&quot;main.js&quot; type=&quot;module&quot;&gt;&lt;/script&gt;&lt;/body&gt;
&lt;/html&gt;
</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Evidence</th>
<td><pre><code>1666666667</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
<li id="alerts--risk-0-confidence-3">
<h3>
<span>Risk</span>=<span
class="risk-level">Informational</span>, <span>Confidence</span>=<span
class="confidence-level">High</span> <span>(1)</span>
</h3>
<ol>
<li class="alerts--site-li">
<h4>
<span class="site">http://20.60.0.1:3000</span> <span>(1)</span>
</h4>
<ol>
<li>
<h5>
<a
href="#alert-type-9">Session Management Response Identified</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000/rest/continue-code/</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>The given response has been identified as containing a session management token. The &#39;Other Info&#39; field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to &quot;Auto-Detect&quot; then this rule will change the session management to use the tokens identified.</p>
</td>
</tr>
<tr>
<th scope="row">Other info</th>
<td>
<p>json:continueCode</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (297 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000/rest/continue-code/ HTTP/1.1
host: 20.60.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: http://20.60.0.1:3000/
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (384 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment &#39;self&#39;
X-Recruiting: /#/jobs
Content-Type: application/json; charset=utf-8
Content-Length: 79
ETag: W/&quot;4f-uLu5Lde8X4OncOnJeidFijss6vg&quot;
Vary: Accept-Encoding
Date: Thu, 28 May 2026 10:45:25 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body" open="open">
<summary>Response body (79 bytes)</summary>
<pre><code>{&quot;continueCode&quot;:&quot;y1OzBZxNpnLrM5WmgEKv8XakQ7DA6LcQGJ6yOlV9Pow1jYqbz2eRB34oE5mM&quot;}</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Parameter</th>
<td><pre><code>continueCode</code></pre></td>
</tr>
<tr>
<th scope="row">Evidence</th>
<td><pre><code>continueCode</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>This is an informational alert rather than a vulnerability and so there is nothing to fix.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
<li id="alerts--risk-0-confidence-2">
<h3>
<span>Risk</span>=<span
class="risk-level">Informational</span>, <span>Confidence</span>=<span
class="confidence-level">Medium</span> <span>(2)</span>
</h3>
<ol>
<li class="alerts--site-li">
<h4>
<span class="site">http://20.60.0.1:3000</span> <span>(2)</span>
</h4>
<ol>
<li>
<h5>
<a
href="#alert-type-8">Modern Web Application</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span><a href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">OWASP_2021_A05</a></span>
</li>
<li>
<span>POLICY_QA_STD = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic">SYSTEMIC</a></span>
</li>
<li>
<span><a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html">OWASP_2017_A06</a></span>
</li>
<li>
<span><a href="https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/">OWASP_2025_A02</a></span>
</li>
<li>
<span>POLICY_DEV_STD = </span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.</p>
</td>
</tr>
<tr>
<th scope="row">Other info</th>
<td>
<p>No links have been found while there are scripts, which is an indication that this is a modern web application.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (228 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000 HTTP/1.1
host: 20.60.0.1:3000
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
pragma: no-cache
cache-control: no-cache
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (467 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: payment &#39;self&#39;
X-Recruiting: /#/jobs
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Thu, 28 May 2026 10:18:52 GMT
ETag: W/&quot;26af-19e6e1813ac&quot;
Content-Type: text/html; charset=UTF-8
Content-Length: 9903
Vary: Accept-Encoding
Date: Thu, 28 May 2026 10:21:09 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body">
<summary>Response body (9903 bytes)</summary>
<pre><code>&lt;!--
~ Copyright (c) 2014-2026 Bjoern Kimminich &amp; the OWASP Juice Shop contributors.
~ SPDX-License-Identifier: MIT
--&gt;
&lt;!doctype html&gt;
&lt;html lang=&quot;en&quot; data-beasties-container&gt;
&lt;head&gt;
&lt;meta charset=&quot;utf-8&quot;&gt;
&lt;title&gt;OWASP Juice Shop&lt;/title&gt;
&lt;meta name=&quot;description&quot; content=&quot;Probably the most modern and sophisticated insecure web application&quot;&gt;
&lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1&quot;&gt;
&lt;link rel=&quot;preconnect&quot; href=&quot;https://fonts.googleapis.com&quot;&gt;
&lt;link rel=&quot;preconnect&quot; href=&quot;https://fonts.gstatic.com&quot; crossorigin&gt;
&lt;style&gt;@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isQFJXGdg.woff2) format(&#39;woff2&#39;);unicode-range:U+0102-0103, U+0110-0111, U+0128-0129, U+0168-0169, U+01A0-01A1, U+01AF-01B0, U+0300-0301, U+0303-0304, U+0308-0309, U+0323, U+0329, U+1EA0-1EF9, U+20AB;}@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isRFJXGdg.woff2) format(&#39;woff2&#39;);unicode-range:U+0100-02BA, U+02BD-02C5, U+02C7-02CC, U+02CE-02D7, U+02DD-02FF, U+0304, U+0308, U+0329, U+1D00-1DBF, U+1E00-1E9F, U+1EF2-1EFF, U+2020, U+20A0-20AB, U+20AD-20C0, U+2113, U+2C60-2C7F, U+A720-A7FF;}@font-face{font-family:&#39;VT323&#39;;font-style:normal;font-weight:400;font-display:swap;src:url(https://fonts.gstatic.com/s/vt323/v18/pxiKyp0ihIEF2isfFJU.woff2) format(&#39;woff2&#39;);unicode-range:U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;}&lt;/style&gt;
&lt;link id=&quot;favicon&quot; rel=&quot;icon&quot; type=&quot;image/x-icon&quot; href=&quot;assets/public/favicon_js.ico&quot;&gt;
&lt;script&gt;
window.addEventListener(&quot;load&quot;, function(){
window.cookieconsent.initialise({
&quot;palette&quot;: {
&quot;popup&quot;: { &quot;background&quot;: &quot;var(--theme-primary)&quot;, &quot;text&quot;: &quot;var(--theme-text)&quot; },
&quot;button&quot;: { &quot;background&quot;: &quot;var(--theme-accent)&quot;, &quot;text&quot;: &quot;var(--theme-text)&quot; }
},
&quot;theme&quot;: &quot;classic&quot;,
&quot;position&quot;: &quot;bottom-right&quot;,
&quot;content&quot;: { &quot;message&quot;: &quot;This website uses fruit cookies to ensure you get the juiciest tracking experience.&quot;, &quot;dismiss&quot;: &quot;Me want it!&quot;, &quot;link&quot;: &quot;But me wait!&quot;, &quot;href&quot;: &quot;https://www.youtube.com/watch?v=9PnbKL3wuH4&quot; }
})});
&lt;/script&gt;
&lt;style&gt;.bluegrey-lightgreen-theme{--mat-sys-background:#121316;--mat-sys-error:#ffb4ab;--mat-sys-error-container:#93000a;--mat-sys-inverse-on-surface:#2f3033;--mat-sys-inverse-primary:#005cbb;--mat-sys-inverse-surface:#e3e2e6;--mat-sys-on-background:#e3e2e6;--mat-sys-on-error:#690005;--mat-sys-on-error-container:#ffdad6;--mat-sys-on-primary:#002f65;--mat-sys-on-primary-container:#d7e3ff;--mat-sys-on-primary-fixed:#001b3f;--mat-sys-on-primary-fixed-variant:#00458f;--mat-sys-on-secondary:#283041;--mat-sys-on-secondary-container:#dae2f9;--mat-sys-on-secondary-fixed:#131c2b;--mat-sys-on-secondary-fixed-variant:#3e4759;--mat-sys-on-surface:#e3e2e6;--mat-sys-on-surface-variant:#e0e2ec;--mat-sys-on-tertiary:#173800;--mat-sys-on-tertiary-container:#82ff10;--mat-sys-on-tertiary-fixed:#0b2000;--mat-sys-on-tertiary-fixed-variant:#245100;--mat-sys-outline:#8e9099;--mat-sys-outline-variant:#44474e;--mat-sys-primary:#abc7ff;--mat-sys-primary-container:#00458f;--mat-sys-primary-fixed:#d7e3ff;--mat-sys-primary-fixed-dim:#abc7ff;--mat-sys-scrim:#000000;--mat-sys-secondary:#bec6dc;--mat-sys-secondary-container:#3e4759;--mat-sys-secondary-fixed:#dae2f9;--mat-sys-secondary-fixed-dim:#bec6dc;--mat-sys-shadow:#000000;--mat-sys-surface:#121316;--mat-sys-surface-bright:#38393c;--mat-sys-surface-container:#1f2022;--mat-sys-surface-container-high:#292a2c;--mat-sys-surface-container-highest:#343537;--mat-sys-surface-container-low:#1a1b1f;--mat-sys-surface-container-lowest:#0d0e11;--mat-sys-surface-dim:#121316;--mat-sys-surface-tint:#abc7ff;--mat-sys-surface-variant:#44474e;--mat-sys-tertiary:#70e000;--mat-sys-tertiary-container:#245100;--mat-sys-tertiary-fixed:#82ff10;--mat-sys-tertiary-fixed-dim:#70e000;--mat-sys-neutral-variant20:#2d3038;--mat-sys-neutral10:#1a1b1f;--mat-sys-level0:0px 0px 0px 0px rgba(0, 0, 0, .2), 0px 0px 0px 0px rgba(0, 0, 0, .14), 0px 0px 0px 0px rgba(0, 0, 0, .12);--mat-sys-level1:0px 2px 1px -1px rgba(0, 0, 0, .2), 0px 1px 1px 0px rgba(0, 0, 0, .14), 0px 1px 3px 0px rgba(0, 0, 0, .12);--mat-sys-level2:0px 3px 3px -2px rgba(0, 0, 0, .2), 0px 3px 4px 0px rgba(0, 0, 0, .14), 0px 1px 8px 0px rgba(0, 0, 0, .12);--mat-sys-level3:0px 3px 5px -1px rgba(0, 0, 0, .2), 0px 6px 10px 0px rgba(0, 0, 0, .14), 0px 1px 18px 0px rgba(0, 0, 0, .12);--mat-sys-level4:0px 5px 5px -3px rgba(0, 0, 0, .2), 0px 8px 10px 1px rgba(0, 0, 0, .14), 0px 3px 14px 2px rgba(0, 0, 0, .12);--mat-sys-level5:0px 7px 8px -4px rgba(0, 0, 0, .2), 0px 12px 17px 2px rgba(0, 0, 0, .14), 0px 5px 22px 4px rgba(0, 0, 0, .12);--mat-sys-corner-extra-large:28px;--mat-sys-corner-extra-large-top:28px 28px 0 0;--mat-sys-corner-extra-small:4px;--mat-sys-corner-extra-small-top:4px 4px 0 0;--mat-sys-corner-full:9999px;--mat-sys-corner-large:16px;--mat-sys-corner-large-end:0 16px 16px 0;--mat-sys-corner-large-start:16px 0 0 16px;--mat-sys-corner-large-top:16px 16px 0 0;--mat-sys-corner-medium:12px;--mat-sys-corner-none:0;--mat-sys-corner-small:8px;--mat-sys-dragged-state-layer-opacity:.16;--mat-sys-focus-state-layer-opacity:.12;--mat-sys-hover-state-layer-opacity:.08;--mat-sys-pressed-state-layer-opacity:.12;color:var(--mat-sys-on-surface);background-color:var(--mat-sys-surface)}html{font-family:var(--mat-sys-body-medium-font, Roboto, &quot;Helvetica Neue&quot;, sans-serif)}.bluegrey-lightgreen-theme{--theme-primary:#438fff;--theme-primary-lighter:rgb(97.6, 161.229787234, 255);--theme-primary-light:rgb(118, 173.3829787234, 255);--theme-primary-darker:rgb(36.4, 124.770212766, 255);--theme-primary-dark:rgb(16, 112.6170212766, 255);--theme-primary-fade-10:#438fff;--theme-primary-fade-20:#438fff;--theme-primary-fade-30:#438fff;--theme-primary-fade-40:#438fff;--theme-primary-fade-50:#438fff;--theme-accent:#50a400;--theme-accent-lighter:rgb(94.9268292683, 194.6, 0);--theme-accent-light:rgb(104.8780487805, 215, 0);--theme-accent-darker:rgb(65.0731707317, 133.4, 0);--theme-accent-dark:rgb(55.1219512195, 113, 0);--theme-accent-fade-10:#50a400;--theme-accent-fade-20:#50a400;--theme-accent-fade-30:#50a400;--theme-accent-fade-40:#50a400;--theme-accent-fade-50:#50a400;--theme-warn:#ffb4ab;--theme-warn-lighter:rgb(255, 207.3214285714, 201.6);--theme-warn-light:rgb(255, 225.5357142857, 222);--theme-warn-darker:rgb(255, 152.6785714286, 140.4);--theme-warn-dark:rgb(255, 134.4642857143, 120);--theme-warn-fade-10:#ffb4ab;--theme-warn-fade-20:#ffb4ab;--theme-warn-fade-30:#ffb4ab;--theme-warn-fade-40:#ffb4ab;--theme-warn-fade-50:#ffb4ab;--theme-text:#e3e2e6;--theme-text-lighter:rgb(242.8666666667, 242.4333333333, 244.1666666667);--theme-text-light:rgb(253.4444444444, 253.3888888889, 253.6111111111);--theme-text-darker:rgb(200.5555555556, 198.6111111111, 206.3888888889);--theme-text-dark:rgb(160.8888888889, 157.5277777778, 170.9722222222);--theme-text-fade-10:#e3e2e6;--theme-text-fade-20:#e3e2e6;--theme-text-fade-30:#e3e2e6;--theme-text-fade-40:#e3e2e6;--theme-text-fade-50:#e3e2e6;--theme-text-invert-15:rgb(197.15, 196.45, 199.25);--theme-text-invert-30:rgb(167.3, 166.9, 168.5);--theme-background:#1f2022;--theme-background-lighter:rgb(45.5938461538, 47.0646153846, 50.0061538462);--theme-background-light:rgb(55.3230769231, 57.1076923077, 60.6769230769);--theme-background-darker:rgb(16.4061538462, 16.9353846154, 17.9938461538);--theme-background-dark:rgb(6.6769230769, 6.8923076923, 7.3230769231);--theme-background-darkest:hsl(220, 4.6153846154%, -1.2549019608%);--theme-thumbnail-border:1px solid #abc7ff;--mdc-filled-text-field-container-color:#0000;--mdc-filled-text-field-disabled-container-color:#0000;--theme-background:#3e3e3e;--theme-background-lighter:#4a4a4a;--theme-background-light:#5a5a5a;--theme-background-darker:#333638;--theme-background-dark:#303030;--theme-background-darkest:#2b2b2b;--theme-text:#e8ecef;--theme-text-lighter:#f2f5f7;--theme-text-light:#fff;--theme-text-darker:#b8c0c7;--theme-text-dark:#7f8a93;--mat-sys-surface:#333638;--mat-sys-on-surface:#e8ecef;--mat-sys-surface-container:#3e3e3e;--mat-sys-surface-container-high:#404244;--mat-sys-on-surface-variant:#b8c0c7;--mat-sys-outline:#5a5a5a;--mat-sys-outline-variant:#404244}.bluegrey-lightgreen-theme{--theme-warn:#f44336;--theme-warn-lighter:rgb(245.5877358491, 94.1358490566, 83.0122641509);--theme-warn-light:rgb(246.6462264151, 112.2264150943, 102.3537735849);--theme-warn-darker:rgb(242.4122641509, 39.8641509434, 24.9877358491);--theme-warn-dark:rgb(234.1839622642, 27.9622641509, 12.8160377358);--theme-warn-fade-10:#f44336;--theme-warn-fade-20:#f44336;--theme-warn-fade-30:#f44336;--theme-warn-fade-40:#f44336;--theme-warn-fade-50:#f44336;--mat-sys-error:#f44336;--mat-sys-on-error:#fff}@media screen and (-webkit-min-device-pixel-ratio:0){}&lt;/style&gt;&lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot; media=&quot;print&quot; onload=&quot;this.media=&#39;all&#39;&quot;&gt;&lt;noscript&gt;&lt;link rel=&quot;stylesheet&quot; href=&quot;styles.css&quot;&gt;&lt;/noscript&gt;&lt;/head&gt;
&lt;body class=&quot;bluegrey-lightgreen-theme&quot;&gt;
&lt;app-root&gt;&lt;/app-root&gt;
&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-SCY7YOCS.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-PX7UKXVL.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-GNBEOV4E.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-7O3TTE7G.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-JCQ5N7PA.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-UNFVUBM2.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-524KQQJQ.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-SI2GTEZM.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-ZO2KHBRB.js&quot;&gt;&lt;link rel=&quot;modulepreload&quot; href=&quot;chunk-7AKA75AX.js&quot;&gt;&lt;script src=&quot;polyfills.js&quot; type=&quot;module&quot;&gt;&lt;/script&gt;&lt;script src=&quot;scripts.js&quot; defer&gt;&lt;/script&gt;&lt;script src=&quot;main.js&quot; type=&quot;module&quot;&gt;&lt;/script&gt;&lt;/body&gt;
&lt;/html&gt;
</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Evidence</th>
<td><pre><code>&lt;script&gt;
window.addEventListener(&quot;load&quot;, function(){
window.cookieconsent.initialise({
&quot;palette&quot;: {
&quot;popup&quot;: { &quot;background&quot;: &quot;var(--theme-primary)&quot;, &quot;text&quot;: &quot;var(--theme-text)&quot; },
&quot;button&quot;: { &quot;background&quot;: &quot;var(--theme-accent)&quot;, &quot;text&quot;: &quot;var(--theme-text)&quot; }
},
&quot;theme&quot;: &quot;classic&quot;,
&quot;position&quot;: &quot;bottom-right&quot;,
&quot;content&quot;: { &quot;message&quot;: &quot;This website uses fruit cookies to ensure you get the juiciest tracking experience.&quot;, &quot;dismiss&quot;: &quot;Me want it!&quot;, &quot;link&quot;: &quot;But me wait!&quot;, &quot;href&quot;: &quot;https://www.youtube.com/watch?v=9PnbKL3wuH4&quot; }
})});
&lt;/script&gt;</code></pre></td>
</tr>
<tr>
<th scope="row">Solution</th>
<td>
<p>This is an informational alert and so no changes are required.</p>
</td>
</tr>
</table>
</details></li>
</ol>
</li>
<li>
<h5>
<a
href="#alert-type-10">User Agent Fuzzer</a> <span>(1)</span>
</h5>
<ol>
<li><details>
<summary>
<span class="request-method-n-url">GET http://20.60.0.1:3000/socket.io/?EIO=4&amp;transport=polling&amp;t=Pvk7mTy</span>
</summary>
<table class="alerts-table">
<tr>
<th scope="row">Alert tags</th>
<td>
<ul class="alert-tags-list">
<li>
<span>CUSTOM_PAYLOADS = </span>
</li>
<li>
<span>POLICY_PENTEST = </span>
</li>
<li>
<span><a href="https://www.zaproxy.org/docs/desktop/addons/common-library/alerttags/#systemic">SYSTEMIC</a></span>
</li>
</ul>
</td>
</tr>
<tr>
<th scope="row">Alert description</th>
<td>
<p>Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.</p>
</td>
</tr>
<tr>
<th scope="row">Request</th>
<td><details open="open">
<summary>Request line and header section (398 bytes)</summary>
<pre><code>GET http://20.60.0.1:3000/socket.io/?EIO=4&amp;transport=polling&amp;t=Pvk7mTy HTTP/1.1
host: 20.60.0.1:3000
user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Referer: http://20.60.0.1:3000/
Cookie: language=en; continueCode=y1OzBZxNpnLrM5WmgEKv8XakQ7DA6LcQGJ6yOlV9Pow1jYqbz2eRB34oE5mM; welcomebanner_status=dismiss
</code></pre>
</details> <details class="request-body" open="open">
<summary>Request body (0 bytes)</summary>
<pre><code></code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Response</th>
<td><details open="open">
<summary>Status line and header section (230 bytes)</summary>
<pre><code>HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:4200
Vary: Origin
Content-Type: text/plain; charset=UTF-8
Content-Length: 96
Date: Thu, 28 May 2026 10:47:48 GMT
Connection: keep-alive
Keep-Alive: timeout=5
</code></pre>
</details> <details class="response-body" open="open">
<summary>Response body (96 bytes)</summary>
<pre><code>0{&quot;sid&quot;:&quot;Xorp3Pbs1alpY9B3AAGq&quot;,&quot;upgrades&quot;:[&quot;websocket&quot;],&quot;pingInterval&quot;:25000,&quot;pingTimeout&quot;:5000}</code></pre>
</details></td>
</tr>
<tr>
<th scope="row">Parameter</th>
<td><pre><code>Header User-Agent</code></pre></td>
</tr>
<tr>
<th scope="row">Attack</th>
<td><pre><code>Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)</code></pre></td>
</tr>
</table>
</details></li>
</ol>
</li>
</ol>
</li>
</ol>
</li>
</ol>
</section>
<section id="appendix" class="appendix">
<h2>Appendix</h2>
<section id="alert-types" class="alert-types">
<h3>Alert Types</h3>
<p class="alert-types-intro">This section contains additional information on the types of alerts in the report.</p>
<ol>
<li
id="alert-type-0">
<h4>SQL Injection</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by an active scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/40018/">SQL Injection</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">CWE ID</th>
<td><a
href="https://cwe.mitre.org/data/definitions/89.html">89</a></td>
</tr>
<tr>
<th scope="row">WASC ID</th>
<td>19</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-1">
<h4>Content Security Policy (CSP) Header Not Set</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/10038/">Content Security Policy (CSP) Header Not Set</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">CWE ID</th>
<td><a
href="https://cwe.mitre.org/data/definitions/693.html">693</a></td>
</tr>
<tr>
<th scope="row">WASC ID</th>
<td>15</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP">https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP</a></li>
<li><a
href="https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html</a></li>
<li><a
href="https://www.w3.org/TR/CSP/">https://www.w3.org/TR/CSP/</a></li>
<li><a
href="https://w3c.github.io/webappsec-csp/">https://w3c.github.io/webappsec-csp/</a></li>
<li><a
href="https://web.dev/articles/csp">https://web.dev/articles/csp</a></li>
<li><a
href="https://caniuse.com/#feat=contentsecuritypolicy">https://caniuse.com/#feat=contentsecuritypolicy</a></li>
<li><a
href="https://content-security-policy.com/">https://content-security-policy.com/</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-2">
<h4>Cross-Domain Misconfiguration</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/10098/">Cross-Domain Misconfiguration</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">CWE ID</th>
<td><a
href="https://cwe.mitre.org/data/definitions/264.html">264</a></td>
</tr>
<tr>
<th scope="row">WASC ID</th>
<td>14</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://vulncat.fortify.com/en/detail?category=HTML5&amp;subcategory=Overly%20Permissive%20CORS%20Policy">https://vulncat.fortify.com/en/detail?category=HTML5&amp;subcategory=Overly%20Permissive%20CORS%20Policy</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-3">
<h4>Missing Anti-clickjacking Header</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/10020/">Anti-clickjacking Header</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">CWE ID</th>
<td><a
href="https://cwe.mitre.org/data/definitions/1021.html">1021</a></td>
</tr>
<tr>
<th scope="row">WASC ID</th>
<td>15</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options">https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-4">
<h4>Session ID in URL Rewrite</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/3/">Session ID in URL Rewrite</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">CWE ID</th>
<td><a
href="https://cwe.mitre.org/data/definitions/598.html">598</a></td>
</tr>
<tr>
<th scope="row">WASC ID</th>
<td>13</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://seclists.org/webappsec/2002/q4/111">https://seclists.org/webappsec/2002/q4/111</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-5">
<h4>Private IP Disclosure</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/2/">Private IP Disclosure</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">CWE ID</th>
<td><a
href="https://cwe.mitre.org/data/definitions/497.html">497</a></td>
</tr>
<tr>
<th scope="row">WASC ID</th>
<td>13</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://datatracker.ietf.org/doc/html/rfc1918">https://datatracker.ietf.org/doc/html/rfc1918</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-6">
<h4>Timestamp Disclosure - Unix</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/10096/">Timestamp Disclosure</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">CWE ID</th>
<td><a
href="https://cwe.mitre.org/data/definitions/497.html">497</a></td>
</tr>
<tr>
<th scope="row">WASC ID</th>
<td>13</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://cwe.mitre.org/data/definitions/200.html">https://cwe.mitre.org/data/definitions/200.html</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-7">
<h4>X-Content-Type-Options Header Missing</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/10021/">X-Content-Type-Options Header Missing</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">CWE ID</th>
<td><a
href="https://cwe.mitre.org/data/definitions/693.html">693</a></td>
</tr>
<tr>
<th scope="row">WASC ID</th>
<td>15</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)">https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)</a></li>
<li><a
href="https://owasp.org/www-community/Security_Headers">https://owasp.org/www-community/Security_Headers</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-8">
<h4>Modern Web Application</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/10109/">Modern Web Application</a>)
</span>
</td>
</tr>
</table>
</li>
<li
id="alert-type-9">
<h4>Session Management Response Identified</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by a passive scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/10112/">Session Management Response Identified</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/">https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/</a></li>
</ol>
</td>
</tr>
</table>
</li>
<li
id="alert-type-10">
<h4>User Agent Fuzzer</h4>
<table class="alert-types-table">
<tr>
<th scope="row">Source</th>
<td>
<span>raised by an active scanner</span> <span>(<a
href="https://www.zaproxy.org/docs/alerts/10104/">User Agent Fuzzer</a>)
</span>
</td>
</tr>
<tr>
<th scope="row">Reference</th>
<td>
<ol>
<li><a
href="https://owasp.org/wstg">https://owasp.org/wstg</a></li>
</ol>
</td>
</tr>
</table>
</li>
</ol>
</section>
</section>
</main>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink