Feature/lab9

.github/pull_request_template.md

@@ -0,0 +1,6 @@
+## Goal
+## Changes
+## Testing
+- [ ] Clear, descriptive PR title
+- [ ] Documentation updated
+- [ ] No secrets committed

gen.conf

@@ -0,0 +1,70 @@
+# zap-baseline rule configuration file
+# Change WARN to IGNORE to ignore rule or FAIL to fail if rule matches
+# Only the rule identifiers are used - the names are just for info
+# You can add your own messages to each rule by appending them after a tab on each line.
+10003	WARN	(Vulnerable JS Library (Powered by Retire.js))
+10009	WARN	(In Page Banner Information Leak)
+10010	WARN	(Cookie No HttpOnly Flag)
+10011	WARN	(Cookie Without Secure Flag)
+10015	WARN	(Re-examine Cache-control Directives)
+10017	WARN	(Cross-Domain JavaScript Source File Inclusion)
+10019	WARN	(Content-Type Header Missing)
+10020	WARN	(Anti-clickjacking Header)
+10021	WARN	(X-Content-Type-Options Header Missing)
+10023	WARN	(Information Disclosure - Debug Error Messages)
+10024	WARN	(Information Disclosure - Sensitive Information in URL)
+10025	WARN	(Information Disclosure - Sensitive Information in HTTP Referrer Header)
+10026	WARN	(HTTP Parameter Override)
+10027	WARN	(Information Disclosure - Suspicious Comments)
+10028	WARN	(Off-site Redirect)
+10029	WARN	(Cookie Poisoning)
+10030	WARN	(User Controllable Charset)
+10031	WARN	(User Controllable HTML Element Attribute (Potential XSS))
+10032	WARN	(Viewstate)
+10033	WARN	(Directory Browsing)
+10034	WARN	(Heartbleed OpenSSL Vulnerability (Indicative))
+10035	WARN	(Strict-Transport-Security Header)
+10036	WARN	(HTTP Server Response Header)
+10037	WARN	(Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s))
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+10039	WARN	(X-Backend-Server Header Information Leak)
+10040	WARN	(Secure Pages Include Mixed Content)
+10041	WARN	(HTTP to HTTPS Insecure Transition in Form Post)
+10042	WARN	(HTTPS to HTTP Insecure Transition in Form Post)
+10043	WARN	(User Controllable JavaScript Event (XSS))
+10044	WARN	(Big Redirect Detected (Potential Sensitive Information Leak))
+10049	WARN	(Content Cacheability)
+10050	WARN	(Retrieved from Cache)
+10052	WARN	(X-ChromeLogger-Data (XCOLD) Header Information Leak)
+10054	WARN	(Cookie without SameSite Attribute)
+10055	WARN	(CSP)
+10056	WARN	(X-Debug-Token Information Leak)
+10057	WARN	(Username Hash Found)
+10061	WARN	(X-AspNet-Version Response Header)
+10062	WARN	(PII Disclosure)
+10063	WARN	(Permissions Policy Header Not Set)
+10096	WARN	(Timestamp Disclosure)
+10097	WARN	(Hash Disclosure)
+10098	WARN	(Cross-Domain Misconfiguration)
+10099	WARN	(Source Code Disclosure)
+10105	WARN	(Weak Authentication Method)
+10108	WARN	(Reverse Tabnabbing)
+10109	WARN	(Modern Web Application)
+10110	WARN	(Dangerous JS Functions)
+10111	WARN	(Authentication Request Identified)
+10112	WARN	(Session Management Response Identified)
+10113	WARN	(Verification Request Identified)
+10115	WARN	(Script Served From Malicious Domain (polyfill))
+10116	WARN	(ZAP is Out of Date)
+10202	WARN	(Absence of Anti-CSRF Tokens)
+2	WARN	(Private IP Disclosure)
+3	WARN	(Session ID in URL Rewrite)
+50001	WARN	(Script Passive Scan Rules)
+90001	WARN	(Insecure JSF ViewState)
+90002	WARN	(Java Serialization Object)
+90003	WARN	(Sub Resource Integrity Attribute Missing)
+90004	WARN	(Insufficient Site Isolation Against Spectre Vulnerability)
+90011	WARN	(Charset Mismatch)
+90022	WARN	(Application Error Disclosure)
+90030	WARN	(WSDL File Detection)
+90033	WARN	(Loosely Scoped Cookie)

labs/submission9.md

@@ -0,0 +1,140 @@
+### Task 1
+
+#### OWASP ZAP baseline scan
+
+```bash
+$ docker run -d --name juice-shop -p 3000:3000 bkimminich/juice-shop
+...
+
+$ docker run --rm -u zap -v $(pwd):/zap/wrk:rw \
+  -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
+  -t http://host.docker.internal:3000 \
+  -g gen.conf \
+  -r zap-report.html
+Total of 123 URLs
+...
+FAIL-NEW: 0     FAIL-INPROG: 0  WARN-NEW: 6     WARN-INPROG: 0  INFO: 0 IGNORE: 0       PASS: 60
+```
+
+Generated report overview:
+
+![zap report](assets/zap-report.png)
+
+#### Findings
+
+- Number of Medium risk vulnerabilities found: `2`
+- Total warning-level findings in baseline output: `6`
+
+The 2 most interesting Medium findings were:
+
+1. **Content Security Policy (CSP) Header Not Set**
+   - The report marks this as `Medium`.
+   - Without CSP, the browser has fewer restrictions on which scripts and resources can be loaded.
+   - This can make XSS-style attacks easier.
+
+2. **Cross-Domain Misconfiguration**
+   - The report marks this as `Medium`.
+   - Cross-origin settings may be too permissive.
+   - This can expose resources to unintended origins.
+
+#### Security headers status
+
+From the report:
+
+- Missing / invalid:
+  - `Content-Security-Policy`
+  - `Cross-Origin-Embedder-Policy`
+  - `Cross-Origin-Opener-Policy`
+- Not raised as problems by the baseline scan:
+  - anti-clickjacking header
+  - `X-Content-Type-Options`
+
+These headers matter because they help browsers enforce safer behavior and reduce the impact of script injection, MIME confusion, and cross-origin abuse.
+
+#### Analysis
+
+The most common web application issues are usually weak browser-side protections, missing security headers, unsafe JavaScript behavior, information disclosure, and cross-origin misconfigurations. Even when there is no direct exploit shown by the baseline scan, these weaknesses make the application easier to attack.
+
+#### Cleanup
+
+```bash
+$ docker stop juice-shop && docker rm juice-shop
+juice-shop
+juice-shop
+```
+
+### Task 2
+
+#### Trivy scan summary
+
+From the Trivy output:
+
+- Total `CRITICAL` vulnerabilities: `19`
+- Total `HIGH` vulnerabilities: `46`
+
+Summary shown by Trivy:
+
+```text
+Node.js (node-pkg)
+==================
+Total: 65 (HIGH: 46, CRITICAL: 19)
+```
+
+#### Vulnerable packages
+
+Two example vulnerable packages from the scan:
+
+1. `crypto-js`
+   - `CVE-2023-46233`
+   - Severity: `CRITICAL`
+   - Title: `PBKDF2 1,000 times weaker than specified`
+
+2. `jsonwebtoken`
+   - `CVE-2015-9235`
+   - Severity: `CRITICAL`
+   - Title: `verification step bypass with an altered token`
+
+Other vulnerable packages also appeared in the report, for example:
+- `lodash`
+- `marsdb`
+- `tar`
+- `vm2`
+- `ws`
+
+#### Most common vulnerability type
+
+The most common issue type was vulnerable or outdated third-party Node.js dependencies. A lot of findings were related to:
+- denial of service
+- sandbox escape / arbitrary code execution
+- verification / authentication bypass
+- prototype pollution
+
+#### Additional findings
+
+Trivy also detected secret material in the image:
+
+```text
+/juice-shop/build/lib/insecurity.js  -> AsymmetricPrivateKey
+/juice-shop/lib/insecurity.ts        -> AsymmetricPrivateKey
+```
+
+#### Analysis
+
+Container image scanning is important before production because vulnerabilities are often already present in the base image or bundled dependencies before the application even starts. If these issues are not found early, they can be deployed directly into production environments.
+
+#### Reflection
+
+I would integrate these scans into CI/CD by running:
+- ZAP baseline scans against preview or test deployments
+- Trivy image scans right after the image build step
+
+I would fail the pipeline on critical findings, store reports as CI artifacts, and require remediation before deployment to production.
+
+#### Cleanup
+
+```bash
+$ docker rmi bkimminich/juice-shop
+Untagged: bkimminich/juice-shop:latest
+Deleted: sha256:a8139c141311c7f31fcf2e611125246928f703ee42827de33983fd9425d1b2f6
+```
+