[Research][ASP.NET] OWASP Zed Attack Proxy (ZAP) 2.14.0 vulnerability scan trial
2023-11-21
Environment: Visual Studio 2022 + ASP.NET + WebForm + Web Application + C#
OWASP Zed Attack Proxy (ZAP) is a free black-box web vulnerability scanning tool.
********************************************************************************
Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs"
Inherits="WebApplication3.Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
Test
</div>
</form>
</body>
</html>
Default.aspx.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication3
{
    public partial class Default : System.Web.UI.Page
    {
        // Empty page-load handler generated by the Visual Studio WebForm template
        protected void Page_Load(object sender, EventArgs e)
        {
        }
    }
}
This is essentially the default WebForm code generated by the template.
********************************************************************************
Two scans were run; after each scan, ZAP was closed and restarted.
First scan: https://localhost
Second scan: https://xxx.xxx.xxx.xxx
********************************************************************************
Medium:
Absence of Anti-CSRF Tokens
Content Security Policy (CSP) Header Not Set
Missing Anti-clickjacking Header
Low:
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)
Server Leaks Version Information via "Server" HTTP Response Header Field
Strict-Transport-Security Header Not Set
X-AspNet-Version Response Header
X-Content-Type-Options Header Missing
Info:
Re-examine Cache-control Directives
User Agent Fuzzer
User Controllable HTML Element Attribute (Potential XSS)
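Most of the Medium and Low findings above come from response headers that the default ASP.NET WebForm project neither sets nor suppresses. The following Web.config fragment is an added example (not code from the original post or from the project above) showing the standard IIS/ASP.NET settings that address those header findings; the header values chosen here are assumptions for a site with no framing or cross-origin needs and should be adjusted per application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Finding: X-AspNet-Version Response Header.
         enableVersionHeader="false" stops ASP.NET from emitting X-AspNet-Version. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <security>
      <!-- Finding: Server Leaks Version Information via "Server" header.
           removeServerHeader requires IIS 10 or later; on older IIS the header
           must be cleared in code (e.g. an IHttpModule) or with URL Rewrite. -->
      <requestFiltering removeServerHeader="true" />
    </security>

    <httpProtocol>
      <customHeaders>
        <!-- Finding: Server Leaks Information via "X-Powered-By" -->
        <remove name="X-Powered-By" />

        <!-- Finding: Missing Anti-clickjacking Header -->
        <add name="X-Frame-Options" value="DENY" />

        <!-- Finding: X-Content-Type-Options Header Missing -->
        <add name="X-Content-Type-Options" value="nosniff" />

        <!-- Finding: Strict-Transport-Security Header Not Set.
             Only meaningful on HTTPS responses; max-age value is an assumption (1 year). -->
        <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains" />

        <!-- Finding: Content Security Policy (CSP) Header Not Set.
             frame-ancestors 'none' also covers clickjacking in CSP-aware browsers.
             WebForms postback controls emit inline scripts, so a page with such
             controls will need a nonce- or hash-based script-src (or a
             Content-Security-Policy-Report-Only roll-out) before this policy is enforced. -->
        <add name="Content-Security-Policy" value="default-src 'self'; frame-ancestors 'none'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

The remaining Medium finding, Absence of Anti-CSRF Tokens, is not a header issue: on WebForms the usual mitigation is to set Page.ViewStateUserKey (typically to the session ID) in Page_Init so that ViewState MAC validation doubles as a per-session CSRF token. After applying the configuration, re-run the ZAP scan the same way (restart ZAP between runs) and confirm that the header findings no longer appear.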
(End)
Related
[Research][ASP.NET] OWASP Zed Attack Proxy (ZAP) 2.14.0 vulnerability scan trial
https://shaurong.blogspot.com/2023/11/aspnetowasp-zed-attack-proxy-zap-2140.html
[Research] OWASP Zed Attack Proxy (ZAP) v2.7.0 black-box vulnerability scanner installation and trial
http://shaurong.blogspot.com/2018/06/owasp-zed-attack-proxy-zap-v270.html
[Research] OWASP WebGoat 8.0 installation
http://shaurong.blogspot.com/2018/06/owasp-webgoat-80.html
[Research] OWASP WebGoatFor.Net installation
http://shaurong.blogspot.com/2016/12/owasp-webgoatfornet.html
[Research] OWASP WebGoat 7.1 installation
http://shaurong.blogspot.com/2016/12/owasp-webgoat-71.html
[Research] OWASP Zed Attack Proxy (ZAP) 2.4.2 / 2.6.0 penetration testing and vulnerability scanning tool installation and trial
http://shaurong.blogspot.com/2015/10/owasp-zed-attack-proxy-zap-242.html