Contents
About this report
Report parameters
Contexts
No contexts were selected, so all contexts were included by default.
Sites
The following sites were included:
- http://localhost:8082
(If no sites were selected, all sites were included by default.)
An included site must also be within one of the included contexts for its data to be included in the report.
Risk levels
Included: High, Medium, Low, Informational
Excluded: None
Confidence levels
Included: User Confirmed, High, Medium, Low
Excluded: User Confirmed, High, Medium, Low, False Positive
Summaries
Alert counts by risk and confidence
| Risk \ Confidence | User Confirmed | High | Medium | Low | Total |
|---|---|---|---|---|---|
| High | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) |
| Medium | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) |
| Low | 0 (0,0%) | 0 (0,0%) | 1 (100,0%) | 0 (0,0%) | 1 (100,0%) |
| Informational | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) | 0 (0,0%) |
| Total | 0 (0,0%) | 0 (0,0%) | 1 (100,0%) | 0 (0,0%) | 1 (100%) |
Alert counts by site and risk
| Site | High (= High) | Medium (>= Medium) | Low (>= Low) | Informational (>= Informational) |
|---|---|---|---|---|
| http://localhost:8082 | 0 (0) | 0 (0) | 1 (1) | 0 (1) |
Alert counts by alert type
| Alert type | Risk | Count |
|---|---|---|
| X-Content-Type-Options Header Missing | Low | 1 (100,0%) |
| Total | 1 |
Alerts
- Risk=Low, Confidence=Medium (1)
  - http://localhost:8082 (1)
    - X-Content-Type-Options Header Missing (1)
GET http://localhost:8082/api/v1/products/category/LANCHE?page=0&size=10
Alert tags
Alert description: The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.
Other info: This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.
At "High" threshold this scan rule will not alert on client or server error responses.
Request
Request line and header section (311 bytes)
GET http://localhost:8082/api/v1/products/category/LANCHE?page=0&size=10 HTTP/1.1
User-Agent: PostmanRuntime/7.28.1
Accept: */*
Postman-Token: 00590b6f-ac34-499b-95c1-66d3cfcd856c
Connection: keep-alive
Referer: http://localhost:8082/api/v1/products/category/LANCHE?page=0&size=10
host: localhost:8082
Request body (0 bytes)
Response
Status line and header section (154 bytes)
HTTP/1.1 200
Content-Type: application/json
Date: Tue, 12 Mar 2024 01:11:02 GMT
Keep-Alive: timeout=60
Connection: keep-alive
content-length: 170
Response body (170 bytes)
{"code":200,"body":[{"sku":"65efab871c5ba5178ce3e871","title":"X salada","category":"LANCHE","description":"test","price":12.1,"image":"test"}],"hasNext":false,"total":1}
Parameter: x-content-type-options
Solution: Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Appendix
Alert types
This section contains additional information on the types of alerts in the report.
- X-Content-Type-Options Header Missing
  - Source: raised by a passive scanner (X-Content-Type-Options Header Missing)
  - CWE ID: 693
  - WASC ID: 15
  - Reference
ZAP