ZAP Scanning Report

Summary of Alerts

Risk Level       Number of Alerts
High             0
Medium           2
Low              4
Informational    2

Alert Detail (each heading gives the risk level, then ZAP's confidence in parentheses, then the alert name; Source ID 1 is the active scanner, 3 the passive scanner)

Medium (Medium) - Directory Browsing
Description

It is possible to view the directory listing. A directory listing may reveal hidden scripts, include files, backup source files, etc., which can then be fetched to read sensitive information. In this scan the listing is exposed under /js/, /css/ and /font-awesome/, including the application's own controller directory (/js/controller/ and /js/controller/dashboard/), not only third-party plugin folders.

URL: https://space-dev.sbm.itb.ac.id/js/angular-translate/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/pace/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/toastr/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/moment/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jszip/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/angular-google-chart/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jquery-scroll/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/css/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jasny/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/lightbox/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/css/plugins/jquery-scroll/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/font-awesome/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/angular-chartjs/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jquery-ui/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/controller/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/controller/dashboard/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/font-awesome/css/
Method: GET
Attack: Parent Directory
URL: https://space-dev.sbm.itb.ac.id/js/plugins/angular-idle/
Method: GET
Attack: Parent Directory
Instances: 36 (first 20 listed above)
Solution

Disable directory browsing. If it is genuinely required, make sure the listed files do not introduce risk. On Apache this means removing Indexes from the Options directive for the document root (Options -Indexes); on nginx, autoindex must stay off (its default). The "Parent Directory" value in the Attack column is the evidence the scanner matched: it is the link text that Apache's mod_autoindex (and most other auto-index modules) emits at the top of a listing.

Reference

http://httpd.apache.org/docs/mod/core.html#options

http://alamo.satlug.org/pipermail/satlug/2002-February/000053.html

CWE Id: 548
WASC Id: 48
Source ID: 1 (active scan)
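The following is an added example, not part of the ZAP report or of the scanned site's code. It detects a directory listing on the same evidence the rule above reports (an "Index of" title or a "Parent Directory" link, both emitted by Apache's mod_autoindex), enumerates the listed entries, and flags the backup, include and metadata names the alert text warns about. The listing body is constructed for the example; its path and file names are hypothetical and were not observed on the scanned host.

```python
"""Added example: detect a directory listing and triage its entries."""
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Name patterns the alert text warns about: backups, include files,
# editor leftovers, archives, dumps and server/VCS metadata.
RISKY_SUFFIXES = (".bak", ".old", ".orig", ".swp", ".inc", ".sql", ".zip", ".tar.gz", "~")
RISKY_NAMES = (".git", ".svn", ".env", ".htpasswd", ".htaccess", "web.config")


class _ListingParser(HTMLParser):
    """Collect the <title> text and every <a href> with its link text."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.links: List[Tuple[str, str]] = []
        self._in_title = False
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_endtag(self, tag: str) -> None:
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

    def handle_data(self, data: str) -> None:
        if self._in_title:
            self.title += data
        elif self._href is not None:
            self._text.append(data)


def _parse(body: str) -> _ListingParser:
    parser = _ListingParser()
    parser.feed(body)
    parser.close()
    return parser


def is_directory_listing(body: str) -> bool:
    """Same evidence the scanner reported: an 'Index of' title or a
    'Parent Directory' link (what mod_autoindex emits)."""
    parsed = _parse(body)
    return parsed.title.strip().startswith("Index of") or any(
        text == "Parent Directory" for _, text in parsed.links
    )


def listing_entries(body: str) -> List[str]:
    """Entry names in the listing, without the parent link and without the
    column-sort links ('?C=N;O=D') that autoindex adds to the header row."""
    entries: List[str] = []
    for href, text in _parse(body).links:
        if text == "Parent Directory" or href.startswith(("?", "/", "http")):
            continue
        entries.append(href)
    return entries


def risky_entries(body: str) -> List[str]:
    """Entries whose name suggests backup, include or secret material."""
    flagged: List[str] = []
    for name in listing_entries(body):
        lowered = name.lower().rstrip("/")
        if lowered.endswith(RISKY_SUFFIXES) or lowered in RISKY_NAMES:
            flagged.append(name)
    return flagged


# Constructed Apache-style listing; the path and file names are hypothetical.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /example/scripts</title></head>
<body><h1>Index of /example/scripts</h1>
<ul><li><a href="/example/"> Parent Directory</a></li>
<li><a href="vendor/"> vendor/</a></li>
<li><a href="app.js"> app.js</a></li>
<li><a href="app.js.bak"> app.js.bak</a></li>
<li><a href="db-config.inc"> db-config.inc</a></li>
</ul></body></html>
"""

# Constructed ordinary page for the negative case.
NOT_A_LISTING = '<html><head><title>Login</title></head><body><a href="/">Home</a></body></html>'

if __name__ == "__main__":
    print(is_directory_listing(SAMPLE_LISTING), listing_entries(SAMPLE_LISTING))
    print("worth a look:", risky_entries(SAMPLE_LISTING))
```

Run this over the body of each GET in the instance list to turn the 36 findings into a concrete inventory; anything risky_entries returns should be fetched and reviewed before the listing is switched off, since the files stay reachable by direct URL afterwards.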
Medium (Medium) - X-Frame-Options Header Not Set
Description

The X-Frame-Options header is not included in the HTTP response, so nothing tells the browser to refuse framing of the page, which is what clickjacking attacks rely on. The two instances below are the same landing page, requested with and without the trailing slash.

URL: https://space-dev.sbm.itb.ac.id/
Method: GET
Parameter: X-Frame-Options
URL: https://space-dev.sbm.itb.ac.id
Method: GET
Parameter: X-Frame-Options
Instances: 2
Solution

Most modern web browsers support the X-Frame-Options HTTP header. Ensure it is set on every page returned by the site: use SAMEORIGIN if the page is meant to be framed only by pages on the same origin (for example, as part of a FRAMESET), and DENY if it should never be framed. The ALLOW-FROM variant mentioned in older guidance was never widely supported and is ignored by current browsers; to allow specific third-party framing, use the Content-Security-Policy frame-ancestors directive instead, which also takes precedence over X-Frame-Options wherever both are present. The scripts listed elsewhere in this report (angular.min.js, angular-ui-router, app.js) indicate a single-page application, so one header on the landing page covers the UI, but any API response that renders HTML, error pages included, needs it as well.

Reference

http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

CWE Id: 16
WASC Id: 15
Source ID: 3 (passive scan)
Low (Medium) - X-Content-Type-Options Header Missing
Description

The anti-MIME-sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing. That browser note dates the scanner's text: every mainstream browser now honours nosniff, and with it set a browser also refuses to execute a script or apply a stylesheet whose Content-Type is not a JavaScript or CSS type. Every instance below is a static script or stylesheet, so the header is only useful here together with a correct Content-Type on each file.

URL: https://space-dev.sbm.itb.ac.id/js/angular/angular-messages.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/angular/angular.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/pace/pace.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/origin/datatables.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/sweetalert/angular-sweetalert.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/origin/buttons.flash.min.js
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/sweetalert/sweetalert.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/metisMenu/jquery.metisMenu.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/angular-datatables.buttons.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/css/custom.css?v=1572
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jquery-ui/jquery-ui.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/origin/datatables.buttons.min.js
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/controller/dashboard/dashboardCtrl.js?v=20941017713
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/bootstrap/bootstrap.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/angular/angular-cookies.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/origin/datatables.fixedcolumn.min.js?v=1562
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/css/plugins/dataTables/responsive.datatables.css
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/globalConst.js?v=20941017713
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/controllers.js?v=20941017713
Method: GET
Parameter: X-Content-Type-Options
URL: https://space-dev.sbm.itb.ac.id/js/controller/loginCtrl.js?v=20941017713
Method: GET
Parameter: X-Content-Type-Options
Instances: 76 (first 20 listed above)
Solution

Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' on every response. Setting it once at the web-server level (for all locations, static files included) is simpler and safer than per-page handling.

If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server not to perform MIME-sniffing.

Other information

This issue still applies to error-type pages (401, 403, 500, etc.), as those pages are often still affected by injection issues, in which case there is still concern about browsers sniffing pages away from their actual content type.

At "High" threshold this scanner will not alert on client or server error responses.

Reference

http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx

https://www.owasp.org/index.php/List_of_useful_HTTP_headers

CWE Id: 16
WASC Id: 15
Source ID: 3 (passive scan)
Low (Medium) - Incomplete or No Cache-control and Pragma HTTP Header Set
Description

The Cache-Control and Pragma HTTP headers are either missing or not set strictly, so browsers and intermediary proxies may cache the content. Sixteen of the eighteen instances below are static stylesheets, several of them versioned with a ?v= query string; caching those is intended, and the no-store recommendation in the Solution is aimed at responses that carry session-specific or otherwise sensitive data. The two instances that deserve attention are the landing page itself (the root URL with and without the trailing slash).

URL: https://space-dev.sbm.itb.ac.id/css/plugins/dataTables/buttons.bootstrap.min.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/font-awesome/css/font-awesome.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/custom-bg1.css?v=1572
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/custom-bg3.css?v=1572
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/bootstrap.min.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/style.css?v=1572
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/custom.css?v=1572
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/animate.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/plugins/sweetalert/sweetalert.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/plugins/lightbox/angular-bootstrap-lightbox.min.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/plugins/dataTables/datatables.min.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/plugins/dataTables/datatables.fixedcolumns.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/plugins/toastr/toastr.min.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/plugins/jquery-scroll/jquery.scrollbar.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/plugins/dataTables/responsive.datatables.css
Method: GET
Parameter: Cache-Control
URL: https://space-dev.sbm.itb.ac.id/css/select.css
Method: GET
Parameter: Cache-Control
Instances: 18
Solution

Whenever possible, ensure that the Cache-Control HTTP header is set to no-cache, no-store, must-revalidate, and that the Pragma HTTP header is set to no-cache (Pragma only matters to HTTP/1.0 caches; Cache-Control governs HTTP/1.1 and later). Apply this to the landing page, to authenticated HTML and to API responses that return user data. For the versioned static assets above, an explicit long max-age (with immutable where supported) is the correct setting, and it also makes the alert go away because the header is then present and deliberate.

Reference

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Web_Content_Caching

CWE Id: 525
WASC Id: 13
Source ID: 3 (passive scan)
Low (Medium) - Web Browser XSS Protection Not Enabled
Description

Web browser XSS protection is not enabled, or has been disabled, by the configuration of the 'X-XSS-Protection' HTTP response header on the web server.

URL: https://space-dev.sbm.itb.ac.id/
Method: GET
Parameter: X-XSS-Protection
URL: https://space-dev.sbm.itb.ac.id/robots.txt
Method: GET
Parameter: X-XSS-Protection
URL: https://space-dev.sbm.itb.ac.id/sitemap.xml
Method: GET
Parameter: X-XSS-Protection
URL: https://space-dev.sbm.itb.ac.id
Method: GET
Parameter: X-XSS-Protection
Instances: 4
Solution

The scanner's text recommends enabling the browser's XSS filter by setting the X-XSS-Protection HTTP response header to '1'. That recommendation is dated: the XSS Auditor behind this header was removed from Chromium in Chrome 78 (and therefore from Chromium-based Edge), Firefox never implemented it, and the filter in its default non-blocking mode could itself be abused to selectively disable scripts on a page. Current OWASP guidance is to send X-XSS-Protection: 0 and to rely on output encoding plus a Content-Security-Policy. Treat this alert as informational and do not spend effort on it beyond setting the header to 0 consistently.

Other information

The X-XSS-Protection HTTP response header allows the web server to enable or disable the web browser's XSS protection mechanism. The following values would attempt to enable it:

X-XSS-Protection: 1; mode=block

X-XSS-Protection: 1; report=http://www.example.com/xss

The following value would disable it:

X-XSS-Protection: 0

At the time the scanner text was written, the X-XSS-Protection header was supported by Internet Explorer, Chrome and Safari (WebKit).

Note that this alert is only raised if the response body could potentially contain an XSS payload (a text-based content type with a non-zero length).

Reference

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

https://www.veracode.com/blog/2014/03/guidelines-for-setting-security-headers/

CWE Id: 933
WASC Id: 14
Source ID: 3 (passive scan)
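The four header alerts above (X-Frame-Options, X-Content-Type-Options, Cache-Control/Pragma and X-XSS-Protection) are all decided from the response head alone, so the same checks can run in CI without ZAP. The block below is an added example, not ZAP's code and not the site's: it parses a raw HTTP response head and returns the alert names from this report that apply. The two sample responses are constructed for the example and are not captures from the scanned host; which headers the real server sends is not recorded here beyond the alerts themselves.

```python
"""Added example: reproduce the header checks behind the ZAP alerts above."""
from typing import Dict, List

# Alert names exactly as ZAP reports them in this document.
XFO_MISSING = "X-Frame-Options Header Not Set"
XCTO_MISSING = "X-Content-Type-Options Header Missing"
CACHE_WEAK = "Incomplete or No Cache-control and Pragma HTTP Header Set"
XXP_MISSING = "Web Browser XSS Protection Not Enabled"


def parse_head(raw: str) -> Dict[str, str]:
    """Parse an HTTP/1.x response head into a dict with lower-cased names.

    Repeated headers are folded into one comma-separated value, which is
    how HTTP treats list-valued headers such as Cache-Control.
    """
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the head
            break
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_headers(raw: str, dynamic: bool = True, legacy_xss_rule: bool = False) -> List[str]:
    """Return the ZAP alert names that apply to this response head.

    dynamic=False marks a static asset (CSS/JS), for which strict no-store
    caching is not wanted, so the cache alert is skipped.
    legacy_xss_rule=True reproduces ZAP's X-XSS-Protection rule; current
    browsers have dropped that filter, so the rule is off by default.
    """
    h = parse_head(raw)
    findings: List[str] = []

    # Clickjacking: a CSP frame-ancestors directive supersedes X-Frame-Options,
    # so either one satisfies the check.
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(XFO_MISSING)

    # MIME sniffing: the only valid value is the literal token "nosniff".
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(XCTO_MISSING)

    # Caching: the report's Solution asks for all three directives plus Pragma.
    if dynamic:
        cc = {d.strip().lower() for d in h.get("cache-control", "").split(",") if d.strip()}
        pragma = h.get("pragma", "").strip().lower()
        if not {"no-cache", "no-store", "must-revalidate"} <= cc or pragma != "no-cache":
            findings.append(CACHE_WEAK)

    # ZAP's legacy rule: anything other than a value starting with "1" is a finding.
    if legacy_xss_rule and not h.get("x-xss-protection", "").strip().startswith("1"):
        findings.append(XXP_MISSING)

    return findings


# Constructed to resemble what the alerts above imply: no security headers.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1234
"""

# Constructed hardened head. X-XSS-Protection is deliberately 0: the browser
# filter is retired and the CSP carries the protection instead.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'; default-src 'self'
X-Content-Type-Options: nosniff
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
X-XSS-Protection: 0
"""

if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(raw, legacy_xss_rule=True) or "no findings")
```

Note that the hardened response still trips the legacy X-XSS-Protection rule when that rule is switched on; that is the scanner disagreeing with current practice, not a defect in the headers, which is why the rule is opt-in here.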
Low (Medium) - Cross-Domain JavaScript Source File Inclusion
Description

The page includes one or more script files from a third-party domain. Here two libraries are loaded from public CDNs: angular-ui-router 0.4.2 from unpkg.com (through a protocol-relative //unpkg.com URL) and angular-material 1.1.0 from ajax.googleapis.com. A compromise of, or a mistake at, either host runs code inside this origin with full access to the application's DOM, its JavaScript-visible cookies and its Angular session state. The four instances are the two script tags, each reported for the landing page with and without the trailing slash.

URL: https://space-dev.sbm.itb.ac.id/
Method: GET
Parameter: //unpkg.com/angular-ui-router@0.4.2/release/angular-ui-router.js
Evidence: <script src="//unpkg.com/angular-ui-router@0.4.2/release/angular-ui-router.js"></script>
URL: https://space-dev.sbm.itb.ac.id/
Method: GET
Parameter: https://ajax.googleapis.com/ajax/libs/angular_material/1.1.0/angular-material.min.js
Evidence: <script src="https://ajax.googleapis.com/ajax/libs/angular_material/1.1.0/angular-material.min.js"></script>
URL: https://space-dev.sbm.itb.ac.id
Method: GET
Parameter: https://ajax.googleapis.com/ajax/libs/angular_material/1.1.0/angular-material.min.js
Evidence: <script src="https://ajax.googleapis.com/ajax/libs/angular_material/1.1.0/angular-material.min.js"></script>
URL: https://space-dev.sbm.itb.ac.id
Method: GET
Parameter: //unpkg.com/angular-ui-router@0.4.2/release/angular-ui-router.js
Evidence: <script src="//unpkg.com/angular-ui-router@0.4.2/release/angular-ui-router.js"></script>
Instances: 4
Solution

Ensure JavaScript source files are loaded only from trusted sources that end users cannot influence. Where a third-party CDN is kept, pin the exact version (both tags already do) and add a Subresource Integrity hash together with crossorigin="anonymous", so that the browser refuses a file whose content has changed; the alternative is to self-host the two libraries alongside the rest of /js/, which this site already does for every other script. The protocol-relative //unpkg.com form should also be written out as https://.

CWE Id: 829
WASC Id: 15
Source ID: 3 (passive scan)
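To act on this alert you need two things: a list of the cross-origin script tags that carry no integrity attribute, and the integrity value to add once a library is pinned. The block below is an added example, not ZAP's code and not the site's. The HTML fragment is constructed around the two script tags quoted in the evidence above; the cdn.example tag, its placeholder hash and the script body hashed at the end are stand-ins, not real resources.

```python
"""Added example: find cross-origin scripts without SRI, compute SRI values."""
import base64
import hashlib
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit


class _ScriptTags(HTMLParser):
    """Collect the attributes of every <script> that has a src."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            # A valueless attribute (bare 'crossorigin') arrives as None.
            a = {k: (v if v is not None else "") for k, v in attrs}
            if a.get("src"):
                self.scripts.append(a)


def is_cross_origin(src: str, page_url: str) -> bool:
    """A protocol-relative '//unpkg.com/...' src names a host just as a
    full URL does; a path-only src ('/js/...') is same-origin."""
    host = urlsplit(src).netloc.lower()
    return bool(host) and host != urlsplit(page_url).netloc.lower()


def unprotected_cross_origin_scripts(html: str, page_url: str) -> List[str]:
    """Cross-origin scripts lacking integrity= and crossorigin= (both are
    needed: without crossorigin the browser cannot check the hash)."""
    parser = _ScriptTags()
    parser.feed(html)
    return [
        a["src"]
        for a in parser.scripts
        if is_cross_origin(a["src"], page_url)
        and not (a.get("integrity") and "crossorigin" in a)
    ]


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """integrity attribute value: '<alg>-<base64 of the raw digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Accept the body if any token in the integrity value matches it.
    (Simplification of the browser rule, which prefers the strongest
    algorithm listed when several are given.)"""
    for token in integrity.split():
        alg, _, _ = token.partition("-")
        if alg in ("sha256", "sha384", "sha512") and sri_hash(body, alg) == token:
            return True
    return False


PAGE_URL = "https://space-dev.sbm.itb.ac.id/"

# Constructed fragment: the first two tags are the ones quoted in the
# evidence above; the third is same-origin; the fourth shows the protected
# form (cdn.example and its hash value are placeholders).
SAMPLE_HTML = """<html><head>
<script src="//unpkg.com/angular-ui-router@0.4.2/release/angular-ui-router.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/angular_material/1.1.0/angular-material.min.js"></script>
<script src="/js/angular/angular.min.js?v=1562"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head></html>
"""

if __name__ == "__main__":
    for src in unprotected_cross_origin_scripts(SAMPLE_HTML, PAGE_URL):
        print("no SRI:", src)
    body = b"console.log('constructed stand-in script body');"  # constructed
    print(sri_hash(body))
```

Compute the hash from the exact bytes the CDN serves for the pinned version (fetch them once, over HTTPS, and keep the file as the record); if the CDN ever serves different bytes the browser blocks the script rather than running it, which is the failure mode you want.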
Informational (Medium) - Information Disclosure - Suspicious Comments
Description

The response appears to contain suspicious comments which may help an attacker. This passive rule matches a keyword list (it includes words such as ADMIN and USER as well as TODO and FIXME) anywhere in script responses, so most of the 36 hits in minified third-party libraries are noise. The two lines quoted under Other information are application code rather than comments, and they are the ones worth reading: they show a role check performed in the browser ($rootScope.role) and the path of an administrative data endpoint (qualifications/datatables/admin). Client-side checks like this are a UI convenience only; the server must enforce authorization for that endpoint independently, which is something to verify rather than something this scan proves either way.

URL: https://space-dev.sbm.itb.ac.id/js/tableFactory.js?v=20941017713
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jszip/jszip.min.js
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jquery-ui/jquery-ui.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/config.js?v=20941017713
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/origin/datatables.fixedcolumn.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/angular/angular-aria.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/origin/datatables.responsive.js
Method: GET
URL: https://space-dev.sbm.itb.ac.id
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/origin/datatables.columnfilter.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/dataTables/v0.6/origin/datatables.lightcolumnfilter.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/angular-chartjs/Chart.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/translations.js?v=20941017713
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/moment/moment.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/angular/angular-sanitize.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jasny/jasny-bootstrap.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/angular/angular-animate.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/angular-google-chart/ng-google-chart.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/plugins/oclazyload/dist/ocLazyLoad.min.js?v=1562
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/app.js?v=20941017713
Method: GET
URL: https://space-dev.sbm.itb.ac.id/js/controller/loginCtrl.js?v=20941017713
Method: GET
Instances: 36 (first 20 listed above)
Solution

Remove all comments that return information that may help an attacker, and fix any underlying problems they refer to. For the application's own scripts (app.js, config.js, tableFactory.js, the controller files), review the matched lines by hand; the third-party minified libraries can be ignored.

Other information

var url = baseURL + 'qualifications/datatables/admin?category=' + category;

if ($rootScope.role == 'Research Group Administrator') {

CWE Id: 200
WASC Id: 13
Source ID: 3 (passive scan)
Informational (Low) - Timestamp Disclosure - Unix
Description

A timestamp was disclosed by the application/web server - Unix. The rule flags any 8- to 10-digit number in a response. None of the values below is a plausible epoch: 00000000, 11111111, 22222222 and 33333333 are fill or mask values, 42857143, 66666667 and 428571429 are the digits of fractional percentages as written in stylesheets (3/7, 2/3), 86400000 is the number of milliseconds in a day and 20971520 is 20 MiB. All of them are numeric literals in minified third-party code and CSS, not dates. Confidence is Low for a reason; this alert can be closed as a false positive.

URL: https://space-dev.sbm.itb.ac.id/css/bootstrap.min.css
Method: GET
Evidence: 00000000
URL: https://space-dev.sbm.itb.ac.id/js/bootstrap/ui-bootstrap-tpls-1.1.2.min.js?v=1562
Method: GET
Evidence: 22222222
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jszip/jszip.min.js
Method: GET
Evidence: 20971520
URL: https://space-dev.sbm.itb.ac.id/js/plugins/jquery-ui/jquery-ui.min.js?v=1562
Method: GET
Evidence: 0123456789
URL: https://space-dev.sbm.itb.ac.id/css/bootstrap.min.css
Method: GET
Evidence: 42857143
URL: https://space-dev.sbm.itb.ac.id/js/plugins/angular-google-chart/ng-google-chart.js?v=1562
Method: GET
Evidence: 20125572
URL: https://space-dev.sbm.itb.ac.id/css/bootstrap.min.css
Method: GET
Evidence: 33333333
URL: https://space-dev.sbm.itb.ac.id/js/bootstrap/ui-bootstrap-tpls-1.1.2.min.js?v=1562
Method: GET
Evidence: 86400000
URL: https://space-dev.sbm.itb.ac.id/js/angular/angular.min.js?v=1562
Method: GET
Evidence: 56613888
URL: https://space-dev.sbm.itb.ac.id/js/bootstrap/ui-bootstrap-tpls-1.1.2.min.js?v=1562
Method: GET
Evidence: 11111111
URL: https://space-dev.sbm.itb.ac.id/css/bootstrap.min.css
Method: GET
Evidence: 66666667
URL: https://space-dev.sbm.itb.ac.id/css/bootstrap.min.css
Method: GET
Evidence: 80000000
URL: https://space-dev.sbm.itb.ac.id/css/select.css
Method: GET
Evidence: 19227496
URL: https://space-dev.sbm.itb.ac.id/css/style.css?v=1572
Method: GET
Evidence: 428571429
URL: https://space-dev.sbm.itb.ac.id/css/select.css
Method: GET
Evidence: 42857143
Instances: 15
Solution

Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.

Other information

00000000, which evaluates to: 1970-01-01 07:00:00 (epoch zero rendered in the scanner's local time zone, UTC+7; in UTC it is 1970-01-01 00:00:00)

Reference

https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure

http://projects.webappsec.org/w/page/13246936/Information%20Leakage

CWE Id: 200
WASC Id: 13
Source ID: 3 (passive scan)
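The quickest way to dispose of a Timestamp Disclosure alert is to ask whether each value could be an epoch from the application's lifetime at all. The block below is an added example, not ZAP's code: it applies that test to the 15 evidence values reported above, after two cheap filters for repeated-digit fills and leading zeros. The plausibility window (2000 to 2030) is an assumption chosen for the example; adjust it to the system's real age.

```python
"""Added example: triage 'Unix timestamp' evidence by plausibility."""
from datetime import datetime, timezone
from typing import List, Tuple

# The evidence strings exactly as reported in the alert above.
EVIDENCE = [
    "00000000", "22222222", "20971520", "0123456789", "42857143",
    "20125572", "33333333", "86400000", "56613888", "11111111",
    "66666667", "80000000", "19227496", "428571429", "42857143",
]

# Assumed window: anything outside it is a numeric literal, not a timestamp.
PLAUSIBLE_FROM = datetime(2000, 1, 1, tzinfo=timezone.utc)
PLAUSIBLE_TO = datetime(2030, 1, 1, tzinfo=timezone.utc)


def as_epoch(value: str) -> datetime:
    """Interpret a digit string as seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def looks_like_epoch(value: str) -> bool:
    """Cheap filters first, then the date window."""
    if not value.isdigit():
        return False
    if len(set(value)) == 1:        # 00000000, 11111111: fill or mask values
        return False
    if value.startswith("0"):        # leading zero: a digit string, not a number
        return False
    return PLAUSIBLE_FROM <= as_epoch(value) < PLAUSIBLE_TO


def triage(values: List[str]) -> List[Tuple[str, str]]:
    """Keep only the values that could be real timestamps, with their date."""
    return [(v, as_epoch(v).strftime("%Y-%m-%d")) for v in values if looks_like_epoch(v)]


def explain(value: str) -> str:
    """The scanner's 'evaluates to' line, but in UTC rather than local time."""
    return f"{value} -> {as_epoch(value).strftime('%Y-%m-%d %H:%M:%S')} UTC"


if __name__ == "__main__":
    print(triage(EVIDENCE) or "no plausible timestamps among the evidence")
    print(explain("00000000"))
    print("86400000 seconds is 1000 days:", explain("86400000"))
```

Every 8-digit number is below 100,000,000 and therefore a date before March 1973, so the window alone clears 13 of the 15 values; the remaining two (0123456789, 428571429) fall to the leading-zero filter and to the window respectively. A value that survives this triage is the one to trace back to its source file.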