ZAP by Checkmarx Scanning Report

Generated with ZAP on Sat. 5 July 2025, at 09:53:39

ZAP Version: 2.16.1

About This Report

Report Parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

  • https://www.aegilock.de

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: User Confirmed, High, Medium, Low, False Positive

Summaries

Alert Counts by Risk and Confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

                 Confidence
Risk             User Confirmed   High         Medium       Low          Total
High             0 (0,0 %)        0 (0,0 %)    0 (0,0 %)    0 (0,0 %)    0 (0,0 %)
Medium           0 (0,0 %)        4 (66,7 %)   0 (0,0 %)    0 (0,0 %)    4 (66,7 %)
Low              0 (0,0 %)        0 (0,0 %)    0 (0,0 %)    0 (0,0 %)    0 (0,0 %)
Informational    0 (0,0 %)        0 (0,0 %)    1 (16,7 %)   1 (16,7 %)   2 (33,3 %)
Total            0 (0,0 %)        4 (66,7 %)   1 (16,7 %)   1 (16,7 %)   6 (100 %)

Alert Counts by Site and Risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

                           Risk
Site                       High (= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
https://www.aegilock.de    0 (0)           4 (4)                0 (4)          2 (6)

Alert Counts by Alert Type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

Alert type                                           Risk            Count
CSP: Failure to Define Directive with No Fallback    Medium          12 (200,0 %)
CSP: Wildcard Directive                              Medium          9 (150,0 %)
CSP: script-src unsafe-inline                        Medium          9 (150,0 %)
CSP: style-src unsafe-inline                         Medium          9 (150,0 %)
Re-examine Cache-control Directives                  Informational   5 (83,3 %)
User Agent Fuzzer                                    Informational   8 (133,3 %)
Total                                                                6

Alerts

  1. Risk=Medium, Confidence=High (4)

    1. https://www.aegilock.de (4)

      1. CSP: Failure to Define Directive with No Fallback (1)
        1. GET https://www.aegilock.de/internal
          Alert tags
          Alert description

          The Content Security Policy fails to define one of the directives that has no fallback. Missing/excluding them is the same as allowing anything.

          Other info

          The directive(s) frame-ancestors, form-action is/are among the directives that do not fall back to default-src.

          Request
          Request line and header section (285 bytes)
          GET https://www.aegilock.de/internal HTTP/1.1
          host: www.aegilock.de
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          referer: https://www.aegilock.de/robots.txt
          
          
          Request body (0 bytes)
          Response
          Status line and header section (411 bytes)
          HTTP/1.1 404 Not Found
          Date: Sat, 05 Jul 2025 07:48:15 GMT
          Content-Type: text/html; charset=utf-8
          Content-Length: 147
          Connection: keep-alive
          Content-Security-Policy: default-src 'none'
          X-Content-Type-Options: nosniff
          Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self';
          X-Content-Type-Options: nosniff
          
          
          Response body (147 bytes)
          <!DOCTYPE html>
          <html lang="en">
          <head>
          <meta charset="utf-8">
          <title>Error</title>
          </head>
          <body>
          <pre>Cannot GET /internal</pre>
          </body>
          </html>
          
          Parameter
          Content-Security-Policy
          Evidence
          default-src 'none'
          Solution

          Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

      2. CSP: Wildcard Directive (1)
        1. GET https://www.aegilock.de/sitemap.xml
          Alert tags
          Alert description

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          Other info

          The following directives either allow wildcard sources (or ancestors), are not defined, or are overly broadly defined:

          script-src, style-src, img-src, connect-src, frame-src, font-src, media-src, object-src, manifest-src, worker-src

          Request
          Request line and header section (243 bytes)
          GET https://www.aegilock.de/sitemap.xml HTTP/1.1
          host: www.aegilock.de
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (372 bytes)
          HTTP/1.1 403 Forbidden
          Date: Sat, 05 Jul 2025 07:48:15 GMT
          Content-Type: text/html; charset=utf-8
          Content-Length: 9
          Connection: keep-alive
          ETag: W/"9-PatfYBLj4Um1qTm5zrukoLhNyPU"
          Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self';
          X-Content-Type-Options: nosniff
          
          
          Response body (9 bytes)
          Forbidden
          Parameter
          Content-Security-Policy
          Evidence
          frame-ancestors 'self';
          Solution

          Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

      3. CSP: script-src unsafe-inline (1)
        1. GET https://www.aegilock.de/sitemap.xml
          Alert tags
          Alert description

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          Other info

          script-src includes unsafe-inline.

          Request
          Request line and header section (243 bytes)
          GET https://www.aegilock.de/sitemap.xml HTTP/1.1
          host: www.aegilock.de
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (372 bytes)
          HTTP/1.1 403 Forbidden
          Date: Sat, 05 Jul 2025 07:48:15 GMT
          Content-Type: text/html; charset=utf-8
          Content-Length: 9
          Connection: keep-alive
          ETag: W/"9-PatfYBLj4Um1qTm5zrukoLhNyPU"
          Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self';
          X-Content-Type-Options: nosniff
          
          
          Response body (9 bytes)
          Forbidden
          Parameter
          Content-Security-Policy
          Evidence
          frame-ancestors 'self';
          Solution

          Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

      4. CSP: style-src unsafe-inline (1)
        1. GET https://www.aegilock.de/sitemap.xml
          Alert tags
          Alert description

          Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including (but not limited to) Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.

          Other info

          style-src includes unsafe-inline.

          Request
          Request line and header section (243 bytes)
          GET https://www.aegilock.de/sitemap.xml HTTP/1.1
          host: www.aegilock.de
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (372 bytes)
          HTTP/1.1 403 Forbidden
          Date: Sat, 05 Jul 2025 07:48:15 GMT
          Content-Type: text/html; charset=utf-8
          Content-Length: 9
          Connection: keep-alive
          ETag: W/"9-PatfYBLj4Um1qTm5zrukoLhNyPU"
          Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self';
          X-Content-Type-Options: nosniff
          
          
          Response body (9 bytes)
          Forbidden
          Parameter
          Content-Security-Policy
          Evidence
          frame-ancestors 'self';
          Solution

          Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.

  2. Risk=Informational, Confidence=Medium (1)

    1. https://www.aegilock.de (1)

      1. User Agent Fuzzer (1)
        1. GET https://www.aegilock.de/
          Alert tags
          • CUSTOM_PAYLOADS =
          • POLICY_PENTEST =
          Alert description

          Checks for differences in the response based on a fuzzed User-Agent (e.g. mobile sites, access as a search engine crawler). Compares the response status code and the hash code of the response body with those of the original response.

          Request
          Request line and header section (171 bytes)
          GET https://www.aegilock.de/ HTTP/1.1
          host: www.aegilock.de
          user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (374 bytes)
          HTTP/1.1 403 Forbidden
          Date: Sat, 05 Jul 2025 07:48:25 GMT
          Content-Type: text/html; charset=utf-8
          Content-Length: 24
          Connection: keep-alive
          ETag: W/"18-ncg/vA9p1PKp8G8/8DL3s8+5nWg"
          Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self';
          X-Content-Type-Options: nosniff
          
          
          Response body (24 bytes)
          Forbidden - ML Detection
          Parameter
          Header User-Agent
          Attack
          Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

  3. Risk=Informational, Confidence=Low (1)

    1. https://www.aegilock.de (1)

      1. Re-examine Cache-control Directives (1)
        1. GET https://www.aegilock.de/robots.txt
          Alert tags
          Alert description

          The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like CSS, JS, or image files this might be intended; however, the resources should be reviewed to ensure that no sensitive content will be cached.

          Request
          Request line and header section (242 bytes)
          GET https://www.aegilock.de/robots.txt HTTP/1.1
          host: www.aegilock.de
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          
          
          Request body (0 bytes)
          Response
          Status line and header section (455 bytes)
          HTTP/1.1 200 OK
          Date: Sat, 05 Jul 2025 07:48:15 GMT
          Content-Type: text/plain; charset=utf-8
          Content-Length: 110
          Connection: keep-alive
          Accept-Ranges: bytes
          Cache-Control: public, max-age=0
          Last-Modified: Thu, 12 Jun 2025 07:46:03 GMT
          ETag: W/"6e-197631a64da"
          Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
          X-Frame-Options: SAMEORIGIN
          Content-Security-Policy: frame-ancestors 'self';
          X-Content-Type-Options: nosniff
          
          
          Response body (110 bytes)
          User-agent: *
          Allow: /
          Disallow: /admin
          Disallow: /internal
          
          Sitemap: https://www.aegilock.de/sitemap.xml
          Parameter
          cache-control
          Evidence
          public, max-age=0
          Solution

          For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached, consider setting the directives "public, max-age, immutable".

Appendix

Alert Types

This section contains additional information on the types of alerts in the report.

  1. CSP: Failure to Define Directive with No Fallback

    Source raised by a passive scanner (CSP)
    CWE ID 693
    WASC ID 15
    Reference
    1. https://www.w3.org/TR/CSP/
    2. https://caniuse.com/#search=content+security+policy
    3. https://content-security-policy.com/
    4. https://github.com/HtmlUnit/htmlunit-csp
    5. https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
  2. CSP: Wildcard Directive

    Source raised by a passive scanner (CSP)
    CWE ID 693
    WASC ID 15
    Reference
    1. https://www.w3.org/TR/CSP/
    2. https://caniuse.com/#search=content+security+policy
    3. https://content-security-policy.com/
    4. https://github.com/HtmlUnit/htmlunit-csp
    5. https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
  3. CSP: script-src unsafe-inline

    Source raised by a passive scanner (CSP)
    CWE ID 693
    WASC ID 15
    Reference
    1. https://www.w3.org/TR/CSP/
    2. https://caniuse.com/#search=content+security+policy
    3. https://content-security-policy.com/
    4. https://github.com/HtmlUnit/htmlunit-csp
    5. https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
  4. CSP: style-src unsafe-inline

    Source raised by a passive scanner (CSP)
    CWE ID 693
    WASC ID 15
    Reference
    1. https://www.w3.org/TR/CSP/
    2. https://caniuse.com/#search=content+security+policy
    3. https://content-security-policy.com/
    4. https://github.com/HtmlUnit/htmlunit-csp
    5. https://developers.google.com/web/fundamentals/security/csp#policy_applies_to_a_wide_variety_of_resources
  5. Re-examine Cache-control Directives

    Source raised by a passive scanner (Re-examine Cache-control Directives)
    CWE ID 525
    WASC ID 13
    Reference
    1. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
    2. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
    3. https://grayduck.mn/2021/09/13/cache-control-recommendations/
  6. User Agent Fuzzer

    Source raised by an active scanner (User Agent Fuzzer)
    Reference
    1. https://owasp.org/wstg