
Exclude empty request and response from report

What does this MR do?

Problem

@warias was able to generate a secure report that omitted required fields:

{
   "category": "dast",
   "confidence": "Medium",
   "cve": "10047",
   "description": "Content which was initially accessed via HTTPS (i.e.: using SSL/TLS encryption) is also accessible via HTTP (without encryption).",
   "evidence": {
      "request": {
         "headers": [],
         "method": "",
         "url": ""
      },
      "response": {
         "headers": [],
         "reason_phrase": "",
         "status_code": ""
      },
      "summary": "http://xxx.nip.io/static/css/5.71be5c0a.chunk.css; ZAP attempted to connect via: http://xxx.nip.io/static/css/5.71be5c0a.chunk.css"
   },
   "id": "09655f19-5919-4264-934f-5cab657848c1",
   "identifiers": [
      {
         "name": "HTTPS Content Available via HTTP",
         "type": "ZAProxy_PluginId",
         "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
         "value": "10047"
      },
      {
         "name": "CWE-311",
         "type": "CWE",
         "url": "https://cwe.mitre.org/data/definitions/311.html",
         "value": "311"
      }
   ],
   "links": [
      {
         "url": "https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html"
      },
      {
         "url": "https://owasp.org/www-community/Security_Headers"
      },
      {
         "url": "http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security"
      },
      {
         "url": "http://caniuse.com/stricttransportsecurity"
      },
      {
         "url": "http://tools.ietf.org/html/rfc6797"
      }
   ],
   "location": {
      "hostname": "https://xxx.nip.io",
      "method": "GET",
      "param": "",
      "path": "/static/css/5.71be5c0a.chunk.css"
   },
   "message": "HTTPS Content Available via HTTP",
   "scanner": {
      "id": "zaproxy",
      "name": "ZAProxy"
   },
   "severity": "Low",
   "solution": "Ensure that your web server, application server, load balancer, etc. is configured to only serve such content via HTTPS. Consider implementing HTTP Strict Transport Security."
}

The issues are that method and url have a minLength requirement and status_code should be of type integer. Enabling strict schema validation by default surfaced the issue.

Proposed Solution

Remove the code that sets default values when request/response are missing. I think this is OK because the only required fields in evidence are id and name.
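To illustrate the proposed fix, here is an added example (not the analyzer's own code) that drops an all-empty request/response from evidence instead of emitting default values, and checks the three constraints the description names. The schema check models only those constraints, not the full secure report schema, and the vulnerability entry is constructed from the report above.

```python
import copy

# Constructed vulnerability entry modelled on the report in the MR description.
BROKEN_VULN = {
    "id": "09655f19-5919-4264-934f-5cab657848c1",
    "category": "dast",
    "message": "HTTPS Content Available via HTTP",
    "evidence": {
        "request": {"headers": [], "method": "", "url": ""},
        "response": {"headers": [], "reason_phrase": "", "status_code": ""},
        "summary": "http://xxx.nip.io/static/css/5.71be5c0a.chunk.css",
    },
}


def strict_schema_errors(vuln):
    """Return the violations strict validation would raise for evidence.

    Assumption: only the three rules named in the MR are modelled here
    (method/url minLength 1, status_code must be an integer).
    """
    errors = []
    evidence = vuln.get("evidence", {})
    request = evidence.get("request")
    if request is not None:
        for key in ("method", "url"):
            if len(request.get(key, "")) < 1:
                errors.append(f"evidence.request.{key}: shorter than minLength 1")
    response = evidence.get("response")
    if response is not None:
        if not isinstance(response.get("status_code"), int):
            errors.append("evidence.response.status_code: not an integer")
    return errors


def _is_blank(section):
    # A request/response is treated as absent when every value is empty.
    return all(value in ("", [], None) for value in section.values())


def drop_empty_evidence(vuln):
    """Omit request/response from evidence rather than emitting empty defaults."""
    fixed = copy.deepcopy(vuln)
    evidence = fixed.get("evidence", {})
    for key in ("request", "response"):
        if key in evidence and _is_blank(evidence[key]):
            del evidence[key]
    return fixed
```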

Alternative Solutions Considered

Use bogus default values that conform to the secure report schema.

Edited by Philip Cunningham
