10112 10112 Session Management Response Identified Session Management Response Identified 0 2 Informational (Medium) Medium <p>The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.</p> http://127.0.0.1:8080/govwayConsole/configurazionePolicyGestioneTokenList.do?_tabKey_infoType=aa http://127.0.0.1:8080/govwayConsole/configurazionePolicyGestioneTokenList.do (_tabKey_infoType)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_4,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_4,_csrf,be_name_0,chkAll,search,selectcheckbox,url_entry_0,url_entry_1) POST JSESSIONID_GW_CONSOLE JSESSIONID_GW_CONSOLE cookie:JSESSIONID_GW_CONSOLE 1 false <p>This is an informational alert rather than a vulnerability and so there is nothing to fix.</p> <p>cookie:JSESSIONID_GW_CONSOLE</p> <p>https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/</p> -1 -1 726 10031 10031 User Controllable HTML Element Attribute (Potential XSS) User Controllable HTML Element Attribute (Potential XSS) 0 1 Informational (Low) Low <p>This check looks at user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability.</p> http://127.0.0.1:8080/govwayConsole/configurazionePolicyGestioneTokenList.do?_tabKey_infoType=aa http://127.0.0.1:8080/govwayConsole/configurazionePolicyGestioneTokenList.do (_tabKey_infoType)(__i_hidden_title_iconUso_0_0,__i_hidden_title_iconUso_0_4,__i_hidden_title_iconUso_10_0,__i_hidden_title_iconUso_10_4,__i_hidden_title_iconUso_11_0,__i_hidden_title_iconUso_11_4,__i_hidden_title_iconUso_12_0,__i_hidden_title_iconUso_12_4,__i_hidden_title_iconUso_13_0,__i_hidden_title_iconUso_13_4,__i_hidden_title_iconUso_14_0,__i_hidden_title_iconUso_14_4,__i_hidden_title_iconUso_15_0,__i_hidden_title_iconUso_15_4,__i_hidden_title_iconUso_16_0,__i_hidden_title_iconUso_16_4,__i_hidden_title_iconUso_17_0,__i_hidden_title_iconUso_17_4,__i_hidden_title_iconUso_18_0,__i_hidden_title_iconUso_18_4,__i_hidden_title_iconUso_19_0,__i_hidden_title_iconUso_19_4,__i_hidden_title_iconUso_1_0,__i_hidden_title_iconUso_1_4,__i_hidden_title_iconUso_2_0,__i_hidden_title_iconUso_2_4,__i_hidden_title_iconUso_3_0,__i_hidden_title_iconUso_3_4,__i_hidden_title_iconUso_4_0,__i_hidden_title_iconUso_4_4,__i_hidden_title_iconUso_5_0,__i_hidden_title_iconUso_5_4,__i_hidden_title_iconUso_6_0,__i_hidden_title_iconUso_6_4,__i_hidden_title_iconUso_7_0,__i_hidden_title_iconUso_7_4,__i_hidden_title_iconUso_8_0,__i_hidden_title_iconUso_8_4,__i_hidden_title_iconUso_9_0,__i_hidden_title_iconUso_9_4,_csrf,be_name_0,chkAll,limit,search,selectcheckbox,url_entry_0,url_entry_1,url_entry_10,url_entry_11,url_entry_12,url_entry_13,url_entry_14,url_entry_15,url_entry_16,url_entry_17,url_entry_18,url_entry_19,url_entry_2,url_entry_3,url_entry_4,url_entry_5,url_entry_6,url_entry_7,url_entry_8,url_entry_9) POST search User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL: http://127.0.0.1:8080/govwayConsole/configurazionePolicyGestioneTokenList.do?_tabKey_infoType=aa appears to include user input in: a(n) [input] tag [value] attribute The user input found was: search=ZAP The user-controlled value was: zap 1 false <p>Validate all input and sanitize output it before writing to any HTML attributes.</p> <p>User-controlled HTML attribute values were found. Try injecting special characters to see if XSS might be possible. The page at the following URL:</p><p></p><p>http://127.0.0.1:8080/govwayConsole/configurazionePolicyGestioneTokenList.do?_tabKey_infoType=aa</p><p></p><p>appears to include user input in:</p><p>a(n) [input] tag [value] attribute</p><p></p><p>The user input found was:</p><p>search=ZAP</p><p></p><p>The user-controlled value was:</p><p>zap</p> <p>https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html</p> 20 20 691 Info Informational insight.network.failure Percentage of network failures 1 Info Informational http://127.0.0.1:8080 insight.code.2xx Percentage of responses with status code 2xx 65 Info Informational http://127.0.0.1:8080 insight.code.3xx Percentage of responses with status code 3xx 9 Info Informational http://127.0.0.1:8080 insight.code.4xx Percentage of responses with status code 4xx 7 Info Informational http://127.0.0.1:8080 insight.code.5xx Percentage of responses with status code 5xx 17 Info Informational http://127.0.0.1:8080 insight.endpoint.ctype.application/zip Percentage of endpoints with content type application/zip 1 Info Informational http://127.0.0.1:8080 insight.endpoint.ctype.image/gif Percentage of endpoints with content type image/gif 1 Info Informational http://127.0.0.1:8080 insight.endpoint.ctype.image/png Percentage of endpoints with content type image/png 3 Info Informational http://127.0.0.1:8080 insight.endpoint.ctype.image/x-icon Percentage of endpoints with content type image/x-icon 1 Info Informational http://127.0.0.1:8080 insight.endpoint.ctype.text/css Percentage of endpoints with content type text/css 6 Info Informational http://127.0.0.1:8080 insight.endpoint.ctype.text/html Percentage of endpoints with content type text/html 73 Info Informational http://127.0.0.1:8080 insight.endpoint.ctype.text/javascript Percentage of endpoints with content type text/javascript 6 Info Informational http://127.0.0.1:8080 insight.endpoint.ctype.text/plain Percentage of endpoints with content type text/plain 1 Info Informational http://127.0.0.1:8080 insight.endpoint.method.GET Percentage of endpoints with method GET 65 Info Informational http://127.0.0.1:8080 insight.endpoint.method.POST Percentage of endpoints with method POST 34 Info Informational http://127.0.0.1:8080 insight.endpoint.total Count of total endpoints 202 Info Informational http://127.0.0.1:8080 insight.response.slow Percentage of slow responses 18