ZAP by Checkmarx Scanning Report

Generated with ZAP on Mon 8 Dec 2025, at 02:58:51

ZAP Version: 2.16.1

About This Report

Report Parameters

Contexts

The following contexts were selected to be included:

  • AuthContext

Sites

The following sites were included:

  • http://localhost:8080

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low, False Positive

Excluded: None

Summaries

Alert Counts by Risk and Confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

Risk \ Confidence   User Confirmed   High        Medium      Low        False Positive   Total
High                0 (0.0%)         0 (0.0%)    0 (0.0%)    0 (0.0%)   0 (0.0%)         0 (0.0%)
Medium              0 (0.0%)         0 (0.0%)    0 (0.0%)    0 (0.0%)   0 (0.0%)         0 (0.0%)
Low                 0 (0.0%)         0 (0.0%)    0 (0.0%)    0 (0.0%)   0 (0.0%)         0 (0.0%)
Informational       0 (0.0%)         1 (33.3%)   2 (66.7%)   0 (0.0%)   0 (0.0%)         3 (100.0%)
Total               0 (0.0%)         1 (33.3%)   2 (66.7%)   0 (0.0%)   0 (0.0%)         3 (100%)

Alert Counts by Site and Risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

Site                    High (= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
http://localhost:8080   0 (0)           0 (0)                0 (0)          3 (3)

Alert Counts by Alert Type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

Alert type                               Risk            Count
Authentication Request Identified        Informational   2 (66.7%)
Session Management Response Identified   Informational   2 (66.7%)
User Agent Fuzzer                        Informational   12 (400.0%)
Total                                                    3

Alerts

  1. Risk=Informational, Confidence=High (1)

    1. http://localhost:8080 (1)

      1. Authentication Request Identified (1)
        1. POST http://localhost:8080/api/auth/login
          Alert tags
          Alert description

          The given request has been identified as an authentication request. The 'Other Info' field contains a set of key=value lines which identify any relevant fields. If the request is in a context which has an Authentication Method set to "Auto-Detect" then this rule will change the authentication to match the request identified.

          Other info

          userParam=username

          userValue=testuser

          passwordParam=password

          Request
          Request line and header section (311 bytes)
          POST http://localhost:8080/api/auth/login HTTP/1.1
          host: localhost:8080
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          content-type: application/json; charset=utf-8
          content-length: 44
          
          
          Request body (44 bytes)
          {"username":"testuser","password":"Test123"}
          Response
          Status line and header section (422 bytes)
          HTTP/1.1 200
          Vary: Origin
          Vary: Access-Control-Request-Method
          Vary: Access-Control-Request-Headers
          X-Content-Type-Options: nosniff
          X-XSS-Protection: 1; mode=block
          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
          Pragma: no-cache
          Expires: 0
          X-Frame-Options: DENY
          Content-Security-Policy: default-src 'self'
          Content-Type: application/json
          Date: Mon, 08 Dec 2025 02:56:20 GMT
          content-length: 193
          
          
          Response body (193 bytes)
          {"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjU4MCwiZXhwIjoxNzY1MjQ4OTgwfQ.d1yruQmw96EAN2EX8lPKZFxtjys_OHViUZBE66b7tO4"}
          Parameter
          username
          Evidence
          password
          Solution

          This is an informational alert rather than a vulnerability and so there is nothing to fix.

  2. Risk=Informational, Confidence=Medium (2)

    1. http://localhost:8080 (2)

      1. Session Management Response Identified (1)
        1. POST http://localhost:8080/api/auth/login
          Alert tags
          Alert description

          The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.

          Other info

          json:token

          Request
          Request line and header section (311 bytes)
          POST http://localhost:8080/api/auth/login HTTP/1.1
          host: localhost:8080
          user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
          pragma: no-cache
          cache-control: no-cache
          content-type: application/json; charset=utf-8
          content-length: 44
          
          
          Request body (44 bytes)
          {"username":"testuser","password":"Test123"}
          Response
          Status line and header section (422 bytes)
          HTTP/1.1 200
          Vary: Origin
          Vary: Access-Control-Request-Method
          Vary: Access-Control-Request-Headers
          X-Content-Type-Options: nosniff
          X-XSS-Protection: 1; mode=block
          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
          Pragma: no-cache
          Expires: 0
          X-Frame-Options: DENY
          Content-Security-Policy: default-src 'self'
          Content-Type: application/json
          Date: Mon, 08 Dec 2025 02:56:20 GMT
          content-length: 193
          
          
          Response body (193 bytes)
          {"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjU4MCwiZXhwIjoxNzY1MjQ4OTgwfQ.d1yruQmw96EAN2EX8lPKZFxtjys_OHViUZBE66b7tO4"}
          Parameter
          token
          Evidence
          token
          Solution

          This is an informational alert rather than a vulnerability and so there is nothing to fix.

      2. User Agent Fuzzer (1)
        1. POST http://localhost:8080/api/auth/login
          Alert tags
          • CUSTOM_PAYLOADS =
          • POLICY_PENTEST =
          • SYSTEMIC
          Alert description

          Check for differences in the response based on a fuzzed User-Agent header (e.g. mobile sites, access as a search engine crawler). Compares the response status code and the hash code of the response body with those of the original response.

          Request
          Request line and header section (409 bytes)
          POST http://localhost:8080/api/auth/login HTTP/1.1
          host: localhost:8080
          user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
          pragma: no-cache
          cache-control: no-cache
          content-type: application/json; charset=utf-8
          content-length: 44
          Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k
          
          
          Request body (44 bytes)
          {"username":"testuser","password":"Test123"}
          Response
          Status line and header section (422 bytes)
          HTTP/1.1 200
          Vary: Origin
          Vary: Access-Control-Request-Method
          Vary: Access-Control-Request-Headers
          X-Content-Type-Options: nosniff
          X-XSS-Protection: 1; mode=block
          Cache-Control: no-cache, no-store, max-age=0, must-revalidate
          Pragma: no-cache
          Expires: 0
          X-Frame-Options: DENY
          Content-Security-Policy: default-src 'self'
          Content-Type: application/json
          Date: Mon, 08 Dec 2025 02:58:43 GMT
          content-length: 193
          
          
          Response body (193 bytes)
          {"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k"}
          Parameter
          Header User-Agent
          Attack
          Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)

Appendix

Alert Types

This section contains additional information on the types of alerts in the report.

  1. Authentication Request Identified

    Source: raised by a passive scanner (Authentication Request Identified)
    Reference
    1. https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/
  2. Session Management Response Identified

    Source: raised by a passive scanner (Session Management Response Identified)
    Reference
    1. https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/
  3. User Agent Fuzzer

    Source: raised by an active scanner (User Agent Fuzzer)
    Reference
    1. https://owasp.org/wstg