ZAP by Checkmarx Scanning Report

Generated on Mon, 8 Dec 2025 02:58:51

ZAP Version: 2.16.1

ZAP by Checkmarx

Summary of Alerts

Risk Level	Number of Alerts
High	0
Medium	0
Low	0
Informational	3
False Positives:	0

Summary of Sequences

For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).

Alerts

Name	Risk Level	Number of Instances
Authentication Request Identified	Informational	2
Session Management Response Identified	Informational	2
User Agent Fuzzer	Informational	12

Passing Rules

Name	Rule Type	Threshold	Strength
Directory Browsing	Active	MEDIUM	MEDIUM
CRLF Injection	Active	MEDIUM	MEDIUM
Path Traversal	Active	MEDIUM	MEDIUM
Remote File Inclusion	Active	MEDIUM	MEDIUM
Parameter Tampering	Active	MEDIUM	MEDIUM
Server Side Include	Active	MEDIUM	MEDIUM
GET for POST	Active	MEDIUM	MEDIUM
Cross Site Scripting (Reflected)	Active	MEDIUM	MEDIUM
Cross Site Scripting (Persistent)	Active	MEDIUM	MEDIUM
Script Active Scan Rules	Active	MEDIUM	MEDIUM
Cross Site Scripting (Persistent) - Prime	Active	MEDIUM	MEDIUM
Cross Site Scripting (Persistent) - Spider	Active	MEDIUM	MEDIUM
SQL Injection	Active	MEDIUM	MEDIUM
SQL Injection - MySQL (Time Based)	Active	MEDIUM	MEDIUM
SQL Injection - Hypersonic SQL (Time Based)	Active	MEDIUM	MEDIUM
SQL Injection - Oracle (Time Based)	Active	MEDIUM	MEDIUM
SQL Injection - PostgreSQL (Time Based)	Active	MEDIUM	MEDIUM
SQL Injection - SQLite (Time Based)	Active	MEDIUM	MEDIUM
Cross Site Scripting (DOM Based)	Active	MEDIUM	MEDIUM
SQL Injection - MsSQL (Time Based)	Active	MEDIUM	MEDIUM
ELMAH Information Leak	Active	MEDIUM	MEDIUM
Trace.axd Information Leak	Active	MEDIUM	MEDIUM
XSLT Injection	Active	MEDIUM	MEDIUM
.htaccess Information Leak	Active	MEDIUM	MEDIUM
.env Information Leak	Active	MEDIUM	MEDIUM
Server Side Code Injection	Active	MEDIUM	MEDIUM
Hidden File Finder	Active	MEDIUM	MEDIUM
XPath Injection	Active	MEDIUM	MEDIUM
Remote OS Command Injection	Active	MEDIUM	MEDIUM
XML External Entity Attack	Active	MEDIUM	MEDIUM
Generic Padding Oracle	Active	MEDIUM	MEDIUM
Spring Actuator Information Leak	Active	MEDIUM	MEDIUM
SOAP Action Spoofing	Active	MEDIUM	MEDIUM
Log4Shell	Active	MEDIUM	MEDIUM
SOAP XML Injection	Active	MEDIUM	MEDIUM
Spring4Shell	Active	MEDIUM	MEDIUM
Heartbleed OpenSSL Vulnerability	Active	MEDIUM	MEDIUM
Buffer Overflow	Active	MEDIUM	MEDIUM
Source Code Disclosure - CVE-2012-1823	Active	MEDIUM	MEDIUM
Format String Error	Active	MEDIUM	MEDIUM
Server Side Template Injection	Active	MEDIUM	MEDIUM
Remote Code Execution - CVE-2012-1823	Active	MEDIUM	MEDIUM
Cloud Metadata Potentially Exposed	Active	MEDIUM	MEDIUM
External Redirect	Active	MEDIUM	MEDIUM
Remote OS Command Injection (Time Based)	Active	MEDIUM	MEDIUM
Server Side Template Injection (Blind)	Active	MEDIUM	MEDIUM
Source Code Disclosure - /WEB-INF Folder	Active	MEDIUM	MEDIUM
Verification Request Identified	Passive	MEDIUM	-
Private IP Disclosure	Passive	MEDIUM	-
Session ID in URL Rewrite	Passive	MEDIUM	-
Script Served From Malicious Domain (polyfill)	Passive	MEDIUM	-
ZAP is Out of Date	Passive	MEDIUM	-
Insecure JSF ViewState	Passive	MEDIUM	-
Vulnerable JS Library (Powered by Retire.js)	Passive	MEDIUM	-
Charset Mismatch	Passive	MEDIUM	-
Cookie No HttpOnly Flag	Passive	MEDIUM	-
Cookie Without Secure Flag	Passive	MEDIUM	-
Re-examine Cache-control Directives	Passive	MEDIUM	-
Cross-Domain JavaScript Source File Inclusion	Passive	MEDIUM	-
Content-Type Header Missing	Passive	MEDIUM	-
Anti-clickjacking Header	Passive	MEDIUM	-
X-Content-Type-Options Header Missing	Passive	MEDIUM	-
Application Error Disclosure	Passive	MEDIUM	-
Information Disclosure - Debug Error Messages	Passive	MEDIUM	-
Information Disclosure - Sensitive Information in URL	Passive	MEDIUM	-
Information Disclosure - Sensitive Information in HTTP Referrer Header	Passive	MEDIUM	-
Information Disclosure - Suspicious Comments	Passive	MEDIUM	-
Off-site Redirect	Passive	MEDIUM	-
Cookie Poisoning	Passive	MEDIUM	-
User Controllable Charset	Passive	MEDIUM	-
WSDL File Detection	Passive	MEDIUM	-
User Controllable HTML Element Attribute (Potential XSS)	Passive	MEDIUM	-
Loosely Scoped Cookie	Passive	MEDIUM	-
Viewstate	Passive	MEDIUM	-
Directory Browsing	Passive	MEDIUM	-
Heartbleed OpenSSL Vulnerability (Indicative)	Passive	MEDIUM	-
Strict-Transport-Security Header	Passive	MEDIUM	-
HTTP Server Response Header	Passive	MEDIUM	-
Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)	Passive	MEDIUM	-
Content Security Policy (CSP) Header Not Set	Passive	MEDIUM	-
X-Backend-Server Header Information Leak	Passive	MEDIUM	-
Secure Pages Include Mixed Content	Passive	MEDIUM	-
HTTP to HTTPS Insecure Transition in Form Post	Passive	MEDIUM	-
HTTPS to HTTP Insecure Transition in Form Post	Passive	MEDIUM	-
User Controllable JavaScript Event (XSS)	Passive	MEDIUM	-
Big Redirect Detected (Potential Sensitive Information Leak)	Passive	MEDIUM	-
Retrieved from Cache	Passive	MEDIUM	-
X-ChromeLogger-Data (XCOLD) Header Information Leak	Passive	MEDIUM	-
Cookie without SameSite Attribute	Passive	MEDIUM	-
CSP	Passive	MEDIUM	-
X-Debug-Token Information Leak	Passive	MEDIUM	-
Username Hash Found	Passive	MEDIUM	-
X-AspNet-Version Response Header	Passive	MEDIUM	-
PII Disclosure	Passive	MEDIUM	-
Script Passive Scan Rules	Passive	MEDIUM	-
Stats Passive Scan Rule	Passive	MEDIUM	-
Absence of Anti-CSRF Tokens	Passive	MEDIUM	-
Timestamp Disclosure	Passive	MEDIUM	-
Hash Disclosure	Passive	MEDIUM	-
Cross-Domain Misconfiguration	Passive	MEDIUM	-
Weak Authentication Method	Passive	MEDIUM	-
Reverse Tabnabbing	Passive	MEDIUM	-
Modern Web Application	Passive	MEDIUM	-

Sites

Number of Sites tree nodes actively scanned: 13

http://localhost:8080

HTTP Response Code	Number of Responses
404 Not Found	1356
415 Unsupported Media Type	4
405 Method Not Allowed	1621
200 OK	4638
400 Bad Request	1465

Authentication Statistics	Number of Responses
State : Logged Out	4194
Authentication : Success	1616
State : Logged In	1641
stats.auth.sessiontoken.token	3233

Parameter Name	Type	Times Used	# Values
category	URL	1	1
name	URL	1	1
page	URL	1	1
size	URL	1	1
Cache-Control	Header	1623	1
Connection	Header	1	1
Content-Length	Header	1	1
Content-Security-Policy	Header	1623	1
Content-Type	Header	1623	2
Date	Header	1623	149
Expires	Header	1623	1
Pragma	Header	1623	1
Vary	Header	4869	3
X-Content-Type-Options	Header	1623	1
X-Frame-Options	Header	1623	1
X-XSS-Protection	Header	1623	1
content-length	Header	1622	5

Alert Detail

Informational	Authentication Request Identified
Description	The given request has been identified as an authentication request. The 'Other Info' field contains a set of key=value lines which identify any relevant fields. If the request is in a context which has an Authentication Method set to "Auto-Detect" then this rule will change the authentication to match the request identified.

URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	username
Attack
Evidence	password
Other Info	userParam=username userValue=John Doe passwordParam=password
Show / hide Request and Response
Request Header - size: 468 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 pragma: no-cache cache-control: no-cache accept: / content-type: application/json content-length: 40 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjU4MiwiZXhwIjoxNzY1MjQ4OTgyfQ.OV0FC031pbEYK5ZQkqx8m0ak7Yi7VbystZIBK9YMYek
Request Body - size: 40 bytes.	{"username":"John Doe","password":"ZAP"}
Response Header - size: 421 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:56:22 GMT content-length: 79
Response Body - size: 79 bytes.	{"success":false,"message":"Username contains invalid characters","token":null}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	username
Attack
Evidence	password
Other Info	userParam=username userValue=testuser passwordParam=password
Show / hide Request and Response
Request Header - size: 311 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:56:20 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjU4MCwiZXhwIjoxNzY1MjQ4OTgwfQ.d1yruQmw96EAN2EX8lPKZFxtjys_OHViUZBE66b7tO4"}
Instances	2
Solution	This is an informational alert rather than a vulnerability and so there is nothing to fix.
Reference	https://www.zaproxy.org/docs/desktop/addons/authentication-helper/auth-req-id/
Tags
CWE Id
WASC Id
Plugin Id	10111

Informational	Session Management Response Identified
Description	The given response has been identified as containing a session management token. The 'Other Info' field contains a set of header tokens that can be used in the Header Based Session Management Method. If the request is in a context which has a Session Management Method set to "Auto-Detect" then this rule will change the session management to use the tokens identified.

URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	token
Attack
Evidence	token
Other Info	json:token
Show / hide Request and Response
Request Header - size: 311 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:56:20 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjU4MCwiZXhwIjoxNzY1MjQ4OTgwfQ.d1yruQmw96EAN2EX8lPKZFxtjys_OHViUZBE66b7tO4"}
URL	http://localhost:8080/api/auth/login
Method	GET
Parameter	token
Attack
Evidence	token
Other Info	json:token
Show / hide Request and Response
Request Header - size: 433 bytes.	GET http://localhost:8080/api/products/ HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36 pragma: no-cache cache-control: no-cache accept: / content-length: 0 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjU4MiwiZXhwIjoxNzY1MjQ4OTgyfQ.OV0FC031pbEYK5ZQkqx8m0ak7Yi7VbystZIBK9YMYek
Request Body - size: 0 bytes.
Response Header - size: 430 bytes.	HTTP/1.1 404 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/problem+json Date: Mon, 08 Dec 2025 02:56:22 GMT content-length: 127
Response Body - size: 127 bytes.	{"type":"about:blank","title":"Not Found","status":404,"detail":"No static resource api/products.","instance":"/api/products/"}
Instances	2
Solution	This is an informational alert rather than a vulnerability and so there is nothing to fix.
Reference	https://www.zaproxy.org/docs/desktop/addons/authentication-helper/session-mgmt-id/
Tags
CWE Id
WASC Id
Plugin Id	10112

Informational	User Agent Fuzzer
Description	Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.

URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 409 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:43 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 409 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:43 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 409 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:43 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 421 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:43 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 487 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3739.0 Safari/537.36 Edg/75.0.109.0 pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyMywiZXhwIjoxNzY1MjQ5MTIzfQ.J96vq4bRaSb7dxOfcPociaaL08FrysTpKWcTaggem0k
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:44 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 474 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:44 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 437 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/91.0 pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:44 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 431 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:44 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 442 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp) pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:44 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 495 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4 pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:44 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 500 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16 pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:44 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg"}
URL	http://localhost:8080/api/auth/login
Method	POST
Parameter	Header User-Agent
Attack	msnbot/1.1 (+http://search.msn.com/msnbot.htm)
Evidence
Other Info
Show / hide Request and Response
Request Header - size: 405 bytes.	POST http://localhost:8080/api/auth/login HTTP/1.1 host: localhost:8080 user-agent: msnbot/1.1 (+http://search.msn.com/msnbot.htm) pragma: no-cache cache-control: no-cache content-type: application/json; charset=utf-8 content-length: 44 Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg
Request Body - size: 44 bytes.	{"username":"testuser","password":"Test123"}
Response Header - size: 422 bytes.	HTTP/1.1 200 Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: 0 X-Frame-Options: DENY Content-Security-Policy: default-src 'self' Content-Type: application/json Date: Mon, 08 Dec 2025 02:58:44 GMT content-length: 193
Response Body - size: 193 bytes.	{"success":true,"message":"Login successfully","token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0dXNlciIsImlhdCI6MTc2NTE2MjcyNCwiZXhwIjoxNzY1MjQ5MTI0fQ.2DqZd-7Xj6E4cIlEPtOXsaiyf4cGWdUCb1vJKqrECyg"}
Instances	12
Solution
Reference	https://owasp.org/wstg
Tags	CUSTOM_PAYLOADS = POLICY_PENTEST = SYSTEMIC
CWE Id
WASC Id
Plugin Id	10104

Sequence Details

With the associated active scan results.