ZAP Scanning Report
Site: https://app.4shar3.pro
Generated on Mon, 29 Jun 2026 13:33:35
ZAP Version: 2.17.0
ZAP by Checkmarx
Summary of Alerts
| Risk Level | Number of Alerts |
|---|---|
|
High
|
0
|
|
Medium
|
3
|
|
Low
|
0
|
|
Informational
|
4
|
|
False Positives:
|
0
|
Summary of Sequences
For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).
Alerts
| Name | Risk Level | Number of Instances |
|---|---|---|
| CSP: script-src unsafe-eval | Medium | 3 |
| CSP: script-src unsafe-inline | Medium | 3 |
| CSP: style-src unsafe-inline | Medium | 3 |
| Information Disclosure - Suspicious Comments | Informational | 5 |
| Modern Web Application | Informational | 2 |
| Re-examine Cache-control Directives | Informational | 2 |
| User Agent Fuzzer | Informational | Systemic |
Alert Detail
|
Medium |
CSP: script-src unsafe-eval |
|---|---|
| Description |
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
|
| URL | https://app.4shar3.pro/4repo |
| Node Name | https://app.4shar3.pro/4repo |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
script-src includes unsafe-eval.
|
| URL | https://app.4shar3.pro/4repo/ |
| Node Name | https://app.4shar3.pro/4repo/ |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
script-src includes unsafe-eval.
|
| URL | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Node Name | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro https://one.one.one.one https://icanhazip.com https://ajax.googleapis.com https://captive.apple.com https://res.cdn.office.net; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
script-src includes unsafe-eval.
|
| Instances | 3 |
| Solution |
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
|
| Reference |
https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://web.dev/articles/csp#resource-options |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10055 |
|
Medium |
CSP: script-src unsafe-inline |
|---|---|
| Description |
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
|
| URL | https://app.4shar3.pro/4repo |
| Node Name | https://app.4shar3.pro/4repo |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
script-src includes unsafe-inline.
|
| URL | https://app.4shar3.pro/4repo/ |
| Node Name | https://app.4shar3.pro/4repo/ |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
script-src includes unsafe-inline.
|
| URL | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Node Name | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro https://one.one.one.one https://icanhazip.com https://ajax.googleapis.com https://captive.apple.com https://res.cdn.office.net; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
script-src includes unsafe-inline.
|
| Instances | 3 |
| Solution |
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
|
| Reference |
https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://web.dev/articles/csp#resource-options |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10055 |
|
Medium |
CSP: style-src unsafe-inline |
|---|---|
| Description |
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
|
| URL | https://app.4shar3.pro/4repo |
| Node Name | https://app.4shar3.pro/4repo |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
style-src includes unsafe-inline.
|
| URL | https://app.4shar3.pro/4repo/ |
| Node Name | https://app.4shar3.pro/4repo/ |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
style-src includes unsafe-inline.
|
| URL | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Node Name | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Method | GET |
| Parameter | Content-Security-Policy |
| Attack | |
| Evidence | default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro https://one.one.one.one https://icanhazip.com https://ajax.googleapis.com https://captive.apple.com https://res.cdn.office.net; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests; |
| Other Info |
style-src includes unsafe-inline.
|
| Instances | 3 |
| Solution |
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
|
| Reference |
https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy https://content-security-policy.com/ https://github.com/HtmlUnit/htmlunit-csp https://web.dev/articles/csp#resource-options |
| CWE Id | 693 |
| WASC Id | 15 |
| Plugin Id | 10055 |
|
Informational |
Information Disclosure - Suspicious Comments |
|---|---|
| Description |
The response appears to contain suspicious comments which may help an attacker.
|
| URL | https://app.4shar3.pro/4repo/microsoft_auth.js |
| Node Name | https://app.4shar3.pro/4repo/microsoft_auth.js |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | sessionStorage for later use (fallback) |
| Other Info |
The following pattern was used: \bLATER\b and was detected in likely comment: "// Store code_verifier in sessionStorage for later use (fallback)", see evidence field for the suspicious comment/snippet.
|
| URL | https://app.4shar3.pro/4repo/microsoft_auth.js |
| Node Name | https://app.4shar3.pro/4repo/microsoft_auth.js |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | ates code challenge from code verifier (SHA2 |
| Other Info |
The following pattern was used: \bFROM\b and was detected 3 times, the first in likely comment: "/**
* Generates code challenge from code verifier (SHA256 + base64url)
* Uses Web Crypto API for SHA256
* @aut", see evidence field for the suspicious comment/snippet.
|
| URL | https://app.4shar3.pro/4repo/microsoft_auth.js |
| Node Name | https://app.4shar3.pro/4repo/microsoft_auth.js |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | nds (500ms * 120) - user might take time to |
| Other Info |
The following pattern was used: \bUSER\b and was detected 2 times, the first in likely comment: "// Poll for up to 60 seconds (500ms * 120) - user might take time to login", see evidence field for the suspicious comment/snippet.
|
| URL | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Node Name | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | ates code challenge from code verifier (SHA2 |
| Other Info |
The following pattern was used: \bFROM\b and was detected 2 times, the first in likely comment: "/**
* Generates code challenge from code verifier (SHA256 + base64url)
* @author Angelo Cimino
*/", see evidence field for the suspicious comment/snippet.
|
| URL | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Node Name | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | current URL (remove query params except code_ |
| Other Info |
The following pattern was used: \bQUERY\b and was detected in likely comment: "// Get redirect URI from current URL (remove query params except code_verifier and main_app_url)", see evidence field for the suspicious comment/snippet.
|
| Instances | 5 |
| Solution |
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
|
| Reference | |
| CWE Id | 615 |
| WASC Id | 13 |
| Plugin Id | 10027 |
|
Informational |
Modern Web Application |
|---|---|
| Description |
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
|
| URL | https://app.4shar3.pro/4repo/ |
| Node Name | https://app.4shar3.pro/4repo/ |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <script src="microsoft_auth.js"></script> |
| Other Info |
No links have been found while there are scripts, which is an indication that this is a modern web application.
|
| URL | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Node Name | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Method | GET |
| Parameter | |
| Attack | |
| Evidence | <script src="https://cdn.jsdelivr.net/npm/js-sha256@0.9.0/src/sha256.min.js" integrity="sha384-SuB7WKMIvlhvl2mlvYVIz6tj6HaybY+6SbVCKXUeH7OnIIIywXTz1YIGyb9ZBED5" crossorigin="anonymous"> </script> |
| Other Info |
No links have been found while there are scripts, which is an indication that this is a modern web application.
|
| Instances | 2 |
| Solution |
This is an informational alert and so no changes are required.
|
| Reference | |
| CWE Id | |
| WASC Id | |
| Plugin Id | 10109 |
|
Informational |
Re-examine Cache-control Directives |
|---|---|
| Description |
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
|
| URL | https://app.4shar3.pro/4repo/manifest.json |
| Node Name | https://app.4shar3.pro/4repo/manifest.json |
| Method | GET |
| Parameter | cache-control |
| Attack | |
| Evidence | |
| Other Info | |
| URL | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Node Name | https://app.4shar3.pro/newapp/onedrive-callback.html |
| Method | GET |
| Parameter | cache-control |
| Attack | |
| Evidence | |
| Other Info | |
| Instances | 2 |
| Solution |
For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".
|
| Reference |
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cache-Control https://grayduck.mn/2021/09/13/cache-control-recommendations/ |
| CWE Id | 525 |
| WASC Id | 13 |
| Plugin Id | 10015 |
|
Informational |
User Agent Fuzzer |
|---|---|
| Description |
Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.
|
| URL | https://app.4shar3.pro/4repo |
| Node Name | https://app.4shar3.pro/4repo |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) |
| Evidence | |
| Other Info | |
| URL | https://app.4shar3.pro/4repo |
| Node Name | https://app.4shar3.pro/4repo |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| URL | https://app.4shar3.pro/4repo/icons |
| Node Name | https://app.4shar3.pro/4repo/icons |
| Method | GET |
| Parameter | Header User-Agent |
| Attack | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1) |
| Evidence | |
| Other Info | |
| Instances | Systemic |
| Solution | |
| Reference | https://owasp.org/wstg |
| CWE Id | |
| WASC Id | |
| Plugin Id | 10104 |

