ZAP Scanning Report

ZAP Scanning Report

Site: https://app.4shar3.pro

Generated on Mon, 29 Jun 2026 13:33:35

ZAP Version: 2.17.0

ZAP by Checkmarx

Summary of Alerts

Risk Level Number of Alerts
High
0
Medium
3
Low
0
Informational
4
False Positives:
0

Summary of Sequences

For each step: result (Pass/Fail) - risk (of highest alert(s) for the step, if any).

Alerts

Name Risk Level Number of Instances
CSP: script-src unsafe-eval Medium 3
CSP: script-src unsafe-inline Medium 3
CSP: style-src unsafe-inline Medium 3
Information Disclosure - Suspicious Comments Informational 5
Modern Web Application Informational 2
Re-examine Cache-control Directives Informational 2
User Agent Fuzzer Informational Systemic

Alert Detail

Medium
CSP: script-src unsafe-eval
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
URL https://app.4shar3.pro/4repo
Node Name https://app.4shar3.pro/4repo
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
script-src includes unsafe-eval.
URL https://app.4shar3.pro/4repo/
Node Name https://app.4shar3.pro/4repo/
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
script-src includes unsafe-eval.
URL https://app.4shar3.pro/newapp/onedrive-callback.html
Node Name https://app.4shar3.pro/newapp/onedrive-callback.html
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro https://one.one.one.one https://icanhazip.com https://ajax.googleapis.com https://captive.apple.com https://res.cdn.office.net; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
script-src includes unsafe-eval.
Instances 3
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE Id 693
WASC Id 15
Plugin Id 10055
Medium
CSP: script-src unsafe-inline
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
URL https://app.4shar3.pro/4repo
Node Name https://app.4shar3.pro/4repo
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
script-src includes unsafe-inline.
URL https://app.4shar3.pro/4repo/
Node Name https://app.4shar3.pro/4repo/
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
script-src includes unsafe-inline.
URL https://app.4shar3.pro/newapp/onedrive-callback.html
Node Name https://app.4shar3.pro/newapp/onedrive-callback.html
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro https://one.one.one.one https://icanhazip.com https://ajax.googleapis.com https://captive.apple.com https://res.cdn.office.net; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
script-src includes unsafe-inline.
Instances 3
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE Id 693
WASC Id 15
Plugin Id 10055
Medium
CSP: style-src unsafe-inline
Description
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
URL https://app.4shar3.pro/4repo
Node Name https://app.4shar3.pro/4repo
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
style-src includes unsafe-inline.
URL https://app.4shar3.pro/4repo/
Node Name https://app.4shar3.pro/4repo/
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
style-src includes unsafe-inline.
URL https://app.4shar3.pro/newapp/onedrive-callback.html
Node Name https://app.4shar3.pro/newapp/onedrive-callback.html
Method GET
Parameter Content-Security-Policy
Attack
Evidence default-src 'self' https://www.gstatic.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'wasm-unsafe-eval' 'unsafe-eval' 'unsafe-inline' https://www.gstatic.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://res.cdn.office.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://www.gstatic.com; font-src 'self' https://fonts.gstatic.com https://www.gstatic.com data:; img-src 'self' data: blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; media-src 'self' blob: https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com; connect-src 'self' https://www.gstatic.com https://fonts.gstatic.com https://api.4shar3.pro https://api.4shar3.com https://4shar3-repo-prod.s3.eu-central-1.amazonaws.com https://i4-repository-prod.s3.eu-west-1.amazonaws.com https://p4ndor4-application-prod.s3.eu-central-1.amazonaws.com https://login.microsoftonline.com wss://app.4shar3.pro https://one.one.one.one https://icanhazip.com https://ajax.googleapis.com https://captive.apple.com https://res.cdn.office.net; worker-src 'self' blob: https://www.gstatic.com; child-src 'self' blob:; frame-ancestors 'self' https://*.teams.microsoft.com https://*.teams.office.com https://*.teams.live.com https://*.teams.cloud.microsoft https://teams.microsoft.com https://teams.office.com https://teams.live.com https://teams.cloud.microsoft; base-uri 'self'; form-action 'self'; object-src 'none'; upgrade-insecure-requests;
Other Info
style-src includes unsafe-inline.
Instances 3
Solution
Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
Reference https://www.w3.org/TR/CSP/
https://caniuse.com/#search=content+security+policy
https://content-security-policy.com/
https://github.com/HtmlUnit/htmlunit-csp
https://web.dev/articles/csp#resource-options
CWE Id 693
WASC Id 15
Plugin Id 10055
Informational
Information Disclosure - Suspicious Comments
Description
The response appears to contain suspicious comments which may help an attacker.
URL https://app.4shar3.pro/4repo/microsoft_auth.js
Node Name https://app.4shar3.pro/4repo/microsoft_auth.js
Method GET
Parameter
Attack
Evidence sessionStorage for later use (fallback)
Other Info
The following pattern was used: \bLATER\b and was detected in likely comment: "// Store code_verifier in sessionStorage for later use (fallback)", see evidence field for the suspicious comment/snippet.
URL https://app.4shar3.pro/4repo/microsoft_auth.js
Node Name https://app.4shar3.pro/4repo/microsoft_auth.js
Method GET
Parameter
Attack
Evidence ates code challenge from code verifier (SHA2
Other Info
The following pattern was used: \bFROM\b and was detected 3 times, the first in likely comment: "/**

* Generates code challenge from code verifier (SHA256 + base64url)

* Uses Web Crypto API for SHA256

* @aut", see evidence field for the suspicious comment/snippet.
URL https://app.4shar3.pro/4repo/microsoft_auth.js
Node Name https://app.4shar3.pro/4repo/microsoft_auth.js
Method GET
Parameter
Attack
Evidence nds (500ms * 120) - user might take time to
Other Info
The following pattern was used: \bUSER\b and was detected 2 times, the first in likely comment: "// Poll for up to 60 seconds (500ms * 120) - user might take time to login", see evidence field for the suspicious comment/snippet.
URL https://app.4shar3.pro/newapp/onedrive-callback.html
Node Name https://app.4shar3.pro/newapp/onedrive-callback.html
Method GET
Parameter
Attack
Evidence ates code challenge from code verifier (SHA2
Other Info
The following pattern was used: \bFROM\b and was detected 2 times, the first in likely comment: "/**

* Generates code challenge from code verifier (SHA256 + base64url)

* @author Angelo Cimino

*/", see evidence field for the suspicious comment/snippet.
URL https://app.4shar3.pro/newapp/onedrive-callback.html
Node Name https://app.4shar3.pro/newapp/onedrive-callback.html
Method GET
Parameter
Attack
Evidence current URL (remove query params except code_
Other Info
The following pattern was used: \bQUERY\b and was detected in likely comment: "// Get redirect URI from current URL (remove query params except code_verifier and main_app_url)", see evidence field for the suspicious comment/snippet.
Instances 5
Solution
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
Reference
CWE Id 615
WASC Id 13
Plugin Id 10027
Informational
Modern Web Application
Description
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.
URL https://app.4shar3.pro/4repo/
Node Name https://app.4shar3.pro/4repo/
Method GET
Parameter
Attack
Evidence <script src="microsoft_auth.js"></script>
Other Info
No links have been found while there are scripts, which is an indication that this is a modern web application.
URL https://app.4shar3.pro/newapp/onedrive-callback.html
Node Name https://app.4shar3.pro/newapp/onedrive-callback.html
Method GET
Parameter
Attack
Evidence <script src="https://cdn.jsdelivr.net/npm/js-sha256@0.9.0/src/sha256.min.js" integrity="sha384-SuB7WKMIvlhvl2mlvYVIz6tj6HaybY+6SbVCKXUeH7OnIIIywXTz1YIGyb9ZBED5" crossorigin="anonymous"> </script>
Other Info
No links have been found while there are scripts, which is an indication that this is a modern web application.
Instances 2
Solution
This is an informational alert and so no changes are required.
Reference
CWE Id
WASC Id
Plugin Id 10109
Informational
Re-examine Cache-control Directives
Description
The cache-control header has not been set properly or is missing, allowing the browser and proxies to cache content. For static assets like css, js, or image files this might be intended, however, the resources should be reviewed to ensure that no sensitive content will be cached.
URL https://app.4shar3.pro/4repo/manifest.json
Node Name https://app.4shar3.pro/4repo/manifest.json
Method GET
Parameter cache-control
Attack
Evidence
Other Info
URL https://app.4shar3.pro/newapp/onedrive-callback.html
Node Name https://app.4shar3.pro/newapp/onedrive-callback.html
Method GET
Parameter cache-control
Attack
Evidence
Other Info
Instances 2
Solution
For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".
Reference https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cache-Control
https://grayduck.mn/2021/09/13/cache-control-recommendations/
CWE Id 525
WASC Id 13
Plugin Id 10015
Informational
User Agent Fuzzer
Description
Check for differences in response based on fuzzed User Agent (eg. mobile sites, access as a Search Engine Crawler). Compares the response statuscode and the hashcode of the response body with the original response.
URL https://app.4shar3.pro/4repo
Node Name https://app.4shar3.pro/4repo
Method GET
Parameter Header User-Agent
Attack Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Evidence
Other Info
URL https://app.4shar3.pro/4repo
Node Name https://app.4shar3.pro/4repo
Method GET
Parameter Header User-Agent
Attack Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Evidence
Other Info
URL https://app.4shar3.pro/4repo/icons
Node Name https://app.4shar3.pro/4repo/icons
Method GET
Parameter Header User-Agent
Attack Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Evidence
Other Info
Instances Systemic
Solution
Reference https://owasp.org/wstg
CWE Id
WASC Id
Plugin Id 10104

Sequence Details

With the associated active scan results.