54 lines
1.4 KiB
Markdown
54 lines
1.4 KiB
Markdown
|
### MEDIUM RISK
|
||
|
|
|
||
|
|
## 1. CSP: Wildcard Directive
|
||
|
|
# Eric response: Can't we updated the apache config to add trusted source?
|
||
|
|
|
||
|
|
## 2. CSP: style-src 'unsafe-inline'
|
||
|
|
# Eric response: Accept the risk
|
||
|
|
|
||
|
|
## 3. CSP Header Not Set
|
||
|
|
# Eric response: This is zabbix it's for internal use. Accept the risk
|
||
|
|
|
||
|
|
## 4. CSP: script-src 'unsafe-inline'
|
||
|
|
# Eric response: This is zabbix it's for internal use. Accept the risk
|
||
|
|
|
||
|
|
## 5. Absence of Anti-CSRF Tokens
|
||
|
|
# Eric response: accept the risk
|
||
|
|
|
||
|
|
## 6. Source Code Disclosure - SQL
|
||
|
|
# Eric response: what source code is exposed?
|
||
|
|
|
||
|
|
## 7. Sub Resource Integrity Attribute Missing
|
||
|
|
# Eric response: nothink currently. Can you provide the integrity tag for the concerned external script
|
||
|
|
|
||
|
|
## 8. Vulnerable JavaScript Library
|
||
|
|
# Eric response: What's the concerne library?
|
||
|
|
|
||
|
|
## 9. Missing Anti-clickjacking Header
|
||
|
|
# Eric response:
|
||
|
|
|
||
|
|
## 10. Cross-Domain Misconfiguration
|
||
|
|
# Eric response:
|
||
|
|
|
||
|
|
### LOW RISK
|
||
|
|
|
||
|
|
## 1. Strict-Transport-Security Header Not Set
|
||
|
|
# Eric response: accept risk
|
||
|
|
|
||
|
|
## 2. Dangerous JavaScript Functions
|
||
|
|
# Eric response: Accept the risk
|
||
|
|
|
||
|
|
## 3. Server Leaks Version Information via 'Server' HTTP Response Header
|
||
|
|
# Eric response: Accept the risk
|
||
|
|
|
||
|
|
## 4. CSP: X-Content-Type-Options Header Missing
|
||
|
|
# Eric response: Accept risk
|
||
|
|
|
||
|
|
## 5. Cross-Domain JavaScript Source File Inclusion
|
||
|
|
# Eric response: accept the risk
|
||
|
|
|
||
|
|
## 6. Cookie Without Secure Flag
|
||
|
|
# Eric response: accept the risk
|
||
|
|
|
||
|
|
## 7. Cookie with SameSite Attribute None
|
||
|
|
# Eric response: accept the risk
|