Security Policy

OWASP ZAP API Scan — Baseline Report

- Date: 2026-03-24
- Tool: OWASP ZAP (ghcr.io/zaproxy/zaproxy:stable)
- Scan type: API Scan with OpenAPI specification
- Target: http://localhost:2187/api/v1/
- OpenAPI spec: docs/api/openapi.yaml
- Context: Pre-release security scan for v2.0.0

Summary

| Category | Count |
| --- | --- |
| Total scan rules tested | 119 |
| PASS | 118 |
| WARN | 1 |
| FAIL | 0 |

Of the 119 rules, 53 are active scan rules (attack simulation) and 66 are passive scan rules (observation-based analysis).

Passive Scan Results

Security Headers & Configuration

| Rule ID | Test | Result |
| --- | --- | --- |
| 10010 | Cookie No HttpOnly Flag | ✅ PASS |
| 10011 | Cookie Without Secure Flag | ✅ PASS |
| 10015 | Re-examine Cache-control Directives | ✅ PASS |
| 10019 | Content-Type Header Missing | ✅ PASS |
| 10020 | Anti-clickjacking Header | ✅ PASS |
| 10021 | X-Content-Type-Options Header Missing | ✅ PASS |
| 10035 | Strict-Transport-Security Header | ✅ PASS |
| 10036 | HTTP Server Response Header | ✅ PASS |
| 10037 | Server Leaks Information via "X-Powered-By" | ✅ PASS |
| 10038 | Content Security Policy (CSP) Header Not Set | ✅ PASS |
| 10039 | X-Backend-Server Header Information Leak | ✅ PASS |
| 10054 | Cookie without SameSite Attribute | ✅ PASS |
| 10055 | CSP | ✅ PASS |
| 10056 | X-Debug-Token Information Leak | ✅ PASS |
| 10061 | X-AspNet-Version Response Header | ✅ PASS |
| 10063 | Permissions Policy Header Not Set | ✅ PASS |
| 10098 | Cross-Domain Misconfiguration | ✅ PASS |

Information Disclosure

| Rule ID | Test | Result |
| --- | --- | --- |
| 10009 | In Page Banner Information Leak | ✅ PASS |
| 10023 | Information Disclosure — Debug Error Messages | ✅ PASS |
| 10024 | Information Disclosure — Sensitive Information in URL | ✅ PASS |
| 10025 | Information Disclosure — Sensitive Information in HTTP Referrer Header | ✅ PASS |
| 10027 | Information Disclosure — Suspicious Comments | ✅ PASS |
| 10052 | X-ChromeLogger-Data (XCOLD) Header Information Leak | ✅ PASS |
| 10057 | Username Hash Found | ✅ PASS |
| 10062 | PII Disclosure | ✅ PASS |
| 10096 | Timestamp Disclosure | ✅ PASS |
| 10097 | Hash Disclosure | ✅ PASS |
| 10099 | Source Code Disclosure | ✅ PASS |
| 2 | Private IP Disclosure | ✅ PASS |

Cross-Site & Redirect Attacks

| Rule ID | Test | Result |
| --- | --- | --- |
| 10017 | Cross-Domain JavaScript Source File Inclusion | ✅ PASS |
| 10028 | Off-site Redirect | ✅ PASS |
| 10029 | Cookie Poisoning | ✅ PASS |
| 10030 | User Controllable Charset | ✅ PASS |
| 10031 | User Controllable HTML Element Attribute (Potential XSS) | ✅ PASS |
| 10043 | User Controllable JavaScript Event (XSS) | ✅ PASS |
| 10044 | Big Redirect Detected (Potential Sensitive Information Leak) | ✅ PASS |
| 10108 | Reverse Tabnabbing | ✅ PASS |

Transport Security

| Rule ID | Test | Result |
| --- | --- | --- |
| 10040 | Secure Pages Include Mixed Content | ✅ PASS |
| 10041 | HTTP to HTTPS Insecure Transition in Form Post | ✅ PASS |
| 10042 | HTTPS to HTTP Insecure Transition in Form Post | ✅ PASS |
| 10047 | HTTPS Content Available via HTTP | ✅ PASS |
| 10106 | HTTP Only Site | ✅ PASS |

Authentication & Session

| Rule ID | Test | Result |
| --- | --- | --- |
| 10105 | Weak Authentication Method | ✅ PASS |
| 10111 | Authentication Request Identified | ✅ PASS |
| 10112 | Session Management Response Identified | ✅ PASS |
| 10113 | Verification Request Identified | ✅ PASS |
| 10202 | Absence of Anti-CSRF Tokens | ✅ PASS |

Known Vulnerabilities & Miscellaneous

| Rule ID | Test | Result |
| --- | --- | --- |
| 0 | Directory Browsing | ✅ PASS |
| 10003 | Vulnerable JS Library (Powered by Retire.js) | ✅ PASS |
| 10026 | HTTP Parameter Override | ✅ PASS |
| 10032 | Viewstate | ✅ PASS |
| 10033 | Directory Browsing | ✅ PASS |
| 10034 | Heartbleed OpenSSL Vulnerability (Indicative) | ✅ PASS |
| 10045 | Source Code Disclosure — /WEB-INF Folder | ✅ PASS |
| 10048 | Remote Code Execution — Shell Shock | ✅ PASS |
| 10049 | Content Cacheability | ✅ PASS |
| 10050 | Retrieved from Cache | ✅ PASS |
| 10058 | GET for POST | ✅ PASS |
| 10104 | User Agent Fuzzer | ✅ PASS |
| 10109 | Modern Web Application | ✅ PASS |
| 10110 | Dangerous JS Functions | ✅ PASS |
| 10115 | Script Served From Malicious Domain (polyfill) | ✅ PASS |
| 10116 | ZAP is Out of Date | ✅ PASS |
| 20015 | Heartbleed OpenSSL Vulnerability | ✅ PASS |
| 20017 | Source Code Disclosure — CVE-2012-1823 | ✅ PASS |

Active Scan Results

Injection Attacks

| Rule ID | Test | Result |
| --- | --- | --- |
| 40018 | SQL Injection (Generic) | ✅ PASS |
| 40019 | SQL Injection — MySQL (Time Based) | ✅ PASS |
| 40020 | SQL Injection — Hypersonic SQL (Time Based) | ✅ PASS |
| 40021 | SQL Injection — Oracle (Time Based) | ✅ PASS |
| 40022 | SQL Injection — PostgreSQL (Time Based) | ✅ PASS |
| 40027 | SQL Injection — MsSQL (Time Based) | ✅ PASS |
| 90021 | XPath Injection | ✅ PASS |
| 90029 | SOAP XML Injection | ✅ PASS |
| 90017 | XSLT Injection | ✅ PASS |

Cross-Site Scripting (XSS)

| Rule ID | Test | Result |
| --- | --- | --- |
| 40012 | Cross Site Scripting (Reflected) | ✅ PASS |
| 40014 | Cross Site Scripting (Persistent) | ✅ PASS |
| 40016 | Cross Site Scripting (Persistent) — Prime | ✅ PASS |
| 40017 | Cross Site Scripting (Persistent) — Spider | ✅ PASS |
| 40026 | Cross Site Scripting (DOM Based) | ✅ PASS |

Remote Code Execution

| Rule ID | Test | Result |
| --- | --- | --- |
| 20018 | Remote Code Execution — CVE-2012-1823 | ✅ PASS |
| 40048 | Remote Code Execution (React2Shell) | ✅ PASS |
| 90019 | Server Side Code Injection | ✅ PASS |
| 90020 | Remote OS Command Injection | ✅ PASS |
| 90037 | Remote OS Command Injection (Time Based) | ✅ PASS |

Server-Side Attacks

| Rule ID | Test | Result |
| --- | --- | --- |
| 90023 | XML External Entity Attack | ✅ PASS |
| 40009 | Server Side Include | ✅ PASS |
| 90035 | Server Side Template Injection | ✅ PASS |
| 90036 | Server Side Template Injection (Blind) | ✅ PASS |
| 90026 | SOAP Action Spoofing | ✅ PASS |
| 40044 | Exponential Entity Expansion (Billion Laughs) | ✅ PASS |

Path & File Attacks

| Rule ID | Test | Result |
| --- | --- | --- |
| 6 | Path Traversal | ✅ PASS |
| 7 | Remote File Inclusion | ✅ PASS |
| 40032 | .htaccess Information Leak | ✅ PASS |
| 40034 | .env Information Leak | ✅ PASS |
| 40035 | Hidden File Finder | ✅ PASS |

Authentication & Session

| Rule ID | Test | Result |
| --- | --- | --- |
| 3 | Session ID in URL Rewrite | ✅ PASS |
| 20019 | External Redirect | ✅ PASS |
| 90033 | Loosely Scoped Cookie | ✅ PASS |

Known CVEs

| Rule ID | Test | Result |
| --- | --- | --- |
| 40043 | Log4Shell | ✅ PASS |
| 40045 | Spring4Shell | ✅ PASS |
| 90001 | Insecure JSF ViewState | ✅ PASS |
| 90002 | Java Serialization Object | ✅ PASS |

Infrastructure

| Rule ID | Test | Result |
| --- | --- | --- |
| 30001 | Buffer Overflow | ✅ PASS |
| 30002 | Format String Error | ✅ PASS |
| 40003 | CRLF Injection | ✅ PASS |
| 40008 | Parameter Tampering | ✅ PASS |
| 40028 | ELMAH Information Leak | ✅ PASS |
| 40029 | Trace.axd Information Leak | ✅ PASS |
| 40042 | Spring Actuator Information Leak | ✅ PASS |
| 90004 | Insufficient Site Isolation Against Spectre | ✅ PASS |
| 90011 | Charset Mismatch | ✅ PASS |
| 90022 | Application Error Disclosure | ✅ PASS |
| 90024 | Generic Padding Oracle | ✅ PASS |
| 90030 | WSDL File Detection | ✅ PASS |
| 90034 | Cloud Metadata Potentially Exposed | ✅ PASS |
| 90003 | Sub Resource Integrity Attribute Missing | ✅ PASS |
| 50000 | Script Active Scan Rules | ✅ PASS |
| 50001 | Script Passive Scan Rules | ✅ PASS |

Warnings

| Rule ID | Test | Result | Details |
| --- | --- | --- | --- |
| 100001 | Unexpected Content-Type | ⚠️ WARN | 14 instances — SPA fallback returns text/html for unknown paths (including cloud metadata probe paths like /computeMetadata/v1/, /latest/meta-data/, /metadata/instance, /metadata/v1, /opc/v1/instance/, /opc/v2/instance/). This is expected behavior: Vue Router handles client-side routing, so the server returns the SPA shell for any unrecognized path. Not a security issue. |

Informational Alerts (No Action Required)

| Alert | Risk Level | Instances | Notes |
| --- | --- | --- | --- |
| Client Error response code (401, 404) | Informational | 5 | Expected — unauthenticated API requests correctly return 401 Unauthorized; cloud metadata probe /openstack/latest/meta_data.json returns 404 |
| Non-Storable Content | Informational | 1 | 401 responses are correctly non-cacheable |

Comparison with Previous Scan (2026-03-23)

| Metric | 2026-03-23 | 2026-03-24 | Change |
| --- | --- | --- | --- |
| Rules tested | 119 | 119 | No change |
| PASS | 118 | 118 | No change |
| WARN | 1 | 1 | No change |
| FAIL | 0 | 0 | No change |
| Content-Type WARN instances | 14 | 14 | No change |

No new vulnerabilities, regressions, or security findings since the previous baseline. This scan serves as the final pre-release DAST baseline for v2.0.0.

How to Reproduce

```bash
# Start Capacitarr
make build

# Run ZAP API scan
make security:zap

# Reports generated:
#   zap-report.html  — full HTML report
#   zap-report.md    — markdown summary
```