Merge branch '258203-add-api-fuzzing-report' into 'master'

Add API Fuzzing report type to backend See merge request gitlab-org/gitlab!43763

Merge branch '258203-add-api-fuzzing-report' into 'master'
Add API Fuzzing report type to backend See merge request gitlab-org/gitlab!43763
ffdf2f23 · Stan Hu · 2c3abd36 · 3d743738 · ffdf2f23 · ffdf2f23
Commit ffdf2f23 authored Oct 07, 2020 by Stan Hu
34 changed files
--- a/app/models/ci/job_artifact.rb
+++ b/app/models/ci/job_artifact.rb
@@ -46,7 +46,8 @@ module Ci
      terraform: 'tfplan.json',
      cluster_applications: 'gl-cluster-applications.json',
      requirements: 'requirements.json',
-      coverage_fuzzing: 'gl-coverage-fuzzing.json'
+      coverage_fuzzing: 'gl-coverage-fuzzing.json',
+      api_fuzzing: 'gl-api-fuzzing-report.json'
    }.freeze

    INTERNAL_TYPES = {
@@ -82,11 +83,13 @@ module Ci
      load_performance: :raw,
      terraform: :raw,
      requirements: :raw,
-      coverage_fuzzing: :raw
+      coverage_fuzzing: :raw,
+      api_fuzzing: :raw
    }.freeze

    DOWNLOADABLE_TYPES = %w[
      accessibility
+      api_fuzzing
      archive
      cobertura
      codequality
@@ -194,7 +197,8 @@ module Ci
      requirements: 22, ## EE-specific
      coverage_fuzzing: 23, ## EE-specific
      browser_performance: 24, ## EE-specific
-      load_performance: 25 ## EE-specific
+      load_performance: 25, ## EE-specific
+      api_fuzzing: 26 ## EE-specific
    }

    # `file_location` indicates where actual files are stored.

--- a/doc/api/graphql/reference/gitlab_schema.graphql
+++ b/doc/api/graphql/reference/gitlab_schema.graphql
@@ -16654,6 +16654,11 @@ type ScannedResourceEdge {
 Represents summary of a security report
 """
 type SecurityReportSummary {
+  """
+  Aggregated counts for the api_fuzzing scan
+  """
+  apiFuzzing: SecurityReportSummarySection
+
  """
  Aggregated counts for the container_scanning scan
  """
@@ -16734,6 +16739,7 @@ type SecurityReportSummarySection {
 The type of the security scanner
 """
 enum SecurityScannerType {
+  API_FUZZING
  CONTAINER_SCANNING
  COVERAGE_FUZZING
  DAST
@@ -20173,7 +20179,7 @@ type Vulnerability implements Noteable {
  """
  Type of the security report that found the vulnerability (SAST,
  DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION,
-  COVERAGE_FUZZING)
+  COVERAGE_FUZZING, API_FUZZING)
  """
  reportType: VulnerabilityReportType

@@ -20636,6 +20642,7 @@ type VulnerabilityPermissions {
 The type of the security scan that found the vulnerability
 """
 enum VulnerabilityReportType {
+  API_FUZZING
  CONTAINER_SCANNING
  COVERAGE_FUZZING
  DAST

--- a/doc/api/graphql/reference/gitlab_schema.json
+++ b/doc/api/graphql/reference/gitlab_schema.json
@@ -48143,6 +48143,20 @@
          "name": "SecurityReportSummary",
          "description": "Represents summary of a security report",
          "fields": [
+            {
+              "name": "apiFuzzing",
+              "description": "Aggregated counts for the api_fuzzing scan",
+              "args": [
+
+              ],
+              "type": {
+                "kind": "OBJECT",
+                "name": "SecurityReportSummarySection",
+                "ofType": null
+              },
+              "isDeprecated": false,
+              "deprecationReason": null
+            },
            {
              "name": "containerScanning",
              "description": "Aggregated counts for the container_scanning scan",
@@ -48386,6 +48400,12 @@
              "description": null,
              "isDeprecated": false,
              "deprecationReason": null
+            },
+            {
+              "name": "API_FUZZING",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
            }
          ],
          "possibleTypes": null
@@ -58532,7 +58552,7 @@
            },
            {
              "name": "reportType",
-              "description": "Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION, COVERAGE_FUZZING)",
+              "description": "Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION, COVERAGE_FUZZING, API_FUZZING)",
              "args": [

              ],
@@ -59983,6 +60003,12 @@
              "description": null,
              "isDeprecated": false,
              "deprecationReason": null
+            },
+            {
+              "name": "API_FUZZING",
+              "description": null,
+              "isDeprecated": false,
+              "deprecationReason": null
            }
          ],
          "possibleTypes": null
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -2246,6 +2246,7 @@ Represents summary of a security report.

 | Field | Type | Description |
 | ----- | ---- | ----------- |
+| `apiFuzzing` | SecurityReportSummarySection | Aggregated counts for the api_fuzzing scan |
 | `containerScanning` | SecurityReportSummarySection | Aggregated counts for the container_scanning scan |
 | `coverageFuzzing` | SecurityReportSummarySection | Aggregated counts for the coverage_fuzzing scan |
 | `dast` | SecurityReportSummarySection | Aggregated counts for the dast scan |
@@ -2817,7 +2818,7 @@ Represents a vulnerability.
 | `location` | VulnerabilityLocation | Location metadata for the vulnerability. Its fields depend on the type of security scan that found the vulnerability |
 | `primaryIdentifier` | VulnerabilityIdentifier | Primary identifier of the vulnerability. |
 | `project` | Project | The project on which the vulnerability was found |
-| `reportType` | VulnerabilityReportType | Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION, COVERAGE_FUZZING) |
+| `reportType` | VulnerabilityReportType | Type of the security report that found the vulnerability (SAST, DEPENDENCY_SCANNING, CONTAINER_SCANNING, DAST, SECRET_DETECTION, COVERAGE_FUZZING, API_FUZZING) |
 | `resolvedOnDefaultBranch` | Boolean! | Indicates whether the vulnerability is fixed on the default branch or not |
 | `scanner` | VulnerabilityScanner | Scanner metadata for the vulnerability. |
 | `severity` | VulnerabilitySeverity | Severity of the vulnerability (INFO, UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL) |
@@ -3551,6 +3552,7 @@ The type of the security scanner.

 | Value | Description |
 | ----- | ----------- |
+| `API_FUZZING` |  |
 | `CONTAINER_SCANNING` |  |
 | `COVERAGE_FUZZING` |  |
 | `DAST` |  |
@@ -3735,6 +3737,7 @@ The type of the security scan that found the vulnerability.

 | Value | Description |
 | ----- | ----------- |
+| `API_FUZZING` |  |
 | `CONTAINER_SCANNING` |  |
 | `COVERAGE_FUZZING` |  |
 | `DAST` |  |

--- a/ee/app/controllers/ee/projects/merge_requests_controller.rb
+++ b/ee/app/controllers/ee/projects/merge_requests_controller.rb
@@ -15,7 +15,9 @@ module EE

        before_action :whitelist_query_limiting_ee_merge, only: [:merge]
        before_action :authorize_read_pipeline!, only: [:container_scanning_reports, :dependency_scanning_reports,
-                                                        :sast_reports, :secret_detection_reports, :dast_reports, :metrics_reports, :coverage_fuzzing_reports]
+                                                        :sast_reports, :secret_detection_reports, :dast_reports,
+                                                        :metrics_reports, :coverage_fuzzing_reports,
+                                                        :api_fuzzing_reports]
        before_action :authorize_read_licenses!, only: [:license_scanning_reports]

        feature_category :code_review, [:delete_description_version, :description_diff]
@@ -60,6 +62,10 @@ module EE
        reports_response(merge_request.compare_coverage_fuzzing_reports(current_user), head_pipeline)
      end

+      def api_fuzzing_reports
+        reports_response(merge_request.compare_api_fuzzing_reports(current_user), head_pipeline)
+      end
+
      private

      def whitelist_query_limiting_ee_merge

--- a/ee/app/finders/security/security_jobs_finder.rb
+++ b/ee/app/finders/security/security_jobs_finder.rb
@@ -13,7 +13,7 @@
 module Security
  class SecurityJobsFinder < JobsFinder
    def self.allowed_job_types
-      [:sast, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing]
+      [:sast, :dast, :dependency_scanning, :container_scanning, :secret_detection, :coverage_fuzzing, :api_fuzzing]
    end
  end
 end
--- a/ee/app/graphql/types/vulnerability_location_type.rb
+++ b/ee/app/graphql/types/vulnerability_location_type.rb
@@ -20,7 +20,7 @@ module Types
        VulnerabilityLocation::ContainerScanningType
      when 'dependency_scanning'
        VulnerabilityLocation::DependencyScanningType
-      when 'dast'
+      when 'dast', 'api_fuzzing'
        VulnerabilityLocation::DastType
      when 'sast'
        VulnerabilityLocation::SastType

--- a/ee/app/models/ee/ci/build.rb
+++ b/ee/app/models/ee/ci/build.rb
@@ -16,7 +16,8 @@ module EE
        dependency_scanning: :dependency_scanning,
        container_scanning: :container_scanning,
        dast: :dast,
-        coverage_fuzzing: :coverage_fuzzing
+        coverage_fuzzing: :coverage_fuzzing,
+        api_fuzzing: :api_fuzzing
      }.with_indifferent_access.freeze

      EE_RUNNER_FEATURES = {

--- a/ee/app/models/ee/ci/job_artifact.rb
+++ b/ee/app/models/ee/ci/job_artifact.rb
@@ -12,7 +12,7 @@ module EE
    prepended do
      after_destroy :log_geo_deleted_event

-      SECURITY_REPORT_FILE_TYPES = %w[sast secret_detection dependency_scanning container_scanning dast coverage_fuzzing].freeze
+      SECURITY_REPORT_FILE_TYPES = %w[sast secret_detection dependency_scanning container_scanning dast coverage_fuzzing api_fuzzing].freeze
      LICENSE_SCANNING_REPORT_FILE_TYPES = %w[license_management license_scanning].freeze
      DEPENDENCY_LIST_REPORT_FILE_TYPES = %w[dependency_scanning].freeze
      METRICS_REPORT_FILE_TYPES = %w[metrics].freeze
@@ -22,6 +22,7 @@ module EE
      DAST_REPORT_TYPES = %w[dast].freeze
      REQUIREMENTS_REPORT_FILE_TYPES = %w[requirements].freeze
      COVERAGE_FUZZING_REPORT_TYPES = %w[coverage_fuzzing].freeze
+      API_FUZZING_REPORT_TYPES = %w[api_fuzzing].freeze
      BROWSER_PERFORMANCE_REPORT_FILE_TYPES = %w[browser_performance performance].freeze

      scope :project_id_in, ->(ids) { where(project_id: ids) }
@@ -64,6 +65,10 @@ module EE
      scope :coverage_fuzzing_reports, -> do
        with_file_types(COVERAGE_FUZZING_REPORT_TYPES)
      end
+
+      scope :api_fuzzing_reports, -> do
+        with_file_types(API_FUZZING_REPORT_TYPES)
+      end
    end

    class_methods do

--- a/ee/app/models/ee/ci/pipeline.rb
+++ b/ee/app/models/ee/ci/pipeline.rb
@@ -51,7 +51,8 @@ module EE
          license_scanning: %i[license_scanning],
          metrics: %i[metrics_reports],
          requirements: %i[requirements],
-          coverage_fuzzing: %i[coverage_fuzzing]
+          coverage_fuzzing: %i[coverage_fuzzing],
+          api_fuzzing: %i[api_fuzzing]
        }.freeze

        state_machine :status do

--- a/ee/app/models/ee/merge_request.rb
+++ b/ee/app/models/ee/merge_request.rb
@@ -164,7 +164,8 @@ module EE
        dependency_scanning: report_type_enabled?(:dependency_scanning),
        license_scanning: report_type_enabled?(:license_scanning),
        coverage_fuzzing: report_type_enabled?(:coverage_fuzzing),
-        secret_detection: report_type_enabled?(:secret_detection)
+        secret_detection: report_type_enabled?(:secret_detection),
+        api_fuzzing: report_type_enabled?(:api_fuzzing)
      }
    end

@@ -248,6 +249,12 @@ module EE
      compare_reports(::Ci::CompareSecurityReportsService, current_user, 'coverage_fuzzing')
    end

+    def compare_api_fuzzing_reports(current_user)
+      return missing_report_error('api fuzzing') unless has_api_fuzzing_reports?
+
+      compare_reports(::Ci::CompareSecurityReportsService, current_user, 'api_fuzzing')
+    end
+
    def synchronize_approval_rules_from_target_project
      return if merged?


--- a/ee/app/models/ee/namespace.rb
+++ b/ee/app/models/ee/namespace.rb
@@ -338,7 +338,8 @@ module EE
      feature_available?(:dependency_scanning) ||
      feature_available?(:container_scanning) ||
      feature_available?(:dast) ||
-      feature_available?(:coverage_fuzzing)
+      feature_available?(:coverage_fuzzing) ||
+      feature_available?(:api_fuzzing)
    end

    def free_plan?

--- a/ee/app/models/security/scan.rb
+++ b/ee/app/models/security/scan.rb
@@ -19,7 +19,8 @@ module Security
      container_scanning: 3,
      dast: 4,
      secret_detection: 5,
-      coverage_fuzzing: 6
+      coverage_fuzzing: 6,
+      api_fuzzing: 7
    }

    delegate :project, to: :build

--- a/ee/app/models/vulnerabilities/feedback.rb
+++ b/ee/app/models/vulnerabilities/feedback.rb
@@ -15,7 +15,7 @@ module Vulnerabilities
    attr_accessor :vulnerability_data

    enum feedback_type: { dismissal: 0, issue: 1, merge_request: 2 }, _prefix: :for
-    enum category: { sast: 0, dependency_scanning: 1, container_scanning: 2, dast: 3, secret_detection: 4, coverage_fuzzing: 5 }
+    enum category: { sast: 0, dependency_scanning: 1, container_scanning: 2, dast: 3, secret_detection: 4, coverage_fuzzing: 5, api_fuzzing: 6 }

    validates :project, presence: true
    validates :author, presence: true

--- a/ee/app/models/vulnerabilities/finding.rb
+++ b/ee/app/models/vulnerabilities/finding.rb
@@ -59,7 +59,8 @@ module Vulnerabilities
      container_scanning: 2,
      dast: 3,
      secret_detection: 4,
-      coverage_fuzzing: 5
+      coverage_fuzzing: 5,
+      api_fuzzing: 6
    }.with_indifferent_access.freeze

    enum confidence: CONFIDENCE_LEVELS, _prefix: :confidence

--- a/ee/app/presenters/projects/security/configuration_presenter.rb
+++ b/ee/app/presenters/projects/security/configuration_presenter.rb
@@ -18,7 +18,8 @@ module Projects
        license_scanning: 'user/compliance/license_compliance/index',
        sast: 'user/application_security/sast/index',
        secret_detection: 'user/application_security/secret_detection/index',
-        coverage_fuzzing: 'user/application_security/coverage_fuzzing/index'
+        coverage_fuzzing: 'user/application_security/coverage_fuzzing/index',
+        api_fuzzing: 'user/application_security/api_fuzzing/index'
      }.freeze

      def self.localized_scan_descriptions
@@ -31,7 +32,8 @@ module Projects
          license_scanning: _('Search your project dependencies for their licenses and apply policies.'),
          sast: _('Analyze your source code for known vulnerabilities.'),
          secret_detection: _('Analyze your source code and git history for secrets.'),
-          coverage_fuzzing: _('Find bugs in your code with coverage-guided fuzzing.')
+          coverage_fuzzing: _('Find bugs in your code with coverage-guided fuzzing.'),
+          api_fuzzing: _('Find bugs in your code with API fuzzing.')
        }.freeze
      end

@@ -45,7 +47,8 @@ module Projects
          license_scanning: _('License Compliance'),
          sast: _('Static Application Security Testing (SAST)'),
          secret_detection: _('Secret Detection'),
-          coverage_fuzzing: _('Coverage Fuzzing')
+          coverage_fuzzing: _('Coverage Fuzzing'),
+          api_fuzzing: _('API Fuzzing')
        }.freeze
      end


--- a/ee/changelogs/unreleased/258203-add-api-fuzzing-report.yml
+++ b/ee/changelogs/unreleased/258203-add-api-fuzzing-report.yml
+---
+title: Add API Fuzzing report type (backend)
+merge_request: 43763
+author:
+type: added
--- a/ee/lib/ee/gitlab/ci/parsers.rb
+++ b/ee/lib/ee/gitlab/ci/parsers.rb
@@ -15,6 +15,7 @@ module EE
                container_scanning: ::Gitlab::Ci::Parsers::Security::ContainerScanning,
                dast: ::Gitlab::Ci::Parsers::Security::Dast,
                sast: ::Gitlab::Ci::Parsers::Security::Sast,
+                api_fuzzing: ::Gitlab::Ci::Parsers::Security::Dast,
                coverage_fuzzing: ::Gitlab::Ci::Parsers::Security::CoverageFuzzing,
                secret_detection: ::Gitlab::Ci::Parsers::Security::SecretDetection,
                metrics: ::Gitlab::Ci::Parsers::Metrics::Generic,

--- a/ee/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/configuration_controller_spec.rb
@@ -29,7 +29,7 @@ RSpec.describe Projects::Security::ConfigurationController do
      it 'responds in json format when requested' do
        get :show, params: { namespace_id: project.namespace, project_id: project, format: :json }

-        types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning)
+        types = %w(sast dast dast_profiles dependency_scanning container_scanning secret_detection coverage_fuzzing license_scanning api_fuzzing)

        expect(response).to have_gitlab_http_status(:ok)
        expect(json_response['features'].map { |f| f['type'] }).to match_array(types)

--- a/ee/spec/factories/ci/builds.rb
+++ b/ee/spec/factories/ci/builds.rb
@@ -6,7 +6,7 @@ FactoryBot.define do
      failure_reason { Ci::Build.failure_reasons[:protected_environment_failure] }
    end

-    %i[codequality container_scanning dast dependency_scanning license_management license_scanning performance browser_performance load_performance sast secret_detection coverage_fuzzing].each do |report_type|
+    %i[api_fuzzing codequality container_scanning dast dependency_scanning license_management license_scanning performance browser_performance load_performance sast secret_detection coverage_fuzzing].each do |report_type|
      trait "legacy_#{report_type}".to_sym do
        success
        artifacts
@@ -133,5 +133,11 @@ FactoryBot.define do
        build.job_artifacts << create(:ee_ci_job_artifact, :coverage_fuzzing, job: build)
      end
    end
+
+    trait :api_fuzzing_report do
+      after(:build) do |build|
+        build.job_artifacts << create(:ee_ci_job_artifact, :api_fuzzing, job: build)
+      end
+    end
  end
 end
--- a/ee/spec/factories/ci/job_artifacts.rb
+++ b/ee/spec/factories/ci/job_artifacts.rb
@@ -413,5 +413,16 @@ FactoryBot.define do
          'application/json')
      end
    end
+
+    trait :api_fuzzing do
+      file_format { :raw }
+      file_type { :api_fuzzing }
+
+      after(:build) do |artifact, _|
+        artifact.file = fixture_file_upload(
+          Rails.root.join('ee/spec/fixtures/security_reports/master/gl-api-fuzzing-report.json'),
+          'application/json')
+      end
+    end
  end
 end
--- a/ee/spec/factories/ci/pipelines.rb
+++ b/ee/spec/factories/ci/pipelines.rb
@@ -2,7 +2,7 @@

 FactoryBot.define do
  factory :ee_ci_pipeline, class: 'Ci::Pipeline', parent: :ci_pipeline do
-    %i[browser_performance codequality container_scanning coverage_fuzzing dast dependency_list dependency_scanning license_management license_scanning load_performance sast secret_detection].each do |report_type|
+    %i[api_fuzzing browser_performance codequality container_scanning coverage_fuzzing dast dependency_list dependency_scanning license_management license_scanning load_performance sast secret_detection].each do |report_type|
      trait "with_#{report_type}_report".to_sym do
        status { :success }


--- a/ee/spec/fixtures/api/schemas/vulnerability_feedback.json
+++ b/ee/spec/fixtures/api/schemas/vulnerability_feedback.json
@@ -32,7 +32,7 @@
    },
    "category": {
      "type": "string",
-      "enum": ["sast", "dependency_scanning", "container_scanning", "dast", "coverage_fuzzing"]
+      "enum": ["sast", "dependency_scanning", "container_scanning", "dast", "coverage_fuzzing", "api_fuzzing"]
    },
    "project_fingerprint": { "type": "string" },
    "branch": { "type": ["string", "null"] },

--- a/ee/spec/fixtures/lib/gitlab/import_export/complex/project.json
+++ b/ee/spec/fixtures/lib/gitlab/import_export/complex/project.json
@@ -31,6 +31,7 @@
    "auto_fix_dast": true,
    "auto_fix_dependency_scanning": false,
    "auto_fix_sast": false,
-    "auto_fix_coverage_fuzzing": false
+    "auto_fix_coverage_fuzzing": false,
+    "auto_fix_api_fuzzing": false
  }
 }
--- a/ee/spec/fixtures/lib/gitlab/import_export/complex/tree/project.json
+++ b/ee/spec/fixtures/lib/gitlab/import_export/complex/tree/project.json
-{"security_setting": {"auto_fix_container_scanning": true,"auto_fix_dast": true,"auto_fix_dependency_scanning": false,"auto_fix_sast": false, "auto_fix_coverage":  false}}
+{"security_setting": {"auto_fix_container_scanning": true,"auto_fix_dast": true,"auto_fix_dependency_scanning": false,"auto_fix_sast": false, "auto_fix_coverage":  false, "auto_fix_api_fuzzing": false}}
--- a/ee/spec/fixtures/security_reports/master/gl-api-fuzzing-report.json
+++ b/ee/spec/fixtures/security_reports/master/gl-api-fuzzing-report.json
+{
+  "@generated": "Fri, 13 Apr 2018 09:22:01",
+  "@version": "2.7.0",
+  "scan": {
+    "scanned_resources": [
+      {
+        "method": "GET",
+        "type": "url",
+        "url": "http://api-server/"
+      },
+      {
+        "method": "GET",
+        "type": "url",
+        "url": "http://api-server/v1"
+      },
+      {
+        "method": "DELETE",
+        "type": "url",
+        "url": "http://api-server/v1/tree/10"
+      },
+      {
+        "method": "GET",
+        "type": "url",
+        "url": "http://api-server/v1/tree/10"
+      },
+      {
+        "method": "GET",
+        "type": "url",
+        "url": "http://api-server/v1/trees"
+      },
+      {
+        "method": "POST",
+        "type": "url",
+        "url": "http://api-server/v1/trees"
+      }
+    ]
+  },
+  "site": [
+    {
+      "@host": "goat",
+      "@name": "http://goat:8080",
+      "@port": "8080",
+      "@ssl": "false",
+      "alerts": [
+        {
+          "alert": "Anti CSRF Tokens Scanner",
+          "confidence": "2",
+          "count": "4",
+          "cweid": "352",
+          "desc": "<p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.</p><p></p><p>CSRF attacks are effective in a number of situations, including:</p><p>    * The victim has an active session on the target site.</p><p>    * The victim is authenticated via HTTP auth on the target site.</p><p>    * The victim is on the same local network as the target site.</p><p></p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.</p>",
+          "instances": [
+            {
+              "attack": "",
+              "evidence": "<form method=\"POST\" style=\"width: 200px;\" action=\"/WebGoat/login\">",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/login"
+            },
+            {
+              "attack": "",
+              "evidence": "<form method=\"POST\" style=\"width: 200px;\" action=\"/WebGoat/login\">",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/login?error"
+            },
+            {
+              "attack": "",
+              "evidence": "<form class=\"form-horizontal\" action=\"/WebGoat/register.mvc\" method=\"POST\">",
+              "method": "POST",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/register.mvc"
+            },
+            {
+              "attack": "",
+              "evidence": "<form class=\"form-horizontal\" action=\"/WebGoat/register.mvc\" method=\"POST\">",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/registration"
+            }
+          ],
+          "name": "Anti CSRF Tokens Scanner",
+          "otherinfo": "",
+          "pluginid": "20012",
+          "reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p><p>http://cwe.mitre.org/data/definitions/352.html</p>",
+          "riskcode": "3",
+          "riskdesc": "High (Medium)",
+          "solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.</p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.</p><p></p><p>Phase: Implementation</p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.</p><p></p><p>Phase: Architecture and Design</p><p>Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Use the ESAPI Session Management control.</p><p>This control includes a component for CSRF.</p><p></p><p>Do not use the GET method for any request that triggers a state change.</p><p></p><p>Phase: Implementation</p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.</p>",
+          "sourceid": "1",
+          "wascid": "9"
+        },
+        {
+          "alert": "Absence of Anti-CSRF Tokens",
+          "confidence": "2",
+          "count": "4",
+          "cweid": "352",
+          "desc": "<p>No Anti-CSRF tokens were found in a HTML submission form.</p><p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.</p><p></p><p>CSRF attacks are effective in a number of situations, including:</p><p>    * The victim has an active session on the target site.</p><p>    * The victim is authenticated via HTTP auth on the target site.</p><p>    * The victim is on the same local network as the target site.</p><p></p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.</p>",
+          "instances": [
+            {
+              "attack": "",
+              "evidence": "<form method=\"POST\" style=\"width: 200px;\" action=\"/WebGoat/login\">",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/login"
+            },
+            {
+              "attack": "",
+              "evidence": "<form method=\"POST\" style=\"width: 200px;\" action=\"/WebGoat/login\">",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/login?error"
+            },
+            {
+              "attack": "",
+              "evidence": "<form class=\"form-horizontal\" action=\"/WebGoat/register.mvc\" method=\"POST\">",
+              "method": "POST",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/register.mvc"
+            },
+            {
+              "attack": "",
+              "evidence": "<form class=\"form-horizontal\" action=\"/WebGoat/register.mvc\" method=\"POST\">",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/registration"
+            }
+          ],
+          "name": "Absence of Anti-CSRF Tokens",
+          "otherinfo": "<p>No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret] was found in the following HTML form: [Form 1: \"exampleInputEmail1\" \"exampleInputPassword1\" ].</p>",
+          "pluginid": "10202",
+          "reference": "<p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p><p>http://cwe.mitre.org/data/definitions/352.html</p>",
+          "riskcode": "1",
+          "riskdesc": "Low (Medium)",
+          "solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.</p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.</p><p></p><p>Phase: Implementation</p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.</p><p></p><p>Phase: Architecture and Design</p><p>Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Use the ESAPI Session Management control.</p><p>This control includes a component for CSRF.</p><p></p><p>Do not use the GET method for any request that triggers a state change.</p><p></p><p>Phase: Implementation</p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.</p>",
+          "sourceid": "3",
+          "wascid": "9"
+        },
+        {
+          "alert": "Cookie No HttpOnly Flag",
+          "confidence": "2",
+          "count": "2",
+          "cweid": "16",
+          "desc": "<p>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.</p>",
+          "instances": [
+            {
+              "attack": "",
+              "evidence": "Set-Cookie: JSESSIONID",
+              "method": "GET",
+              "param": "JSESSIONID",
+              "uri": "http://goat:8080/WebGoat/login?logout"
+            },
+            {
+              "attack": "",
+              "evidence": "Set-Cookie: JSESSIONID",
+              "method": "GET",
+              "param": "JSESSIONID",
+              "uri": "http://goat:8080/WebGoat/logout"
+            }
+          ],
+          "name": "Cookie No HttpOnly Flag",
+          "otherinfo": "",
+          "pluginid": "10010",
+          "reference": "<p>http://www.owasp.org/index.php/HttpOnly</p>",
+          "riskcode": "1",
+          "riskdesc": "Low (Medium)",
+          "solution": "<p>Ensure that the HttpOnly flag is set for all cookies.</p>",
+          "sourceid": "3",
+          "wascid": "13"
+        },
+        {
+          "alert": "Cookie Without SameSite Attribute",
+          "confidence": "2",
+          "count": "2",
+          "cweid": "16",
+          "desc": "<p>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p>",
+          "instances": [
+            {
+              "attack": "",
+              "evidence": "Set-Cookie: JSESSIONID",
+              "method": "GET",
+              "param": "JSESSIONID",
+              "uri": "http://goat:8080/WebGoat/login?logout"
+            },
+            {
+              "attack": "",
+              "evidence": "Set-Cookie: JSESSIONID",
+              "method": "GET",
+              "param": "JSESSIONID",
+              "uri": "http://goat:8080/WebGoat/logout"
+            }
+          ],
+          "name": "Cookie Without SameSite Attribute",
+          "otherinfo": "",
+          "pluginid": "10054",
+          "reference": "<p>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site</p>",
+          "riskcode": "1",
+          "riskdesc": "Low (Medium)",
+          "solution": "<p>Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.</p>",
+          "sourceid": "3",
+          "wascid": "13"
+        },
+        {
+          "alert": "Charset Mismatch (Header Versus Meta Content-Type Charset)",
+          "confidence": "1",
+          "count": "1",
+          "cweid": "16",
+          "desc": "<p>This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set.</p><p></p><p>An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.</p>",
+          "instances": [
+            {
+              "attack": "",
+              "evidence": "",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/start.mvc"
+            }
+          ],
+          "name": "Charset Mismatch (Header Versus Meta Content-Type Charset)",
+          "otherinfo": "<p>There was a charset mismatch between the HTTP Header and the META content-type encoding declarations: [UTF-8] and [ISO-8859-1] do not match.</p>",
+          "pluginid": "90011",
+          "reference": "<p>http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection</p>",
+          "riskcode": "0",
+          "riskdesc": "Informational (Low)",
+          "solution": "<p>Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML.</p>",
+          "sourceid": "3",
+          "wascid": "15"
+        },
+        {
+          "alert": "Information Disclosure - Suspicious Comments",
+          "confidence": "2",
+          "count": "4",
+          "cweid": "200",
+          "desc": "<p>The response appears to contain suspicious comments which may help an attacker.</p>",
+          "instances": [
+            {
+              "attack": "",
+              "evidence": "",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/js/html5shiv.js"
+            },
+            {
+              "attack": "",
+              "evidence": "",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/js/modernizr-2.6.2.min.js"
+            },
+            {
+              "attack": "",
+              "evidence": "",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/js/respond.min.js"
+            },
+            {
+              "attack": "",
+              "evidence": "",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/start.mvc"
+            }
+          ],
+          "name": "Information Disclosure - Suspicious Comments",
+          "otherinfo": "<p><!--<button type=\"button\" id=\"admin-button\" class=\"btn btn-default right_nav_button\" title=\"Administrator\">--></p><p><!--<button type=\"button\" id=\"user-management\" class=\"btn btn-default right_nav_button\"--></p><p><!--title=\"User management\">--></p><p></p>",
+          "pluginid": "10027",
+          "reference": "<p></p>",
+          "riskcode": "0",
+          "riskdesc": "Informational (Medium)",
+          "solution": "<p>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.</p>",
+          "sourceid": "3",
+          "wascid": "13"
+        },
+        {
+          "alert": "Loosely Scoped Cookie",
+          "confidence": "1",
+          "count": "2",
+          "cweid": "565",
+          "desc": "<p>Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.</p>",
+          "instances": [
+            {
+              "attack": "",
+              "evidence": "",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/login?logout"
+            },
+            {
+              "attack": "",
+              "evidence": "",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/logout"
+            }
+          ],
+          "name": "Loosely Scoped Cookie",
+          "otherinfo": "<p>The origin domain used for comparison was: </p><p>goat</p><p>JSESSIONID=78EC2C9D7CE583610DCC7826EE416D7F</p><p></p>",
+          "pluginid": "90033",
+          "reference": "<p>https://tools.ietf.org/html/rfc6265#section-4.1</p><p>https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)</p><p>http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies</p>",
+          "riskcode": "0",
+          "riskdesc": "Informational (Low)",
+          "solution": "<p>Always scope cookies to a FQDN (Fully Qualified Domain Name).</p>",
+          "sourceid": "3",
+          "wascid": "15"
+        },
+        {
+          "alert": "Timestamp Disclosure - Unix",
+          "confidence": "1",
+          "count": "5",
+          "cweid": "200",
+          "desc": "<p>A timestamp was disclosed by the application/web server - Unix</p>",
+          "instances": [
+            {
+              "attack": "",
+              "evidence": "00000000",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+            },
+            {
+              "attack": "",
+              "evidence": "33333333",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+            },
+            {
+              "attack": "",
+              "evidence": "42857143",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+            },
+            {
+              "attack": "",
+              "evidence": "80000000",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+            },
+            {
+              "attack": "",
+              "evidence": "66666667",
+              "method": "GET",
+              "param": "",
+              "uri": "http://goat:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+            }
+          ],
+          "name": "Timestamp Disclosure - Unix",
+          "otherinfo": "<p>00000000, which evaluates to: 1970-01-01 00:00:00</p>",
+          "pluginid": "10096",
+          "reference": "<p>https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure</p><p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage</p>",
+          "riskcode": "0",
+          "riskdesc": "Informational (Low)",
+          "solution": "<p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</p>",
+          "sourceid": "3",
+          "wascid": "13"
+        }
+      ]
+    }
+  ],
+  "spider": {
+    "progress": "100",
+    "result": {
+      "urlsInScope": [
+        {
+          "method": "GET",
+          "processed": "false",
+          "reasonNotProcessed": "Not Text",
+          "statusCode": "404",
+          "statusReason": "",
+          "url": "http://goat:8080/"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "302",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "302",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/attack"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/css/animate.css"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/css/coderay.css"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/css/font-awesome.min.css"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/css/lessons.css"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/css/main.css"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "404",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/images/favicon.ico"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/js/html5shiv.js"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/js/libs/require.min.js"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/js/modernizr-2.6.2.min.js"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/js/respond.min.js"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/login"
+        },
+        {
+          "method": "POST",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "302",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/login"
+        },
+        {
+          "method": "GET",
+          "processed": "false",
+          "reasonNotProcessed": "Max Depth",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/login?error"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "302",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/login?logout"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "302",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/logout"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+        },
+        {
+          "method": "POST",
+          "processed": "false",
+          "reasonNotProcessed": "Max Depth",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/register.mvc"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/registration"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "200",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/start.mvc"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "302",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat/welcome.mvc"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "302",
+          "statusReason": "",
+          "url": "http://goat:8080/WebGoat"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "404",
+          "statusReason": "",
+          "url": "http://goat:8080/robots.txt"
+        },
+        {
+          "method": "GET",
+          "processed": "true",
+          "reasonNotProcessed": "",
+          "statusCode": "404",
+          "statusReason": "",
+          "url": "http://goat:8080/sitemap.xml"
+        },
+        {
+          "method": "GET",
+          "processed": "false",
+          "reasonNotProcessed": "Not Text",
+          "statusCode": "404",
+          "statusReason": "",
+          "url": "http://goat:8080"
+        }
+      ],
+      "urlsIoError": [],
+      "urlsOutOfScope": [
+        "http://daneden.me/animate",
+        "http://fontawesome.io/",
+        "http://fontawesome.io/license",
+        "http://getbootstrap.com/",
+        "https://github.com/nickpettit/glide",
+        "https://github.com/twbs/bootstrap/blob/master/LICENSE"
+      ]
+    },
+    "state": "FINISHED"
+  },
+  "version": "2.5",
+  "vulnerabilities": [
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "20012",
+      "description": "A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
+      "identifiers": [
+        {
+          "name": "Anti CSRF Tokens Scanner",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "20012"
+        },
+        {
+          "name": "CWE-352",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/352.html",
+          "value": "352"
+        },
+        {
+          "name": "WASC-9",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Cross-Site-Request-Forgery",
+          "value": "9"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+        },
+        {
+          "url": "http://cwe.mitre.org/data/definitions/352.html"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/login"
+      },
+      "message": "Anti CSRF Tokens Scanner",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "high",
+      "solution": "Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "20012",
+      "description": "A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
+      "identifiers": [
+        {
+          "name": "Anti CSRF Tokens Scanner",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "20012"
+        },
+        {
+          "name": "CWE-352",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/352.html",
+          "value": "352"
+        },
+        {
+          "name": "WASC-9",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Cross-Site-Request-Forgery",
+          "value": "9"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+        },
+        {
+          "url": "http://cwe.mitre.org/data/definitions/352.html"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/login?error"
+      },
+      "message": "Anti CSRF Tokens Scanner",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "high",
+      "solution": "Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "20012",
+      "description": "A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
+      "identifiers": [
+        {
+          "name": "Anti CSRF Tokens Scanner",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "20012"
+        },
+        {
+          "name": "CWE-352",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/352.html",
+          "value": "352"
+        },
+        {
+          "name": "WASC-9",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Cross-Site-Request-Forgery",
+          "value": "9"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+        },
+        {
+          "url": "http://cwe.mitre.org/data/definitions/352.html"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/registration"
+      },
+      "message": "Anti CSRF Tokens Scanner",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "high",
+      "solution": "Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "20012",
+      "description": "A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
+      "identifiers": [
+        {
+          "name": "Anti CSRF Tokens Scanner",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "20012"
+        },
+        {
+          "name": "CWE-352",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/352.html",
+          "value": "352"
+        },
+        {
+          "name": "WASC-9",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Cross-Site-Request-Forgery",
+          "value": "9"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+        },
+        {
+          "url": "http://cwe.mitre.org/data/definitions/352.html"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "POST",
+        "param": "",
+        "path": "/WebGoat/register.mvc"
+      },
+      "message": "Anti CSRF Tokens Scanner",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "high",
+      "solution": "Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10202",
+      "description": "No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
+      "identifiers": [
+        {
+          "name": "Absence of Anti-CSRF Tokens",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10202"
+        },
+        {
+          "name": "CWE-352",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/352.html",
+          "value": "352"
+        },
+        {
+          "name": "WASC-9",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Cross-Site-Request-Forgery",
+          "value": "9"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+        },
+        {
+          "url": "http://cwe.mitre.org/data/definitions/352.html"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/login"
+      },
+      "message": "Absence of Anti-CSRF Tokens",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "low",
+      "solution": "Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10202",
+      "description": "No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
+      "identifiers": [
+        {
+          "name": "Absence of Anti-CSRF Tokens",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10202"
+        },
+        {
+          "name": "CWE-352",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/352.html",
+          "value": "352"
+        },
+        {
+          "name": "WASC-9",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Cross-Site-Request-Forgery",
+          "value": "9"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+        },
+        {
+          "url": "http://cwe.mitre.org/data/definitions/352.html"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/login?error"
+      },
+      "message": "Absence of Anti-CSRF Tokens",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "low",
+      "solution": "Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10202",
+      "description": "No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
+      "identifiers": [
+        {
+          "name": "Absence of Anti-CSRF Tokens",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10202"
+        },
+        {
+          "name": "CWE-352",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/352.html",
+          "value": "352"
+        },
+        {
+          "name": "WASC-9",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Cross-Site-Request-Forgery",
+          "value": "9"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+        },
+        {
+          "url": "http://cwe.mitre.org/data/definitions/352.html"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/registration"
+      },
+      "message": "Absence of Anti-CSRF Tokens",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "low",
+      "solution": "Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10202",
+      "description": "No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf. CSRF attacks are effective in a number of situations, including: * The victim has an active session on the target site. * The victim is authenticated via HTTP auth on the target site. * The victim is on the same local network as the target site. CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.",
+      "identifiers": [
+        {
+          "name": "Absence of Anti-CSRF Tokens",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10202"
+        },
+        {
+          "name": "CWE-352",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/352.html",
+          "value": "352"
+        },
+        {
+          "name": "WASC-9",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Cross-Site-Request-Forgery",
+          "value": "9"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://projects.webappsec.org/Cross-Site-Request-Forgery"
+        },
+        {
+          "url": "http://cwe.mitre.org/data/definitions/352.html"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "POST",
+        "param": "",
+        "path": "/WebGoat/register.mvc"
+      },
+      "message": "Absence of Anti-CSRF Tokens",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "low",
+      "solution": "Phase: Architecture and Design Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, use anti-CSRF packages such as the OWASP CSRFGuard. Phase: Implementation Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script. Phase: Architecture and Design Generate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330). Note that this can be bypassed using XSS. Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation. Note that this can be bypassed using XSS. Use the ESAPI Session Management control. This control includes a component for CSRF. Do not use the GET method for any request that triggers a state change. Phase: Implementation Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10010",
+      "description": "A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.",
+      "identifiers": [
+        {
+          "name": "Cookie No HttpOnly Flag",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10010"
+        },
+        {
+          "name": "CWE-16",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/16.html",
+          "value": "16"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://www.owasp.org/index.php/HttpOnly"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "JSESSIONID",
+        "path": "/WebGoat/login?logout"
+      },
+      "message": "Cookie No HttpOnly Flag",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "low",
+      "solution": "Ensure that the HttpOnly flag is set for all cookies."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10010",
+      "description": "A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.",
+      "evidence": {
+        "request": {
+          "headers": [
+            {
+              "name": "Accept",
+              "value": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
+            },
+            {
+              "name": "Accept-Language",
+              "value": "en-US,en;q=0.5"
+            },
+            {
+              "name": "Connection",
+              "value": "keep-alive"
+            },
+            {
+              "name": "Cookie",
+              "value": "JSESSIONID=BB38BE6D77E83FA7522D1429AA5F2EAF"
+            },
+            {
+              "name": "Host",
+              "value": "goat:8080"
+            },
+            {
+              "name": "Referer",
+              "value": "http://goat:8080/WebGoat/logout"
+            },
+            {
+              "name": "Upgrade-Insecure-Requests",
+              "value": "1"
+            },
+            {
+              "name": "User-Agent",
+              "value": "Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
+            }
+          ],
+          "method": "GET",
+          "url": "http://goat:8080/WebGoat/logout"
+        },
+        "response": {
+          "headers": [
+            {
+              "name": "Connection",
+              "value": "keep-alive"
+            },
+            {
+              "name": "Content-Length",
+              "value": "0"
+            },
+            {
+              "name": "Date",
+              "value": "Thu, 07 May 2020 07:18:06 GMT"
+            },
+            {
+              "name": "Gitlab-DAST-Permission",
+              "value": "allow"
+            },
+            {
+              "name": "Location",
+              "value": "http://goat:8080/WebGoat/login"
+            },
+            {
+              "name": "Server",
+              "value": "nginx/1.17.6"
+            },
+            {
+              "name": "Set-Cookie",
+              "value": "JSESSIONID=1624E8274D30BB5A029F5A18BB7E4400; Path=/WebGoat"
+            },
+            {
+              "name": "X-Content-Type-Options",
+              "value": "nosniff"
+            },
+            {
+              "name": "X-Frame-Options",
+              "value": "DENY"
+            },
+            {
+              "name": "X-XSS-Protection",
+              "value": "1; mode=block"
+            }
+          ],
+          "reason_phrase": "Found",
+          "status_code": 302
+        },
+        "summary": "Set-Cookie: JSESSIONID"
+      },
+      "identifiers": [
+        {
+          "name": "Cookie No HttpOnly Flag",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10010"
+        },
+        {
+          "name": "CWE-16",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/16.html",
+          "value": "16"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://www.owasp.org/index.php/HttpOnly"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "JSESSIONID",
+        "path": "/WebGoat/logout"
+      },
+      "message": "Cookie No HttpOnly Flag",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "low",
+      "solution": "Ensure that the HttpOnly flag is set for all cookies."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10054",
+      "description": "A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.",
+      "identifiers": [
+        {
+          "name": "Cookie Without SameSite Attribute",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10054"
+        },
+        {
+          "name": "CWE-16",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/16.html",
+          "value": "16"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "JSESSIONID",
+        "path": "/WebGoat/login?logout"
+      },
+      "message": "Cookie Without SameSite Attribute",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "low",
+      "solution": "Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10054",
+      "description": "A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.",
+      "identifiers": [
+        {
+          "name": "Cookie Without SameSite Attribute",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10054"
+        },
+        {
+          "name": "CWE-16",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/16.html",
+          "value": "16"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "JSESSIONID",
+        "path": "/WebGoat/logout"
+      },
+      "message": "Cookie Without SameSite Attribute",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "low",
+      "solution": "Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies."
+    },
+    {
+      "category": "dast",
+      "confidence": "low",
+      "cve": "90011",
+      "description": "This check identifies responses where the HTTP Content-Type header declares a charset different from the charset defined by the body of the HTML or XML. When there's a charset mismatch between the HTTP header and content body Web browsers can be forced into an undesirable content-sniffing mode to determine the content's correct character set. An attacker could manipulate content on the page to be interpreted in an encoding of their choice. For example, if an attacker can control content at the beginning of the page, they could inject script using UTF-7 encoded text and manipulate some browsers into interpreting that text.",
+      "identifiers": [
+        {
+          "name": "Charset Mismatch (Header Versus Meta Content-Type Charset)",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "90011"
+        },
+        {
+          "name": "CWE-16",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/16.html",
+          "value": "16"
+        },
+        {
+          "name": "WASC-15",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Application-Misconfiguration",
+          "value": "15"
+        }
+      ],
+      "links": [
+        {
+          "url": "http://code.google.com/p/browsersec/wiki/Part2#Character_set_handling_and_detection"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/start.mvc"
+      },
+      "message": "Charset Mismatch (Header Versus Meta Content-Type Charset)",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Force UTF-8 for all text content in both the HTTP header and meta tags in HTML or encoding declarations in XML."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10027",
+      "description": "The response appears to contain suspicious comments which may help an attacker.",
+      "identifiers": [
+        {
+          "name": "Information Disclosure - Suspicious Comments",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10027"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/js/html5shiv.js"
+      },
+      "message": "Information Disclosure - Suspicious Comments",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10027",
+      "description": "The response appears to contain suspicious comments which may help an attacker.",
+      "identifiers": [
+        {
+          "name": "Information Disclosure - Suspicious Comments",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10027"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/js/modernizr-2.6.2.min.js"
+      },
+      "message": "Information Disclosure - Suspicious Comments",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10027",
+      "description": "The response appears to contain suspicious comments which may help an attacker.",
+      "identifiers": [
+        {
+          "name": "Information Disclosure - Suspicious Comments",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10027"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/js/respond.min.js"
+      },
+      "message": "Information Disclosure - Suspicious Comments",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to."
+    },
+    {
+      "category": "dast",
+      "confidence": "medium",
+      "cve": "10027",
+      "description": "The response appears to contain suspicious comments which may help an attacker.",
+      "identifiers": [
+        {
+          "name": "Information Disclosure - Suspicious Comments",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10027"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/start.mvc"
+      },
+      "message": "Information Disclosure - Suspicious Comments",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Remove all comments that return information that may help an attacker and fix any underlying problems they refer to."
+    },
+    {
+      "category": "dast",
+      "confidence": "low",
+      "cve": "90033",
+      "description": "Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.",
+      "identifiers": [
+        {
+          "name": "Loosely Scoped Cookie",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "90033"
+        },
+        {
+          "name": "CWE-565",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/565.html",
+          "value": "565"
+        },
+        {
+          "name": "WASC-15",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Application-Misconfiguration",
+          "value": "15"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://tools.ietf.org/html/rfc6265#section-4.1"
+        },
+        {
+          "url": "https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)"
+        },
+        {
+          "url": "http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/login?logout"
+      },
+      "message": "Loosely Scoped Cookie",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Always scope cookies to a FQDN (Fully Qualified Domain Name)."
+    },
+    {
+      "category": "dast",
+      "confidence": "low",
+      "cve": "90033",
+      "description": "Cookies can be scoped by domain or path. This check is only concerned with domain scope.The domain scope applied to a cookie determines which domains can access it. For example, a cookie can be scoped strictly to a subdomain e.g. www.nottrusted.com, or loosely scoped to a parent domain e.g. nottrusted.com. In the latter case, any subdomain of nottrusted.com can access the cookie. Loosely scoped cookies are common in mega-applications like google.com and live.com. Cookies set from a subdomain like app.foo.bar are transmitted only to that domain by the browser. However, cookies scoped to a parent-level domain may be transmitted to the parent, or any subdomain of the parent.",
+      "identifiers": [
+        {
+          "name": "Loosely Scoped Cookie",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "90033"
+        },
+        {
+          "name": "CWE-565",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/565.html",
+          "value": "565"
+        },
+        {
+          "name": "WASC-15",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Application-Misconfiguration",
+          "value": "15"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://tools.ietf.org/html/rfc6265#section-4.1"
+        },
+        {
+          "url": "https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)"
+        },
+        {
+          "url": "http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/logout"
+      },
+      "message": "Loosely Scoped Cookie",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Always scope cookies to a FQDN (Fully Qualified Domain Name)."
+    },
+    {
+      "category": "dast",
+      "confidence": "low",
+      "cve": "10096",
+      "description": "A timestamp was disclosed by the application/web server - Unix",
+      "identifiers": [
+        {
+          "name": "Timestamp Disclosure - Unix",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10096"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure"
+        },
+        {
+          "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+      },
+      "message": "Timestamp Disclosure - Unix",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns."
+    },
+    {
+      "category": "dast",
+      "confidence": "low",
+      "cve": "10096",
+      "description": "A timestamp was disclosed by the application/web server - Unix",
+      "identifiers": [
+        {
+          "name": "Timestamp Disclosure - Unix",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10096"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure"
+        },
+        {
+          "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+      },
+      "message": "Timestamp Disclosure - Unix",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns."
+    },
+    {
+      "category": "dast",
+      "confidence": "low",
+      "cve": "10096",
+      "description": "A timestamp was disclosed by the application/web server - Unix",
+      "identifiers": [
+        {
+          "name": "Timestamp Disclosure - Unix",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10096"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure"
+        },
+        {
+          "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+      },
+      "message": "Timestamp Disclosure - Unix",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns."
+    },
+    {
+      "category": "dast",
+      "confidence": "low",
+      "cve": "10096",
+      "description": "A timestamp was disclosed by the application/web server - Unix",
+      "identifiers": [
+        {
+          "name": "Timestamp Disclosure - Unix",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10096"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure"
+        },
+        {
+          "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+      },
+      "message": "Timestamp Disclosure - Unix",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns."
+    },
+    {
+      "category": "dast",
+      "confidence": "low",
+      "cve": "10096",
+      "description": "A timestamp was disclosed by the application/web server - Unix",
+      "identifiers": [
+        {
+          "name": "Timestamp Disclosure - Unix",
+          "type": "ZAProxy_PluginId",
+          "url": "https://github.com/zaproxy/zaproxy/blob/w2019-01-14/docs/scanners.md",
+          "value": "10096"
+        },
+        {
+          "name": "CWE-200",
+          "type": "CWE",
+          "url": "https://cwe.mitre.org/data/definitions/200.html",
+          "value": "200"
+        },
+        {
+          "name": "WASC-13",
+          "type": "WASC",
+          "url": "https://projects.webappsec.org/Information-Leakage",
+          "value": "13"
+        }
+      ],
+      "links": [
+        {
+          "url": "https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure"
+        },
+        {
+          "url": "http://projects.webappsec.org/w/page/13246936/Information%20Leakage"
+        }
+      ],
+      "location": {
+        "hostname": "http://goat:8080",
+        "method": "GET",
+        "param": "",
+        "path": "/WebGoat/plugins/bootstrap/css/bootstrap.min.css"
+      },
+      "message": "Timestamp Disclosure - Unix",
+      "scanner": {
+        "id": "zaproxy",
+        "name": "ZAProxy"
+      },
+      "severity": "info",
+      "solution": "Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns."
+    }
+  ]
+}
\ No newline at end of file
--- a/ee/spec/graphql/types/security_scanner_type_enum_spec.rb
+++ b/ee/spec/graphql/types/security_scanner_type_enum_spec.rb
@@ -4,6 +4,6 @@ require 'spec_helper'

 RSpec.describe GitlabSchema.types['SecurityScannerType'] do
  it 'exposes all security scanner types' do
-    expect(described_class.values.keys).to contain_exactly(*%w[CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SECRET_DETECTION])
+    expect(described_class.values.keys).to match_array(%w[API_FUZZING CONTAINER_SCANNING COVERAGE_FUZZING DAST DEPENDENCY_SCANNING SAST SECRET_DETECTION])
  end
 end
--- a/ee/spec/graphql/types/vulnerability_report_type_enum_spec.rb
+++ b/ee/spec/graphql/types/vulnerability_report_type_enum_spec.rb
@@ -4,6 +4,6 @@ require 'spec_helper'

 RSpec.describe GitlabSchema.types['VulnerabilityReportType'] do
  it 'exposes all vulnerability report types' do
-    expect(described_class.values.keys).to contain_exactly(*%w[SAST SECRET_DETECTION DAST CONTAINER_SCANNING DEPENDENCY_SCANNING COVERAGE_FUZZING])
+    expect(described_class.values.keys).to match_array(%w[SAST SECRET_DETECTION DAST CONTAINER_SCANNING DEPENDENCY_SCANNING COVERAGE_FUZZING API_FUZZING])
  end
 end
--- a/ee/spec/lib/ee/gitlab/usage_data_spec.rb
+++ b/ee/spec/lib/ee/gitlab/usage_data_spec.rb
@@ -535,6 +535,8 @@ RSpec.describe Gitlab::UsageData do
        secret_detection_scans: 0,
        coverage_fuzzing_pipeline: 0,
        coverage_fuzzing_scans: 0,
+        api_fuzzing_pipeline: 0,
+        api_fuzzing_scans: 0,
        user_unique_users_all_secure_scanners: 1
      )
    end
@@ -586,13 +588,15 @@ RSpec.describe Gitlab::UsageData do
        dast_pipeline: 0,
        secret_detection_pipeline: 1,
        coverage_fuzzing_pipeline: 0,
+        api_fuzzing_pipeline: 0,
        user_unique_users_all_secure_scanners: 1,
        sast_scans: 0,
        dependency_scanning_scans: 2,
        container_scanning_scans: 1,
        dast_scans: 0,
        secret_detection_scans: 1,
-        coverage_fuzzing_scans: 0
+        coverage_fuzzing_scans: 0,
+        api_fuzzing_scans: 0
      )
    end

@@ -624,6 +628,8 @@ RSpec.describe Gitlab::UsageData do
        secret_detection_scans: 0,
        coverage_fuzzing_pipeline: 0,
        coverage_fuzzing_scans: 0,
+        api_fuzzing_pipeline: 0,
+        api_fuzzing_scans: 0,
        user_unique_users_all_secure_scanners: 3
      )
    end
@@ -654,6 +660,8 @@ RSpec.describe Gitlab::UsageData do
        secret_detection_scans: 0,
        coverage_fuzzing_pipeline: 0,
        coverage_fuzzing_scans: 0,
+        api_fuzzing_pipeline: 0,
+        api_fuzzing_scans: 0,
        user_unique_users_all_secure_scanners: 1
      )
    end
@@ -684,6 +692,8 @@ RSpec.describe Gitlab::UsageData do
        secret_detection_scans: -1,
        coverage_fuzzing_pipeline: -1,
        coverage_fuzzing_scans: -1,
+        api_fuzzing_pipeline: -1,
+        api_fuzzing_scans: -1,
        user_unique_users_all_secure_scanners: -1
      )
    end

--- a/ee/spec/models/ee/vulnerability_spec.rb
+++ b/ee/spec/models/ee/vulnerability_spec.rb
@@ -16,7 +16,8 @@ RSpec.describe Vulnerability do
      container_scanning: 2,
      dast: 3,
      secret_detection: 4,
-      coverage_fuzzing: 5 }
+      coverage_fuzzing: 5,
+      api_fuzzing: 6 }
  end

  it { is_expected.to define_enum_for(:state).with_values(state_values) }
@@ -306,12 +307,13 @@ RSpec.describe Vulnerability do
    let_it_be(:vulnerability_secret_detection) { create(:vulnerability, :secret_detection) }
    let_it_be(:vulnerability_sast) { create(:vulnerability, :sast) }
    let_it_be(:vulnerability_coverage_fuzzing) { create(:vulnerability, :coverage_fuzzing) }
+    let_it_be(:vulnerability_api_fuzzing) { create(:vulnerability, :api_fuzzing) }

    describe 'asc' do
      subject { described_class.order_report_type_asc }

      it 'returns vulnerabilities ordered by report_type' do
-        is_expected.to eq([vulnerability_coverage_fuzzing, vulnerability_dast, vulnerability_sast, vulnerability_secret_detection])
+        is_expected.to eq([vulnerability_api_fuzzing, vulnerability_coverage_fuzzing, vulnerability_dast, vulnerability_sast, vulnerability_secret_detection])
      end
    end

@@ -319,7 +321,7 @@ RSpec.describe Vulnerability do
      subject { described_class.order_report_type_desc }

      it 'returns vulnerabilities ordered by report_type' do
-        is_expected.to eq([vulnerability_secret_detection, vulnerability_sast, vulnerability_dast, vulnerability_coverage_fuzzing])
+        is_expected.to eq([vulnerability_secret_detection, vulnerability_sast, vulnerability_dast, vulnerability_coverage_fuzzing, vulnerability_api_fuzzing])
      end
    end
  end

--- a/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
+++ b/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
@@ -72,7 +72,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:dependency_scanning, configured: false, auto_dev_ops_enabled: true),
          security_scan(:license_scanning, configured: false, auto_dev_ops_enabled: true),
          security_scan(:secret_detection, configured: true, auto_dev_ops_enabled: true),
-          security_scan(:coverage_fuzzing, configured: false, auto_dev_ops_enabled: true)
+          security_scan(:coverage_fuzzing, configured: false, auto_dev_ops_enabled: true),
+          security_scan(:api_fuzzing, configured: false, auto_dev_ops_enabled: true)
        )
      end
    end
@@ -95,7 +96,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:dependency_scanning, configured: false),
          security_scan(:license_scanning, configured: false),
          security_scan(:secret_detection, configured: false),
-          security_scan(:coverage_fuzzing, configured: false)
+          security_scan(:coverage_fuzzing, configured: false),
+          security_scan(:api_fuzzing, configured: false)
        )
      end
    end
@@ -125,7 +127,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:dependency_scanning, configured: false),
          security_scan(:license_scanning, configured: false),
          security_scan(:secret_detection, configured: true),
-          security_scan(:coverage_fuzzing, configured: false)
+          security_scan(:coverage_fuzzing, configured: false),
+          security_scan(:api_fuzzing, configured: false)
        )
      end

@@ -142,7 +145,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:dependency_scanning, configured: false),
          security_scan(:license_scanning, configured: false),
          security_scan(:secret_detection, configured: false),
-          security_scan(:coverage_fuzzing, configured: false)
+          security_scan(:coverage_fuzzing, configured: false),
+          security_scan(:api_fuzzing, configured: false)
        )
      end

@@ -165,7 +169,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:dependency_scanning, configured: false),
          security_scan(:license_scanning, configured: false),
          security_scan(:secret_detection, configured: false),
-          security_scan(:coverage_fuzzing, configured: false)
+          security_scan(:coverage_fuzzing, configured: false),
+          security_scan(:api_fuzzing, configured: false)
        )
      end

@@ -180,7 +185,8 @@ RSpec.describe Projects::Security::ConfigurationPresenter do
          security_scan(:dependency_scanning, configured: false),
          security_scan(:license_scanning, configured: true),
          security_scan(:secret_detection, configured: true),
-          security_scan(:coverage_fuzzing, configured: false)
+          security_scan(:coverage_fuzzing, configured: false),
+          security_scan(:api_fuzzing, configured: false)
        )
      end


--- a/lib/gitlab/ci/config/entry/reports.rb
+++ b/lib/gitlab/ci/config/entry/reports.rb
@@ -15,7 +15,7 @@ module Gitlab
            %i[junit codequality sast secret_detection dependency_scanning container_scanning
               dast performance browser_performance load_performance license_management license_scanning metrics lsif
               dotenv cobertura terraform accessibility cluster_applications
-               requirements coverage_fuzzing].freeze
+               requirements coverage_fuzzing api_fuzzing].freeze

          attributes ALLOWED_KEYS

@@ -25,6 +25,7 @@ module Gitlab

            with_options allow_nil: true do
              validates :junit, array_of_strings_or_string: true
+              validates :api_fuzzing, array_of_strings_or_string: true
              validates :coverage_fuzzing, array_of_strings_or_string: true
              validates :sast, array_of_strings_or_string: true
              validates :sast, array_of_strings_or_string: true

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -1305,6 +1305,9 @@ msgstr ""
 msgid "ACTION REQUIRED: Something went wrong while obtaining the Let's Encrypt certificate for GitLab Pages domain '%{domain}'"
 msgstr ""

+msgid "API Fuzzing"
+msgstr ""
+
 msgid "API Help"
 msgstr ""

@@ -11365,6 +11368,9 @@ msgstr ""
 msgid "Find File"
 msgstr ""

+msgid "Find bugs in your code with API fuzzing."
+msgstr ""
+
 msgid "Find bugs in your code with coverage-guided fuzzing."
 msgstr ""


--- a/spec/services/ci/retry_build_service_spec.rb
+++ b/spec/services/ci/retry_build_service_spec.rb
@@ -46,7 +46,8 @@ RSpec.describe Ci::RetryBuildService do
       job_variables waiting_for_resource_at job_artifacts_metrics_referee
       job_artifacts_network_referee job_artifacts_dotenv
       job_artifacts_cobertura needs job_artifacts_accessibility
-       job_artifacts_requirements job_artifacts_coverage_fuzzing].freeze
+       job_artifacts_requirements job_artifacts_coverage_fuzzing
+       job_artifacts_api_fuzzing].freeze

  ignore_accessors =
    %i[type lock_version target_url base_tags trace_sections