Get OWASP ZAP Finding Details

[GET] /qps/rest/3.0/get/was/owaspzapfinding/<id>/

Returns details of a specific OWASP ZAP finding.

Permissions required - The user must have the WAS module enabled, and the user account must have these permissions: Access Permission “API Access”; WAS Permissions “Access OWASP ZAP Report” and “Finding read OWASP ZAP”. The output includes only findings for web applications in the user's scope.

Input Parameters

The element “id” (integer) is required; it is the ID of the OWASP ZAP finding to retrieve.


Sample - View details for the finding

Let us view details for the OWASP ZAP finding with the ID 1001.

API request

curl -n -u "USERNAME:PASSWORD" "<qualys_base_url>/qps/rest/3.0/get/was/owaspzapfinding/1001"

XML response

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="<QualysBaseURL>/qps/xsd/3.0/was/owaspzapfinding.xsd">
    <responseCode>SUCCESS</responseCode>
    <count>1</count>
    <data>
        <OwaspZapFinding>
            <id>1001</id>
            <uniqueId>a2e825d4-db9d-49a9-842a-4c22fab555eb</uniqueId>
            <findingType>OWASPZAP</findingType>
            <pluginid>10027</pluginid>
            <alertRef>10027</alertRef>
            <alert>Information Disclosure - Suspicious Comments</alert>
            <name>Information Disclosure - Suspicious Comments</name>
            <riskcode>0</riskcode>
            <confidence>1</confidence>
            <riskdesc>Informational (Low)</riskdesc>
            <confidencedesc>Low</confidencedesc>
            <desc>The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.</desc>
            <count>2</count>
            <solution>Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.</solution>
            <otherinfo>The following pattern was used: \bDB\b and was detected in the element starting with: &quot;var aa,ba=function(a){var b=0;return function(){return b&amp;lt;a.length?{done:!1,value:a[b++]}:{done:!0}}},ca=&quot;function&quot;==typeof Objec&quot;, see evidence field for the suspicious comment/snippet.</otherinfo>
            <cweid>200</cweid>
            <wascid>13</wascid>
            <sourceid>8</sourceid>
            <tags>
            <list>
                <OwaspZapTag>
                <tag>OWASP_2017_A03</tag>
                <link>https://owasp.org/www-project-topten/2017/A3_2017-Sensitive_Data_Exposure.html</link>
                </OwaspZapTag>
                <OwaspZapTag>
                <tag>OWASP_2021_A01</tag>
                <link>https://owasp.org/Top10/A01_2021Broken_Access_Control/</link>
                </OwaspZapTag>
            </list>
            </tags>
            <instances>
            <list>
                <Instance>
                <uri>https://www.googletagservices.com/tag/js/gpt.js</uri>
                <method>GET</method>
                <evidence>query</evidence>
                <requestheader>GET https://www.googletagservices.com/tag/js/gpt.js HTTP/1.1 Host: www.googletagservices.com Connection: keep-alive sec-ch-ua: &quot;Google Chrome&quot;;v=&quot;107&quot;, &quot;Chromium&quot;;v=&quot;107&quot;, &quot;Not=A?Brand&quot;;v=&quot;24&quot; sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 sec-ch-ua-platform: &quot;Windows&quot; Accept: */* Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://jsonlint.com/ Accept-Language: en-US,en;q=0.9 </requestheader>
                <responseheader>HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: text/javascript Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=&quot;adsgpt-scs&quot; Report-To: {&quot;group&quot;:&quot;ads-gptscs&quot;,&quot;max_age&quot;:2592000,&quot;endpoints&quot;:[{&quot;url&quot;:&quot;https://csp.withgoogle.com/csp/report-to/ads-gpt-scs&quot;}]} Timing-Allow-Origin: * Content-Length: 80512 Date: Thu, 17 Nov 2022 05:20:21 GMT Expires: Thu, 17 Nov 2022 05:20:21 GMT Cache-Control: private, max-age=900, stale-while-revalidate=3600 ETag: &quot;1394 / 793 of 1000 / last-modified: 1668639967&quot; X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Alt-Svc: h3=&quot;:443&quot;; ma=2592000,h3-29=&quot;:443&quot;; ma=2592000,h3-Q050=&quot;:443&quot;; ma=2592000,h3-Q046=&quot;:443&quot;; ma=2592000,h3-Q043=&quot;:443&quot;; ma=2592000,quic=&quot;:443&quot;; ma=2592000; v=&quot;46,43&quot; </responseheader>
                </Instance>
                <Instance>
                <uri>https://www.googletagservices.com/tag/js/gpt.js</uri>
                <method>GET</method>
                <evidence>db</evidence>
                <requestheader>GET https://www.googletagservices.com/tag/js/gpt.js HTTP/1.1 Host: www.googletagservices.com Connection: keep-alive sec-ch-ua: &quot;Google Chrome&quot;;v=&quot;107&quot;, &quot;Chromium&quot;;v=&quot;107&quot;, &quot;Not=A?Brand&quot;;v=&quot;24&quot; sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 sec-ch-ua-platform: &quot;Windows&quot; Accept: */* Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: script Referer: https://jsonlint.com/ Accept-Language: en-US,en;q=0.9 </requestheader>
                <responseheader>HTTP/1.1 200 OK Vary: Accept-Encoding Content-Type: text/javascript Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to=&quot;adsgpt-scs&quot; Report-To: {&quot;group&quot;:&quot;ads-gptscs&quot;,&quot;max_age&quot;:2592000,&quot;endpoints&quot;:[{&quot;url&quot;:&quot;https://csp.withgoogle.com/csp/report-to/ads-gpt-scs&quot;}]} Timing-Allow-Origin: * Content-Length: 80512 Date: Thu, 17 Nov 2022 05:20:21 GMT Expires: Thu, 17 Nov 2022 05:20:21 GMT Cache-Control: private, max-age=900, stale-while-revalidate=3600 ETag: &quot;1394 / 793 of 1000 / last-modified: 1668639967&quot; X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Alt-Svc: h3=&quot;:443&quot;; ma=2592000,h3-29=&quot;:443&quot;; ma=2592000,h3-Q050=&quot;:443&quot;; ma=2592000,h3-Q046=&quot;:443&quot;; ma=2592000,h3-Q043=&quot;:443&quot;; ma=2592000,quic=&quot;:443&quot;; ma=2592000; v=&quot;46,43&quot; </responseheader>
                </Instance>
            </list>
            </instances>
        </OwaspZapFinding>
    </data>
</ServiceResponse>
 

XSD

<platform API server>/qps/xsd/3.0/was/owaspzapfinding.xsd
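The request and response above, as an added example in Python (not Qualys code): fetch_zap_finding issues the same HTTP Basic-auth GET as the curl line, and parse_zap_finding checks responseCode and flattens the OwaspZapFinding element, its tags and its instances into a dict. The sample response is constructed from the page's finding 1001 (trimmed); the base URL, credentials and both function names are assumptions.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the page's XML response for finding 1001.
SAMPLE_RESPONSE = """<ServiceResponse>
  <responseCode>SUCCESS</responseCode><count>1</count>
  <data><OwaspZapFinding>
    <id>1001</id><pluginid>10027</pluginid>
    <name>Information Disclosure - Suspicious Comments</name>
    <riskcode>0</riskcode><confidence>1</confidence>
    <riskdesc>Informational (Low)</riskdesc><cweid>200</cweid>
    <tags><list><OwaspZapTag><tag>OWASP_2017_A03</tag></OwaspZapTag>
      <OwaspZapTag><tag>OWASP_2021_A01</tag></OwaspZapTag></list></tags>
    <instances><list>
      <Instance><uri>https://www.googletagservices.com/tag/js/gpt.js</uri><method>GET</method><evidence>query</evidence></Instance>
      <Instance><uri>https://www.googletagservices.com/tag/js/gpt.js</uri><method>GET</method><evidence>db</evidence></Instance>
    </list></instances>
  </OwaspZapFinding></data>
</ServiceResponse>"""

def fetch_zap_finding(base_url, username, password, finding_id, timeout=30):
    """GET /qps/rest/3.0/get/was/owaspzapfinding/<id> with HTTP Basic auth, as curl -u does.
    Returns the raw XML body; needs network access, so it is not called offline."""
    url = f"{base_url.rstrip('/')}/qps/rest/3.0/get/was/owaspzapfinding/{int(finding_id)}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def parse_zap_finding(xml_text):
    """Flatten a ServiceResponse into a dict; fail loudly on a non-SUCCESS responseCode."""
    root = ET.fromstring(xml_text)
    code = root.findtext("responseCode")
    if code != "SUCCESS":
        raise RuntimeError(f"Qualys API returned responseCode={code!r}")
    f = root.find("data/OwaspZapFinding")
    if f is None:
        raise ValueError("response carries no OwaspZapFinding element")
    text = lambda tag: (f.findtext(tag) or "").strip()
    return {
        "id": int(text("id")), "pluginid": text("pluginid"), "name": text("name"),
        "riskcode": int(text("riskcode")), "confidence": int(text("confidence")),
        "riskdesc": text("riskdesc"), "cweid": text("cweid"),
        "tags": [t.text for t in f.findall("tags/list/OwaspZapTag/tag")],
        "instances": [{"uri": i.findtext("uri"), "method": i.findtext("method"),
                       "evidence": i.findtext("evidence")}
                      for i in f.findall("instances/list/Instance")],
    }
```

Piping fetch_zap_finding's output into parse_zap_finding gives a structure that is easy to diff against earlier pulls or to route on riskcode.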