Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OWASP ZAP scan results

    General pfSense Questions
    2
    6
    844
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      nqirer
      last edited by

      For an installation with the latest version of pfSense Plus, an OWASP ZAP scan returns the following potential vulnerabilities:

      • SQL Injection - MsSQL (first detected 12 days ago)
      • SQL Injection - MySQL (first detected 40 days ago)
      • SQL Injection - Hypersonic SQL - Time Based (first detected 47 days ago)
      • SQL Injection - Oracle - Time Based (first detected 47 days ago)
      • SQL Injection - PostgreSQL - Time Based (first detected 47 days ago)
      • Content Security Policy (CSP) Header Not Set (first detected 47 days ago)
      • Strict-Transport-Security Header Not Set (first detected 47 days ago)
      • Cookie without SameSite Attribute (first detected 174 days ago)

      Questions:

      • Can any of these results be resolved by updating certain settings within our pfSense installation?
      • Are some or all of these results false positives?

      Please advise, thank you!

      N 1 Reply Last reply Reply Quote 0
      • N
        nqirer @nqirer
        last edited by

        The following where somehow automatically closed by the scanner today:

        • SQL Injection - MsSQL (first detected 12 days ago)
        • SQL Injection - MySQL (first detected 40 days ago)
        • SQL Injection - Hypersonic SQL - Time Based (first detected 47 days ago)
        • SQL Injection - Oracle - Time Based (first detected 47 days ago)
        • SQL Injection - PostgreSQL - Time Based (first detected 47 days ago)

        These remain open:

        • Content Security Policy (CSP) Header Not Set (first detected 47 days ago)
        • Strict-Transport-Security Header Not Set (first detected 47 days ago)
        • Cookie without SameSite Attribute (first detected 174 days ago)

        Is there any way to update header and cookies within pfSense?

        Thanks

        1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          How are you test that?

          Like where are you testing from? What are you testing against? How is pfSense configured?

          Steve

          1 Reply Last reply Reply Quote 1
          • N
            nqirer
            last edited by

            Thank you for your kind reply.

            Here is the info you requested:

            • For testing we are using a third-party service: we give them a URL as target, which they scan with OWASP ZAP.
            • For pfSense we are using the standard configuration of an EC2 AMI (https://aws.amazon.com/marketplace/pp/prodview-gzywopzvznrr4).

            Thanks again.

            1 Reply Last reply Reply Quote 0
            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              How do you have that configured though? Are you forwarding traffic to other instances in the VPC behind it?
              The alerts it's showing there all look like http(s) issues. Do you still have the firewall webgui open to any source? You should lock that down to known source IPs only. Or better block external access entirely and connect to the firewall using a VPN.

              Steve

              N 1 Reply Last reply Reply Quote 1
              • N
                nqirer @stephenw10
                last edited by

                Thank you for your kind reply.

                I forwarded your suggestions to our dev team.

                For now this ticket is closed.

                Thanks again.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.