Cargill Web Application Scanning Report

The vulnerability scan report identified one high risk vulnerability, four medium risks, eight low risks and six informational alerts on the Cargill FleetConnect web application. The high risk was a cross-site scripting (DOM based) vulnerability that could allow attackers to execute scripts in a user's browser session. The four medium risks were a missing Content-Security-Policy header, a proxy disclosure via TRACE/OPTIONS requests, missing Subresource Integrity attributes on externally loaded stylesheets, and vulnerable JavaScript libraries (two instances: Bootstrap 3.3.6 and jQuery 1.12.1). The low and informational alerts were mostly missing security headers and information disclosures.


4/5/2021 Cargill Web Application Scanning Report

Cargill Web Application Scanning Report


Vulnerability scan report for the Safety IOTRL web application (https://cargill.fleetconnect.io/login?iotrl=true).

Site: https://cargill.fleetconnect.io

Summary of Alerts Generated on Mon, 5 Apr 2021 14:40:38

Risk Level      Number of Alerts
High            1
Medium          4
Low             8
Informational   6

Alerts

Name                                                                        Risk Level      Number of Instances
Cross Site Scripting (DOM Based)                                            High            1
Content Security Policy (CSP) Header Not Set                                Medium          4
Proxy Disclosure                                                            Medium          1
Sub Resource Integrity Attribute Missing                                    Medium          2
Vulnerable JS Library                                                       Medium          2
Absence of Anti-CSRF Tokens                                                 Low             2
Big Redirect Detected (Potential Sensitive Information Leak)                Low             1
Cookie Slack Detector                                                       Low             1
Dangerous JS Functions                                                      Low             1
Feature Policy Header Not Set                                               Low             16
Incomplete or No Cache-control and Pragma HTTP Header Set                   Low             13
Server Leaks Version Information via "Server" HTTP Response Header Field    Low             30
X-Content-Type-Options Header Missing                                       Low             26
Base64 Disclosure                                                           Informational   15
Information Disclosure - Suspicious Comments                                Informational   12
Modern Web Application                                                      Informational   1
Non-Storable Content                                                        Informational   6
Storable and Cacheable Content                                              Informational   24
Timestamp Disclosure - Unix                                                 Informational   4

Alert Detail

file:///C:/Users/sqayoom/2021-04-05-ZAP-Report-.html 1/27
High Cross Site Scripting (DOM Based)
Description Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code
into a user's browser instance. A browser instance can be a standard web browser client, or a
browser object embedded in a software product such as the browser within WinAmp, an RSS
reader, or an email client. The code itself is usually written in HTML/JavaScript, but may also
extend to VBScript, ActiveX, Java, Flash, or any other browser-supported technology.

When an attacker gets a user's browser to execute his/her code, the code will run within the
security context (or zone) of the hosting web site. With this level of privilege, the code has the
ability to read, modify and transmit any sensitive data accessible by the browser. A Cross-site
Scripted user could have his/her account hijacked (cookie theft), their browser redirected to
another location, or possibly shown fraudulent content delivered by the web site they are
visiting. Cross-site Scripting attacks essentially compromise the trust relationship between a
user and the web site. Applications utilizing browser object instances which load content from
the file system may execute code under the local machine zone allowing for system
compromise.

There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.

Non-persistent attacks and DOM-based attacks require a user to either visit a specially crafted
link laced with malicious code, or visit a malicious web page containing a web form, which
when posted to the vulnerable site, will mount the attack. Using a malicious form will
oftentimes take place when the vulnerable resource only accepts HTTP POST requests. In
such a case, the form can be submitted automatically, without the victim's knowledge (e.g. by
using JavaScript). Upon clicking on the malicious link or submitting the malicious form, the
XSS payload will get echoed back and will get interpreted by the user's browser and execute.
Another technique to send almost arbitrary requests (GET and POST) is by using an
embedded client, such as Adobe Flash.

Persistent attacks occur when the malicious code is submitted to a web site where it's stored
for a period of time. Examples of an attacker's favorite targets often include message board
posts, web mail messages, and web chat software. The unsuspecting user is not required to
interact with any additional site/link (e.g. an attacker site or a malicious link sent via email),
just simply view the web page containing the code.

URL https://cargill.fleetconnect.io/login?iotrl=true#jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Method GET
Attack #jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Evidence
Instances 1
Solution Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides
constructs that make this weakness easier to avoid.

Examples of libraries and frameworks that make it easier to generate properly encoded output
include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache
Wicket.

Phases: Implementation; Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected.
This is especially important when transmitting data between different components, or when
generating outputs that can contain multiple encodings at the same time, such as web pages
or multi-part mail messages. Study all expected communication protocols and data
representations to determine the required encoding strategies.

For any data that will be output to another web page, especially any data that was received
from external inputs, use the appropriate encoding on all non-alphanumeric characters.

Consult the XSS Prevention Cheat Sheet for more details on the types of encoding and
escaping that are needed.

Phase: Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are
duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side
checks by modifying values after the checks have been performed, or by changing the client to
remove the client-side checks entirely. Then, these modified values would be submitted to the
server.

If available, use structured mechanisms that automatically enforce the separation between data
and code. These mechanisms may be able to provide the relevant quoting, encoding, and
validation automatically, instead of relying on the developer to provide this capability at every
point where output is generated.

Phase: Implementation

For every web page that is generated, use and specify a character encoding such as ISO-
8859-1 or UTF-8. When an encoding is not specified, the web browser may choose a different
encoding by guessing which encoding is actually being used by the web page. This can cause
the web browser to treat certain sequences as special, opening up the client to subtle XSS
attacks. See CWE-116 for more mitigations related to encoding/escaping.

To help mitigate XSS attacks against the user's session cookie, set the session cookie to be
HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of
Internet Explorer and Firefox), this attribute can prevent the user's session cookie from being
accessible to malicious client-side scripts that use document.cookie. This is not a complete
solution, since HttpOnly is not supported by all browsers. More importantly, XMLHTTPRequest
and other powerful browser technologies provide read access to HTTP headers, including the
Set-Cookie header in which the HttpOnly flag is set.

Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use
an allow list of acceptable inputs that strictly conform to specifications. Reject any input that
does not strictly conform to specifications, or transform it into something that does. Do not rely
exclusively on looking for malicious or malformed inputs (i.e., do not rely on a deny list).
However, deny lists can be useful for detecting potential attacks or determining which inputs
are so malformed that they should be rejected outright.

When performing input validation, consider all potentially relevant properties, including length,
type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency
across related fields, and conformance to business rules. As an example of business rule
logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but
it is not valid if you are expecting colors such as "red" or "blue."

Ensure that you perform input validation at well-defined interfaces within the application. This
will help protect the application even if a component is reused or moved elsewhere.
Reference http://projects.webappsec.org/Cross-Site-Scripting
http://cwe.mitre.org/data/definitions/79.html
CWE Id 79
WASC Id 8
Plugin Id 40026
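What the payload above exercises, and what the Solution asks for, is easiest to see in code. The block below is an added example written for this page, not code from the FleetConnect application: the report does not say which DOM sink consumed the fragment, so the example assumes the fragment is written into an innerHTML-style sink and into an href, and simulates both sinks with string building so that it runs outside a browser. It copies the scanner's payload verbatim, shows it surviving an unencoded render, then applies HTML-context encoding and a URL-scheme allowlist, the two controls that close a DOM XSS of this shape. The mixed-case "jaVasCript:" prefix in the payload is there to defeat case-sensitive scheme checks, which is why the allowlist lowercases the scheme and strips the whitespace and control characters that browsers ignore in URLs.

```javascript
// Added example: hardening a DOM sink against the payload reported above.
// Not code from the scanned application. The sinks (location.hash written
// into innerHTML and into an href) are assumptions about where the fragment ends up.

// The scanner's payload, copied from the report's URL fragment.
const REPORT_PAYLOAD =
  "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert())//%0D%0A%0d%0a//" +
  "</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//>\\x3e";

// Apps commonly percent-decode the fragment before use; a malformed percent
// sequence must not crash the page, so fall back to the raw value.
function decodeFragment(fragment) {
  try {
    return decodeURIComponent(fragment);
  } catch (e) {
    return fragment;
  }
}

// Vulnerable pattern: untrusted text concatenated into markup (innerHTML-style sink).
function renderUnsafe(fragment) {
  return '<div id="msg">' + decodeFragment(fragment) + "</div>";
}

// HTML entity encoding for the HTML body context (OWASP XSS cheat sheet, rule 1).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
function encodeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// Hardened pattern: encode for the context the value lands in.
function renderSafe(fragment) {
  return '<div id="msg">' + encodeHtml(decodeFragment(fragment)) + "</div>";
}

// URL-context sink (href/src): entity encoding is not enough, because a
// "javascript:" URL is a perfectly valid attribute value. Allowlist the scheme.
// Browsers strip tab, newline and leading control characters from URLs, so strip
// them before matching, and compare the scheme case-insensitively.
function safeHref(raw) {
  const cleaned = String(raw).replace(/[\u0000-\u0020\u007f]/g, "");
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (scheme) {
    return ["http", "https"].includes(scheme[1].toLowerCase()) ? cleaned : "about:blank";
  }
  // No scheme: allow site-relative paths only, not protocol-relative "//host".
  return cleaned.startsWith("/") && !cleaned.startsWith("//") ? cleaned : "about:blank";
}

// Scanner-style self-check: did a tag from the payload survive into the markup?
function payloadSurvives(markup) {
  return /<svg|<script/i.test(markup);
}

// Summary of the three outcomes for the report's payload.
function demo() {
  return {
    unsafeRenderExecutes: payloadSurvives(renderUnsafe(REPORT_PAYLOAD)), // true
    safeRenderExecutes: payloadSurvives(renderSafe(REPORT_PAYLOAD)),     // false
    hrefAfterAllowlist: safeHref(REPORT_PAYLOAD),                        // "about:blank"
  };
}
```

The encoding function is deliberately context-specific: the same value placed inside a JavaScript string, a CSS value or a URL query needs a different encoder, which is the point the Solution makes about "the context in which your data will be used".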

Medium Content Security Policy (CSP) Header Not Set


Description Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate
certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These
attacks are used for everything from data theft to site defacement or distribution of malware.
CSP provides a set of standard HTTP headers that allow website owners to declare approved
sources of content that browsers should be allowed to load on that page. Covered types are
JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets,
ActiveX, audio and video files.

URL https://cargill.fleetconnect.io/login
Method GET
Attack
Evidence

URL https://cargill.fleetconnect.io/login?iotrl=true
Method GET
Attack
Evidence
URL https://cargill.fleetconnect.io/sitemap.xml
Method GET
Attack
Evidence
URL https://cargill.fleetconnect.io/index.html
Method POST
Attack
Evidence
Instances 4
Solution Ensure that your web server, application server, load balancer, etc. is configured to set the
Content-Security-Policy header. The standard "Content-Security-Policy" header is honoured by
Chrome 25+, Firefox 23+ and Safari 7+; the prefixed "X-Content-Security-Policy" (Firefox 4.0+,
Internet Explorer 10+) and "X-WebKit-CSP" (Chrome 14+, Safari 6+) variants are legacy names
that current browsers ignore, so sending them adds nothing for a modern client base.
Reference https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy
https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
http://www.w3.org/TR/CSP/
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
http://caniuse.com/#feat=contentsecuritypolicy
http://content-security-policy.com/
CWE Id 16
WASC Id 15
Plugin Id 10038

Medium Proxy Disclosure


Description 1 proxy server was detected or fingerprinted. This information helps a potential attacker to
determine:

- A list of targets for an attack against the application.

- Potential vulnerabilities on the proxy servers that service the application.

- The presence or absence of any proxy-based components that might cause attacks against
the application to be detected, prevented, or mitigated.

URL https://cargill.fleetconnect.io/login?iotrl=true
Method GET
Attack TRACE, OPTIONS methods with 'Max-Forwards' header. TRACK method.

Evidence
Instances 1
Solution Disable the 'TRACE' method on the proxy servers, as well as the origin web/application server.

Disable the 'OPTIONS' method on the proxy servers, as well as the origin web/application
server, if it is not required for other purposes, such as 'CORS' (Cross Origin Resource Sharing).

Configure the web and application servers with custom error pages, to prevent 'fingerprintable'
product-specific error pages being leaked to the user in the event of HTTP errors, such as
'TRACK' requests for non-existent pages.

Configure all proxies, application servers, and web servers to prevent disclosure of the
technology and version information in the 'Server' and 'X-Powered-By' HTTP response headers.
Reference https://tools.ietf.org/html/rfc7231#section-5.1.2
CWE Id 200
WASC Id 45
Plugin Id 40025

Medium Sub Resource Integrity Attribute Missing


Description The integrity attribute is missing on a script or link tag served by an external server. The
integrity attribute lets the browser reject the resource if an attacker who has gained access to
that server (or to the path between it and the user) substitutes malicious content.

URL https://cargill.fleetconnect.io/sitemap.xml
Method GET
Attack
Evidence <link href="https://fonts.googleapis.com/css?family=Raleway:100,600" rel="stylesheet" type="text/css">
URL https://cargill.fleetconnect.io/index.html
Method POST
Attack
Evidence <link href="https://fonts.googleapis.com/css?family=Raleway:100,600" rel="stylesheet" type="text/css">
Instances 2
Solution Provide a valid integrity attribute to the tag.
Reference https://developer.mozilla.org/en/docs/Web/Security/Subresource_Integrity
CWE Id 16
WASC Id 15
Plugin Id 90003

Medium Vulnerable JS Library


Description The identified library jquery, version 1.12.1 is vulnerable.

URL https://cargill.fleetconnect.io/js/bootstrap.min.js
Method GET
Attack
Evidence * Bootstrap v3.3.6

URL https://cargill.fleetconnect.io/js/jquery.min.js
Method GET

Attack
Evidence /*! jQuery v1.12.1
Instances 2
Solution Please upgrade to the latest version of jquery.
Reference https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
https://nvd.nist.gov/vuln/detail/CVE-2019-11358
https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
CWE Id 829
WASC Id
Plugin Id 10003
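CVE-2019-11358, referenced above, is prototype pollution in jQuery.extend(true, ...) before 3.4.0: a deep merge that does not filter the "__proto__" key lets attacker-supplied JSON write properties onto Object.prototype, after which every object in the page inherits them. The block below is an added example that reproduces the bug class in a simplified merge (it is not jQuery's source) and shows the key filtering that fixes it, so a reviewer can confirm whether the finding matters for the code paths that merge untrusted input. Upgrading jQuery remains the remediation; the 3.5.0 release referenced above additionally fixed HTML-string parsing issues that lead to XSS.

```javascript
// Added example: the bug class behind CVE-2019-11358 in a simplified deep merge.
// Not jQuery's code. ATTACKER_JSON is constructed input, e.g. a JSON body or
// parsed query string that the page merges into its settings object.

// Simplified stand-in for the pre-3.4.0 behaviour: recursive copy, no key filtering.
function mergeVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      // "__proto__" resolves to Object.prototype here, so the recursion writes into it.
      if (typeof target[key] !== "object" || target[key] === null) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Fixed pattern: own keys only, and never walk into the keys that reach a prototype.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          typeof target[key] !== "object" || target[key] === null) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON.parse creates "__proto__" as an ordinary own property, which is exactly
// how the key reaches a merge routine from a request body.
const ATTACKER_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Run one merge and report whether an unrelated, freshly created object was
// affected. The finally block undoes any pollution so the process stays sane.
function pollutionCheck(mergeFn) {
  const settings = { theme: "light" };
  try {
    mergeFn(settings, JSON.parse(ATTACKER_JSON));
    return { theme: settings.theme, unrelatedObjectIsAdmin: ({}).isAdmin === true };
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

The practical impact depends on what the application later reads from objects it assumes are clean: a polluted isAdmin, a polluted template option, or a polluted header name in a request library are the usual paths from this bug to authorization bypass or XSS.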

Low Absence of Anti-CSRF Tokens


Description No Anti-CSRF tokens were found in an HTML submission form.

A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request
to a target destination without their knowledge or intent in order to perform an action as the
victim. The underlying cause is application functionality using predictable URL/form actions in a
repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for
a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site.
Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request
forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and
sea surf.

CSRF attacks are effective in a number of situations, including:

* The victim has an active session on the target site.

* The victim is authenticated via HTTP auth on the target site.

* The victim is on the same local network as the target site.

CSRF has primarily been used to perform an action against a target site using the victim's
privileges, but recent techniques have been discovered to disclose information by gaining
access to the response. The risk of information disclosure is dramatically increased when the
target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing
the attack to operate within the bounds of the same-origin policy.

URL https://cargill.fleetconnect.io/login?iotrl=true
Method GET
Attack
Evidence <form class="login-form" action="" method="post" name="login_form" id="login_form" style="">
URL https://cargill.fleetconnect.io/login?iotrl=true
Method GET
Attack
Evidence <form class="forget-form" action="index.html" method="post" id="forget_form" name="forget_form">
Instances 2
Solution Phase: Architecture and Design

Use a vetted library or framework that does not allow this weakness to occur or provides
constructs that make this weakness easier to avoid.

For example, use anti-CSRF packages such as the OWASP CSRFGuard.


Phase: Implementation

Ensure that your application is free of cross-site scripting issues, because most CSRF
defenses can be bypassed using attacker-controlled script.

Phase: Architecture and Design

Generate a unique nonce for each form, place the nonce into the form, and verify the nonce
upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).

Note that this can be bypassed using XSS.

Identify especially dangerous operations. When the user performs a dangerous operation, send
a separate confirmation request to ensure that the user intended to perform that operation.

Note that this can be bypassed using XSS.

Use the ESAPI Session Management control.

This control includes a component for CSRF.

Do not use the GET method for any request that triggers a state change.

Phase: Implementation

Check the HTTP Referer header to see if the request originated from an expected page. This
could break legitimate functionality, because users or proxies may have disabled sending the
Referer for privacy reasons.
Reference http://projects.webappsec.org/Cross-Site-Request-Forgery
http://cwe.mitre.org/data/definitions/352.html
CWE Id 352
WASC Id 9
Plugin Id 10202

Low Big Redirect Detected (Potential Sensitive Information Leak)


Description The server has responded with a redirect that seems to provide a large response. This may
indicate that although the server sent a redirect it also responded with body content (which
may include sensitive details, PII, etc.).

URL https://cargill.fleetconnect.io/

Method GET
Attack

Evidence
Instances 1
Solution Ensure that no sensitive information is leaked via redirect responses. Redirect responses
should have almost no content.
Reference
CWE Id 201
WASC Id 13
Plugin Id 10044

Low Cookie Slack Detector


Description Repeated GET requests: drop a different cookie each time, followed by normal request with all
cookies to stabilize session, compare responses against original baseline GET. This can
reveal areas where cookie based authentication/attributes are not actually enforced.


URL https://cargill.fleetconnect.io/login?iotrl=true

Method GET

Attack
Evidence
Instances 1
Solution
Reference http://projects.webappsec.org/Fingerprinting
CWE Id 200
WASC Id 45
Plugin Id 90027

Low Dangerous JS Functions


Description A dangerous JS function seems to be in use that would leave the site vulnerable.

URL https://cargill.fleetconnect.io/js/jquery.min.js
Method GET

Attack
Evidence Eval
Instances 1
Solution See the references for security advice on the use of these functions.
Reference https://angular.io/guide/security
CWE Id 749
WASC Id
Plugin Id 10110

Low Feature Policy Header Not Set


Description Feature Policy is an added layer of security that restricts which browser/client features
web resources are allowed to use. It protects user privacy by letting a site declare, per page,
which browser features may be used. Feature Policy is delivered as a standard HTTP header that
allows website owners to limit which features of the browser the page may use, such as camera,
microphone, location, full screen, etc.

Attack and Evidence are empty for every instance.

Method  URL
GET     https://cargill.fleetconnect.io/js/additional-methods.min.js
GET     https://cargill.fleetconnect.io/js/app.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap-hover-dropdown.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap-switch.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap.min.js
GET     https://cargill.fleetconnect.io/js/jquery.blockui.min.js
GET     https://cargill.fleetconnect.io/js/jquery.min.js
GET     https://cargill.fleetconnect.io/js/jquery.slimscroll.min.js
GET     https://cargill.fleetconnect.io/js/jquery.validate.min.js
GET     https://cargill.fleetconnect.io/js/js.cookie.min.js
GET     https://cargill.fleetconnect.io/js/login.min.js
GET     https://cargill.fleetconnect.io/js/select2.full.min.js
GET     https://cargill.fleetconnect.io/login
GET     https://cargill.fleetconnect.io/login?iotrl=true
GET     https://cargill.fleetconnect.io/sitemap.xml
POST    https://cargill.fleetconnect.io/index.html
Instances 16
Solution Ensure that your web server, application server, load balancer, etc. is configured to set the
Feature-Policy header. Note that the header has since been renamed Permissions-Policy, with a
different value syntax; current browsers read Permissions-Policy, so send that one and keep
Feature-Policy only for older clients and for scanners that still check for the old name.
Reference https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
https://developers.google.com/web/updates/2018/06/feature-policy
https://scotthelme.co.uk/a-new-security-header-feature-policy/
https://w3c.github.io/webappsec-feature-policy/
https://www.smashingmagazine.com/2018/12/feature-policy/
CWE Id 16
WASC Id 15
Plugin Id 10063

Low Incomplete or No Cache-control and Pragma HTTP Header Set


Description The Cache-Control and Pragma HTTP headers have not been set properly or are missing, allowing
the browser and proxies to cache content.

Attack is empty for every instance; Evidence is the Cache-Control value observed, where one was present.

Method  URL                                                             Evidence
GET     https://cargill.fleetconnect.io/css/bootstrap-switch.min.css
GET     https://cargill.fleetconnect.io/css/bootstrap.min.css
GET     https://cargill.fleetconnect.io/css/components-md.min.css
GET     https://cargill.fleetconnect.io/css/font-awesome.min.css
GET     https://cargill.fleetconnect.io/css/login.min.css
GET     https://cargill.fleetconnect.io/css/plugins-md.min.css
GET     https://cargill.fleetconnect.io/css/select2-bootstrap.min.css
GET     https://cargill.fleetconnect.io/css/select2.min.css
GET     https://cargill.fleetconnect.io/css/simple-line-icons.min.css
GET     https://cargill.fleetconnect.io/login                           no-cache, private
GET     https://cargill.fleetconnect.io/login?iotrl=true                no-cache, private
GET     https://cargill.fleetconnect.io/robots.txt
POST    https://cargill.fleetconnect.io/login?iotrl=true                no-cache, private
Instances 13
Solution Whenever possible ensure the cache-control HTTP header is set with no-cache, no-store,
must-revalidate; and that the pragma HTTP header is set with no-cache.
Reference https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#web-content-caching

CWE Id 525
WASC Id 13
Plugin Id 10015

Low Server Leaks Version Information via "Server" HTTP Response Header Field
Description The web/application server is leaking version information via the "Server" HTTP response
header. Access to such information may facilitate attackers identifying other vulnerabilities your
web/application server is subject to.

Attack is empty for every instance; Evidence is nginx/1.16.1 for every instance.

Method  URL
GET     https://cargill.fleetconnect.io/
GET     https://cargill.fleetconnect.io/css/bootstrap-switch.min.css
GET     https://cargill.fleetconnect.io/css/bootstrap.min.css
GET     https://cargill.fleetconnect.io/css/components-md.min.css
GET     https://cargill.fleetconnect.io/css/font-awesome.min.css
GET     https://cargill.fleetconnect.io/css/login.min.css
GET     https://cargill.fleetconnect.io/css/plugins-md.min.css
GET     https://cargill.fleetconnect.io/css/select2-bootstrap.min.css
GET     https://cargill.fleetconnect.io/css/select2.min.css
GET     https://cargill.fleetconnect.io/css/simple-line-icons.min.css
GET     https://cargill.fleetconnect.io/favicon.ico
GET     https://cargill.fleetconnect.io/img/logo.png
GET     https://cargill.fleetconnect.io/js/additional-methods.min.js
GET     https://cargill.fleetconnect.io/js/app.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap-hover-dropdown.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap-switch.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap.min.js
GET     https://cargill.fleetconnect.io/js/jquery.blockui.min.js
GET     https://cargill.fleetconnect.io/js/jquery.min.js
GET     https://cargill.fleetconnect.io/js/jquery.slimscroll.min.js
GET     https://cargill.fleetconnect.io/js/jquery.validate.min.js
GET     https://cargill.fleetconnect.io/js/js.cookie.min.js
GET     https://cargill.fleetconnect.io/js/login.min.js
GET     https://cargill.fleetconnect.io/js/select2.full.min.js
GET     https://cargill.fleetconnect.io/login
GET     https://cargill.fleetconnect.io/login?iotrl=true
GET     https://cargill.fleetconnect.io/robots.txt
GET     https://cargill.fleetconnect.io/sitemap.xml
POST    https://cargill.fleetconnect.io/index.html
POST    https://cargill.fleetconnect.io/login?iotrl=true
Instances 30
Solution Ensure that your web server, application server, load balancer, etc. is configured to suppress
the "Server" header or provide generic details.
Reference http://httpd.apache.org/docs/current/mod/core.html#servertokens
http://msdn.microsoft.com/en-us/library/ff648552.aspx#ht_urlscan_007
http://blogs.msdn.com/b/varunm/archive/2013/04/23/remove-unwanted-http-response-headers.aspx
http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
CWE Id 200
WASC Id 13
Plugin Id 10036

Low X-Content-Type-Options Header Missing


Description The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows
older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body,
potentially causing the response body to be interpreted and displayed as a content type other
than the declared content type. Current (early 2014) and legacy versions of Firefox will use the
declared content type (if one is set), rather than performing MIME-sniffing.

Attack and Evidence are empty for every instance.

Method  URL
GET     https://cargill.fleetconnect.io/css/bootstrap-switch.min.css
GET     https://cargill.fleetconnect.io/css/bootstrap.min.css
GET     https://cargill.fleetconnect.io/css/components-md.min.css
GET     https://cargill.fleetconnect.io/css/font-awesome.min.css
GET     https://cargill.fleetconnect.io/css/login.min.css
GET     https://cargill.fleetconnect.io/css/plugins-md.min.css
GET     https://cargill.fleetconnect.io/css/select2-bootstrap.min.css
GET     https://cargill.fleetconnect.io/css/select2.min.css
GET     https://cargill.fleetconnect.io/css/simple-line-icons.min.css
GET     https://cargill.fleetconnect.io/img/logo.png
GET     https://cargill.fleetconnect.io/js/additional-methods.min.js
GET     https://cargill.fleetconnect.io/js/app.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap-hover-dropdown.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap-switch.min.js
GET     https://cargill.fleetconnect.io/js/bootstrap.min.js
GET     https://cargill.fleetconnect.io/js/jquery.blockui.min.js
GET     https://cargill.fleetconnect.io/js/jquery.min.js
GET     https://cargill.fleetconnect.io/js/jquery.slimscroll.min.js
GET     https://cargill.fleetconnect.io/js/jquery.validate.min.js
GET     https://cargill.fleetconnect.io/js/js.cookie.min.js
GET     https://cargill.fleetconnect.io/js/login.min.js
GET     https://cargill.fleetconnect.io/js/select2.full.min.js
GET     https://cargill.fleetconnect.io/login
GET     https://cargill.fleetconnect.io/login?iotrl=true
GET     https://cargill.fleetconnect.io/robots.txt
POST    https://cargill.fleetconnect.io/login?iotrl=true
Instances 26
Solution
Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.
If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
Reference
http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx
https://owasp.org/www-community/Security_Headers
CWE Id 16
WASC Id 15
Plugin Id 10021
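Most of the 26 instances above are static CSS, JavaScript and image files. The header matters on those too: once `X-Content-Type-Options: nosniff` is set, a browser refuses to run a `<script>` response that is not served with a JavaScript MIME type and refuses a stylesheet that is not text/css, so the Content-Type of every asset has to be correct before (or together with) adding the header. The check below is an added example and not part of the ZAP report: it re-tests captured response headers against rule 10021 and groups URLs per finding the way the report groups instances. The sample responses are constructed for illustration and were not captured from the site.

```python
"""Check captured responses for the X-Content-Type-Options finding (ZAP rule 10021).

Added example, not part of the ZAP report. The response headers below are
constructed to model the finding: a static asset served without the header,
two hardened responses, and one response with no Content-Type at all.
"""
from typing import Dict, List, Optional

# Content-Type values that leave the browser guessing and invite MIME sniffing.
GENERIC_TYPES = {"application/octet-stream", "text/plain", "application/unknown"}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_content_type(headers: Dict[str, str]) -> List[str]:
    """Return finding codes for one response (an empty list means clean)."""
    findings: List[str] = []
    ctype = get_header(headers, "Content-Type")
    if ctype is None:
        findings.append("content-type-missing")
    elif ctype.split(";", 1)[0].strip().lower() in GENERIC_TYPES:
        findings.append("content-type-generic")
    xcto = get_header(headers, "X-Content-Type-Options")
    if xcto is None:
        findings.append("nosniff-missing")
    elif xcto.lower() != "nosniff":   # browsers compare the value case-insensitively
        findings.append("nosniff-wrong-value")
    return findings


def audit_site(responses: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Group URLs by finding code, the way the report groups instances per alert."""
    grouped: Dict[str, List[str]] = {}
    for url, headers in responses.items():
        for code in audit_content_type(headers):
            grouped.setdefault(code, []).append(url)
    return grouped


# Constructed responses (not captured from the site); URLs are the report's.
SAMPLE_RESPONSES = {
    "https://cargill.fleetconnect.io/css/plugins-md.min.css": {
        "Content-Type": "text/css", "Cache-Control": "max-age=86400"},
    "https://cargill.fleetconnect.io/js/app.min.js": {
        "Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff"},
    "https://cargill.fleetconnect.io/login": {
        "Content-Type": "text/html; charset=UTF-8", "x-content-type-options": "NOSNIFF"},
    "https://cargill.fleetconnect.io/robots.txt": {
        "X-Content-Type-Options": "nosniff"},
}

if __name__ == "__main__":
    for code, urls in audit_site(SAMPLE_RESPONSES).items():
        print(code, len(urls), "instance(s)")
        for url in urls:
            print("   ", url)
```

Feed `audit_site` the headers recorded by the proxy for every URL in the report's instance list; a non-empty `nosniff-missing` group after the fix means the header is being set on some routes only (a common result when it is added in the application framework rather than at the web server or CDN that serves the static files).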

Informational Base64 Disclosure

Description
Base64 encoded data was disclosed by the application/web server. Note: in the interests of performance not all base64 strings in the response were analyzed individually, the entire response should be looked at by the analyst/security team/developer(s).

GET | https://cargill.fleetconnect.io/ | Attack: none | Evidence: eyJpdiI6ImFreUFlcUdLWVNGT2xrZ3RtV0ppM2c9PSIsInZhbHVlIjoiN1BqUkI2Z3NYYW1uWUlQNXQ2WW13V3NqYXEwM1lxcCtCdEIyenNtaE9wNks3cElaMndOVVBDTTkxTnhUV005cXJcLzl1aWZvb0k1ZThBMFh1TWd5VjZnPT0iLCJtYWMiOiI4OGVlNjEyOTAyNmRhZTFmYzFjYmM1NzI5MTFhYzU2MTNkODdiM2MyNDU5OTBhZjE2YWZiN2E2MTM3ZGI4MWEzIn0
GET | https://cargill.fleetconnect.io/ | Attack: none | Evidence: eyJpdiI6IlZtaGJOQmE4Wk1GMGM3WUY5NklWUFE9PSIsInZhbHVlIjoiZGtzbUQzbUZ1TGRCNHVVck9zYTl5U2lRMkd1YTQ3SHpUM2YrYkpJbU5uaXpSMmp0elVJTGtzbjMwN0taeDU2M25oNWEwTkYyS0szR1IxTEtzS1hHY3c9PSIsIm1hYyI6ImRjMjZiZTM0ZDZkMDIwZjY1MGNkOGI4YjU5ODEzY2I0NGEwNjJiOGNlOTg4OGU2YzUwYjE4MmUwMzVlNTRmM2QifQ
GET | https://cargill.fleetconnect.io/css/components-md.min.css | Attack: none | Evidence: iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAA5JREFUeNpiYGBgAAgwAAAEAAGbA+oJAAAAAElFTkSuQmCC
GET | https://cargill.fleetconnect.io/js/jquery.min.js | Attack: none | Evidence: D27CDB6E-AE6D-11cf-96B8-444553540000
GET | https://cargill.fleetconnect.io/js/select2.full.min.js | Attack: none | Evidence: com/select2/select2/blob/master/LICENSE
GET | https://cargill.fleetconnect.io/login | Attack: none | Evidence: eyJpdiI6IjR2SWpkNDM4WUk3ZWtFaGtXWFI5enc9PSIsInZhbHVlIjoieFwvcHpTWEFDZU80R1NVKzJHZnozMFUwQWZEREpYdWNDdjR4RHRcL2hJNWpMY3pjK1VrNTRLV1haM0NWR2ttV1RBMDVibmxwVVhkdGNjSXppbVFiYUFTUT09IiwibWFjIjoiODE2OTdhZWEwMmU1OWRkZjllZGFkZTQ5N2UxNDhmZWVjM2FhMDUxZDdlZmU3ZWIyMmE5MDVkMTQ5ODg4ZTQwZCJ9
GET | https://cargill.fleetconnect.io/login | Attack: none | Evidence: eyJpdiI6ImIrZWdsNVRrRWxOQk04cHltTVNxT0E9PSIsInZhbHVlIjoiQ1RDVFBjcGp5ZCs1ZXFqRVlyanNBMUZzUGJENW5wd0h3bFhlRUJZemdJWFdncGd0TmdndTJoaURobFJBVUZFcVAzTklxd0xxNkFlYmg2K1BzXC9ScUdBPT0iLCJtYWMiOiJkNDYzOTAxNmExODA1ZGE0MzU2OGEwODg0N2ZkNDcwMTlhMmU4MGY0YTJmNjUwODc1NWRlZjk0MjNlOWM3OTQwIn0
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: eyJpdiI6IjFTVzlsclB2KzFVUHE5QmtneTBSUHc9PSIsInZhbHVlIjoiS3FmbVRReGtwc2RhSXRQSElSejFmVjFxenVHMnhSSU1vbjJYekhEXC82QVZBclJtUWdmRjdJejdKTFM3Mmdob1RBUkEwZ2pVNDBUK0ZGVTRtUFBiOXJ3PT0iLCJtYWMiOiJjODdlNzIwM2E3YTEzNDFhM2UzMzY5MWUzMTIzOTRlYzY4MThjYWIyNWQxNTEwMmQ2OTZmYTZiNjBjMzlkYWNiIn0
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: eyJpdiI6IjhTbjIzdHJJV25xN1hnVTJrTEpSNlE9PSIsInZhbHVlIjoiamhta2pIWGJhN3dYV3NXZTd4eWJmMmZiXC83U2dKOUhZb2tEWHNjb0Z0T0RJZ21MY0pVQ2MySnF1QlwvYkRwUndySUNMRWthQ2pUcFl3Y1Q3NDJLb2VVZz09IiwibWFjIjoiZGUwNGRkMDI2ZjY0OGJmZDI4Zjk4NzdhNjQ4NDQ0ZDFlYWZjZjA3NmE3YjBhNThjNGQ5ZTMxNjhkMjdhZjIwMSJ9
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: eyJpdiI6ImtNbkxDTmRiQlRTNVRwalJzOWZuK2c9PSIsInZhbHVlIjoiNjRxVWRrcTlZem04THVjMjRyQWhSZ3YyWU1jR1JEWjNFV3lyXC9jcWZnSFA3aDBQOVBpNmFlbkxPWks5NGVZTkNDS2tZVnhPdmszNXZkUEEwWnRLa0h3PT0iLCJtYWMiOiIzZDIzZjEyZDc3YTE3NjI3NDA5ZGQ0ZjVjOTE5MzBhZjc2YzYyYWNkYTYwOWZiM2Y5ZGZiZWIwNTg0ZWM3ZGNkIn0
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: eyJpdiI6InRhZjBpTU44czkxaWQ5YVwvRUJJMER3PT0iLCJ2YWx1ZSI6InllM3FSWmhkMGlPNHZyMVlHbkNkT3ZwNGw4VjlwMnZTM0ZFWExPc09QTnA5QVFkOHNWbVI3TU5XMXpoSjRDYzZyZG1reXNcL1pEWGhZclwvNjhPT1lvQlE9PSIsIm1hYyI6IjYyNzk5ZGIwODg2MGQ4YTA5NWE5ZGJiODgzYjJkZjFkZDljYjY1MGFhYzliZjhhM2FiOWQ4NjYxZWE4MTlhNDMifQ
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: eyJpdiI6IlhSM1pXXC9VdFBIRFU0ZDFtY0pJNFN3PT0iLCJ2YWx1ZSI6IlBGR0UydnhUbHhMZ2V3UEJTSEI4amhjUE43K2Z2YzlydWV1U0JWdlVUYWtpakNRV3oxV0MwYzl5eG8rQis5Snd5Mjl0ZUdcL3dJVWt1dlRGa3hCZ3luQT09IiwibWFjIjoiYjNiMjI0OTRmMDIxYjNlYzU4YjU4YjMwODE1MjViOTQwNjlmNTkzMDYwZDFiZjJmMjc0OTg5NTk1NjE5NWQyZSJ9
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: eyJpdiI6InhWYXFFS0FxYjZNUTBYbGVueUNia3c9PSIsInZhbHVlIjoieFNwRlNWVDN5RStPQ1pzSE9ralc4TDFjNjFuZkVhTmtYNlhBRTlRVXlhdVwvaDNzV05aT3BSdDU3bk1qVllCT3NZbU1rMXJZenZUak81NlhuMndqTDdRPT0iLCJtYWMiOiJiMmNkZmY0ODNlMDYxNzE1NGI5ZDM1NTUyYzliNWM1MDlkNDU4YTZlNDFhN2Q2OTQ5MjA3ZjY5MzAxYmRhNzQzIn0
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: eyJpdiI6InkzMVwvbVhMUWxMdjM5elJYdXJ5c3VnPT0iLCJ2YWx1ZSI6Ijg0NHlnNmQremVEUHZrdk1SamI5ejZZbDV3UGs3ZlhVZ01UZ0g4dTc4Qnp0eTZUcE9TeExSMHJ5NVd6MlwvaHlpWWd5WnhYejJwbkp2MklpQW5lZ0JNdz09IiwibWFjIjoiMzBjNjJmMzEwZGVhODI0YWNhMjdhYThkZjk3NmVlMGU2ZjhmOTIxMWZjMjY4MWI5YWY5YTgxMGNiNjFmOGE3MSJ9
POST | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: eyJpdiI6Ilh0dWVnRllUZkxUKytXRlZxdXdEMHc9PSIsInZhbHVlIjoicVBXSTFWQjlzcWFqaFwvT1wvTnpobGlTbHZwZDFjNlRaTHJCQXltMFQrZjNzTUx2TnBxQ2syMUVoS0FTakdieXdoUUIrckdUN2dxWXpnaW9oZDhPVVU2Zz09IiwibWFjIjoiZjg4ZjQ4MDFhMmVjOGI5MmFiOGMzMTM3OGRhNjNkOWIxMTkyYjg0OTk0YWE2ZGMxNzg3ZTY1NTFmNzFiODkxOSJ9
Instances 15
Solution
Manually confirm that the Base64 data does not leak sensitive information, and that the data cannot be aggregated/used to exploit other vulnerabilities. For the instances above: the twelve strings beginning eyJpdiI6 decode to JSON of the form {"iv":...,"value":...,"mac":...} (a 16-byte IV, ciphertext and a 64-hex-digit HMAC), which is the envelope Laravel's Encrypter produces for encrypted cookies; without the server-side key they disclose nothing but their length. The iVBORw0KGgo string in components-md.min.css is a 1x1 PNG embedded as a data URI in the stylesheet. The jquery.min.js match is a COM class identifier (the Shockwave Flash CLSID) and the select2.full.min.js match is a URL path fragment; neither is base64. Decode and inspect every flagged string before closing the alert, and treat anything that decodes to readable JSON, credentials or internal hostnames as a real disclosure.
Reference http://projects.webappsec.org/w/page/13246936/Information%20Leakage
CWE Id 200
WASC Id 13
Plugin Id 10094
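Decoding the flagged strings is a five-minute job that turns this informational alert into either a closed item or a real finding. The triage script below is an added example and not part of the ZAP report: it decodes each string (restoring any stripped "=" padding), then classifies the result as a PNG, an IV/ciphertext/MAC envelope, readable JSON, plain text, opaque binary, or not base64 at all. The sample strings are the report's own evidence joined across the line wraps of the PDF; the classification rules are the editor's and deliberately conservative, so anything unrecognised is left as "opaque" for manual review.

```python
"""Triage strings a scanner flagged as base64 (ZAP rule 10094).

Added example, not part of the ZAP report. The sample strings are the report's
own evidence with line wrapping removed; the classification rules are the
editor's, not ZAP's.
"""
import base64
import binascii
import json
import re
import struct
from typing import Any, Dict, Tuple

STD_B64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def decode_loose(token: str) -> bytes:
    """Decode standard-alphabet base64, restoring any '=' padding that was stripped."""
    token = token.strip()
    if not STD_B64.match(token):
        raise ValueError("not standard base64 alphabet")
    token = token.rstrip("=")
    return base64.b64decode(token + "=" * (-len(token) % 4))


def classify(token: str) -> Tuple[str, Dict[str, Any]]:
    """Return (category, details) for one flagged string."""
    try:
        raw = decode_loose(token)
    except (ValueError, binascii.Error):
        return "not-base64", {}
    if raw.startswith(PNG_SIGNATURE) and len(raw) >= 24:
        width, height = struct.unpack(">II", raw[16:24])   # IHDR width and height
        return "png-image", {"bytes": len(raw), "width": width, "height": height}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque-binary", {"bytes": len(raw)}
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        return "plaintext", {"text": text}
    if isinstance(obj, dict) and {"iv", "value", "mac"}.issubset(obj):
        # IV + ciphertext + MAC is an authenticated-encryption envelope (the layout
        # Laravel's Encrypter uses for encrypted cookies). Without the server key it
        # discloses nothing beyond its length; record the sizes as evidence of that.
        iv = base64.b64decode(obj["iv"])
        ciphertext = base64.b64decode(obj["value"])
        mac = obj["mac"]
        return "encrypted-envelope", {
            "iv_bytes": len(iv),
            "ciphertext_bytes": len(ciphertext),
            "mac_hex_chars": len(mac),
            "mac_is_hex": re.fullmatch(r"[0-9a-f]+", mac) is not None,
        }
    return "json", {"type": type(obj).__name__}   # readable JSON: review by hand


# The report's evidence strings, joined across the PDF line wraps.
REPORT_EVIDENCE = {
    "GET /": (
        "eyJpdiI6ImFreUFlcUdLWVNGT2xrZ3RtV0ppM2c9PSIsInZhbHVlIjoiN1BqUkI2Z3NYYW1uWUlQ"
        "NXQ2WW13V3NqYXEwM1lxcCtCdEIyenNtaE9wNks3cElaMndOVVBDTTkxTnhUV005cXJcLzl1"
        "aWZvb0k1ZThBMFh1TWd5VjZnPT0iLCJtYWMiOiI4OGVlNjEyOTAyNmRhZTFmYzFjYmM1NzI5"
        "MTFhYzU2MTNkODdiM2MyNDU5OTBhZjE2YWZiN2E2MTM3ZGI4MWEzIn0"),
    "GET /css/components-md.min.css": (
        "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAAGXRFWHRTb2Z0d2FyZ"
        "QBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAA5JREFUeNpiYGBgAAgwAAAEAAGbA+oJAAAAA"
        "ElFTkSuQmCC"),
    "GET /js/jquery.min.js": "D27CDB6E-AE6D-11cf-96B8-444553540000",
    "GET /js/select2.full.min.js": "com/select2/select2/blob/master/LICENSE",
}


def triage(evidence: Dict[str, str]) -> Dict[str, str]:
    """Category per instance, ready to paste into the report's notes."""
    return {name: classify(token)[0] for name, token in evidence.items()}


if __name__ == "__main__":
    for name, token in REPORT_EVIDENCE.items():
        print(name, classify(token))
```

Only the "plaintext" and "json" categories need a human decision; the other outcomes are the evidence that closes the alert. A string that fails the alphabet check but decodes under the URL-safe alphabet (the "-" and "_" variant) should be re-run with `base64.urlsafe_b64decode` before being dismissed.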

Informational Information Disclosure - Suspicious Comments

Description
The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.

GET | https://cargill.fleetconnect.io/js/app.min.js | Attack: none | Evidence: Select
GET | https://cargill.fleetconnect.io/js/bootstrap-hover-dropdown.min.js | Attack: none | Evidence: user
GET | https://cargill.fleetconnect.io/js/jquery.blockui.min.js | Attack: none | Evidence: later
GET | https://cargill.fleetconnect.io/js/jquery.min.js | Attack: none | Evidence: db
GET | https://cargill.fleetconnect.io/js/jquery.min.js | Attack: none | Evidence: select
GET | https://cargill.fleetconnect.io/js/jquery.validate.min.js | Attack: none | Evidence: select
GET | https://cargill.fleetconnect.io/js/login.min.js | Attack: none | Evidence: username
GET | https://cargill.fleetconnect.io/js/select2.full.min.js | Attack: none | Evidence: query
GET | https://cargill.fleetconnect.io/login | Attack: none | Evidence: username
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: username
GET | https://cargill.fleetconnect.io/login | Attack: none | Evidence: Admin
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: Admin
Instances 12
Solution
Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
Reference
CWE Id 200
WASC Id 13
Plugin Id 10027
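As the description says, for script files the keyword match runs over the whole file, which is why minified third-party libraries turn up here with hits such as "select", "db" and "query". What an analyst wants is the same keyword list applied to comment text only. The scanner below is an added example and not part of the ZAP report: it extracts // and /* */ comments from JavaScript (skipping string and template literals, so a "/*" inside a string is not mistaken for a comment) and <!-- --> comments from HTML, then matches inside those. The keyword list is the set of words the report matched plus the usual TODO/FIXME markers, assumed here as a subset of ZAP's own list; the sample source is constructed.

```python
"""Match suspicious-comment keywords against real comments only (ZAP rule 10027).

Added example, not part of the ZAP report. The keyword list is an assumed
subset of ZAP's; the sample JavaScript is constructed.
"""
import re
from typing import List, Set, Tuple

KEYWORDS = ["todo", "fixme", "bug", "xxx", "hack", "admin", "username", "user",
            "db", "query", "select", "later"]
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)


def extract_js_comments(src: str) -> List[str]:
    """Return the text of // and /* */ comments, skipping string and template
    literals so that comment markers inside strings are ignored.
    Known gap: regex literals containing '/*' or '//' are not recognised."""
    comments: List[str] = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in ("'", '"', "`"):                       # string or template literal
            i += 1
            while i < n and src[i] != c:
                i += 2 if src[i] == "\\" else 1        # step over escaped characters
            i += 1                                     # closing quote
        elif src.startswith("//", i):                  # line comment
            end = src.find("\n", i)
            end = n if end == -1 else end
            comments.append(src[i + 2:end].strip())
            i = end
        elif src.startswith("/*", i):                  # block comment
            end = src.find("*/", i + 2)
            end = n if end == -1 else end
            comments.append(src[i + 2:end].strip())
            i = end + 2
        else:
            i += 1
    return comments


def extract_html_comments(src: str) -> List[str]:
    """Return the text of <!-- --> comments."""
    return [m.strip() for m in re.findall(r"<!--(.*?)-->", src, re.S)]


def keywords_in_comments(comments: List[str]) -> List[Tuple[str, str]]:
    """(keyword, comment) pairs: the finding an analyst actually wants to see."""
    return [(m.group(1).lower(), c) for c in comments for m in KEYWORD_RE.finditer(c)]


def keywords_in_body(text: str) -> Set[str]:
    """What the scanner effectively does for script files: match against everything."""
    return {m.group(1).lower() for m in KEYWORD_RE.finditer(text)}


# Constructed sample; the string literal contains a fake comment on purpose.
SAMPLE_JS = '''// TODO: remove hardcoded admin account before release
var username = document.querySelector("#username").value;
var msg = "select a user /* not a comment */";
/* legacy db query, fix later */
function select(q) { return db.query(q); }
'''

if __name__ == "__main__":
    print("whole-file hits:  ", sorted(keywords_in_body(SAMPLE_JS)))
    print("comment-only hits:", keywords_in_comments(extract_js_comments(SAMPLE_JS)))
```

Run `extract_js_comments` over the minified files listed above; a minified build normally carries only licence headers, so any other comment that survives minification is worth reading in full. For the two login pages, the "username" and "Admin" hits should be checked with `extract_html_comments` against the page source rather than dismissed, since an HTML comment naming an admin account is exactly what this rule is for.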

Informational Modern Web Application

Description
The application appears to be a modern web application. If you need to explore it automatically then the Ajax Spider may well be more effective than the standard one.

GET | https://cargill.fleetconnect.io/js/jquery.min.js | Attack: none | Evidence: <a id='"+u+"'></a>
Instances 1
Solution This is an informational alert and so no changes are required.
Reference
CWE Id
WASC Id
Plugin Id 10109

Informational Non-Storable Content

Description
The response contents are not storable by caching components such as proxy servers. If the response does not contain sensitive, personal or user-specific information, it may benefit from being stored and cached, to improve performance.

GET | https://cargill.fleetconnect.io/ | Attack: none | Evidence: private
GET | https://cargill.fleetconnect.io/login | Attack: none | Evidence: private
GET | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: private
GET | https://cargill.fleetconnect.io/sitemap.xml | Attack: none | Evidence: private
POST | https://cargill.fleetconnect.io/index.html | Attack: none | Evidence: private
POST | https://cargill.fleetconnect.io/login?iotrl=true | Attack: none | Evidence: private
Instances 6
Solution
The content may be marked as storable by ensuring that the following conditions are satisfied:

The request method must be understood by the cache and defined as being cacheable ("GET", "HEAD", and "POST" are currently defined as cacheable)

The response status code must be understood by the cache (one of the 1XX, 2XX, 3XX, 4XX, or 5XX response classes are generally understood)

The "no-store" cache directive must not appear in the request or response header fields

For caching by "shared" caches such as "proxy" caches, the "private" response directive must not appear in the response

For caching by "shared" caches such as "proxy" caches, the "Authorization" header field must not appear in the request, unless the response explicitly allows it (using one of the "must-revalidate", "public", or "s-maxage" Cache-Control response directives)

In addition to the conditions above, at least one of the following conditions must also be satisfied by the response:

It must contain an "Expires" header field

It must contain a "max-age" response directive

For "shared" caches such as "proxy" caches, it must contain a "s-maxage" response directive

It must contain a "Cache Control Extension" that allows it to be cached

It must have a status code that is defined as cacheable by default (200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501).
https://tools.ietf.org/html/rfc7234
Reference https://tools.ietf.org/html/rfc7231
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)
CWE Id 524
WASC Id 13
Plugin Id 10049

Informational Storable and Cacheable Content

Description
The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where "shared" caching servers such as "proxy" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.

GET | https://cargill.fleetconnect.io/css/bootstrap-switch.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/css/bootstrap.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/css/components-md.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/css/font-awesome.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/css/login.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/css/plugins-md.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/css/select2-bootstrap.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/css/select2.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/css/simple-line-icons.min.css | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/favicon.ico | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/img/logo.png | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/additional-methods.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/app.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/bootstrap-hover-dropdown.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/bootstrap-switch.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/bootstrap.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/jquery.blockui.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/jquery.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/jquery.slimscroll.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/jquery.validate.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/js.cookie.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/login.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/js/select2.full.min.js | Attack: none | Evidence: none
GET | https://cargill.fleetconnect.io/robots.txt | Attack: none | Evidence: none
Instances 24
Solution
Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:

Cache-Control: no-cache, no-store, must-revalidate, private
Pragma: no-cache
Expires: 0

This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
https://tools.ietf.org/html/rfc7234
Reference https://tools.ietf.org/html/rfc7231
http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html (obsoleted by rfc7234)
CWE Id 524
WASC Id 13
Plugin Id 10049
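The two caching alerts are two sides of one decision: the Non-Storable alert lists the RFC 7234 conditions a response must meet before a shared cache may store it, and the Storable alert gives the headers that make a sensitive response fail those conditions. The function below is an added example and not part of the ZAP report: it implements the listed conditions in order for a shared (proxy) cache and returns the deciding rule, so that the "private" login responses, the static assets with no cache directives, and a response carrying the recommended no-store headers each land where the report says they do. The request/response samples are constructed; only the URLs and header values come from the report. One addition beyond the report's list: RFC 7234 section 3 also accepts a "public" directive as a positive condition, so the function does too.

```python
"""Shared-cache storability check built from the RFC 7234 conditions listed in
the report's Non-Storable / Storable alerts.

Added example, not part of the ZAP report. The exchanges below are constructed
to model the report's findings.
"""
from typing import Dict, Optional, Tuple

CACHEABLE_METHODS = {"GET", "HEAD", "POST"}          # as listed in the report (RFC 7231)
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}
AUTH_OVERRIDES = {"must-revalidate", "public", "s-maxage"}

# Headers the report recommends for responses that must never be cached.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-cache, no-store, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_cache_control(value: Optional[str]) -> Dict[str, str]:
    """'max-age=0, private' -> {'max-age': '0', 'private': ''}; names lower-cased."""
    directives: Dict[str, str] = {}
    for part in (value or "").split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def shared_cache_storable(method: str, status: int,
                          req_headers: Dict[str, str],
                          resp_headers: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the report's conditions in order; return (storable, deciding rule)."""
    if method.upper() not in CACHEABLE_METHODS:
        return False, f"method {method} is not cacheable"
    if not 100 <= status <= 599:
        return False, "status code not understood"
    req_cc = parse_cache_control(get_header(req_headers, "Cache-Control"))
    resp_cc = parse_cache_control(get_header(resp_headers, "Cache-Control"))
    if "no-store" in req_cc or "no-store" in resp_cc:
        return False, "no-store present"
    if "private" in resp_cc:
        return False, "private response (shared caches excluded)"
    if get_header(req_headers, "Authorization") is not None and AUTH_OVERRIDES.isdisjoint(resp_cc):
        return False, "Authorization request without public/s-maxage/must-revalidate"
    # All exclusions passed; now one positive condition is needed.
    if get_header(resp_headers, "Expires") is not None:
        return True, "Expires header"
    if "max-age" in resp_cc:
        return True, "max-age directive"
    if "s-maxage" in resp_cc:
        return True, "s-maxage directive"
    if "public" in resp_cc:        # RFC 7234 section 3; omitted from the report's summary
        return True, "public directive"
    if status in CACHEABLE_BY_DEFAULT:
        return True, f"status {status} cacheable by default"
    return False, "no freshness information and status not cacheable by default"


# Constructed exchanges modelled on the report's findings: (method, status, request
# headers, response headers).
SAMPLES = {
    "login page (Cache-Control: private)": ("GET", 200, {},
        {"Content-Type": "text/html; charset=UTF-8", "Cache-Control": "no-cache, private"}),
    "static css (no cache directives)": ("GET", 200, {}, {"Content-Type": "text/css"}),
    "static js (max-age)": ("GET", 200, {},
        {"Content-Type": "application/javascript", "Cache-Control": "max-age=31536000"}),
    "api call with bearer token": ("GET", 200, {"Authorization": "Bearer <token>"},
        {"Content-Type": "application/json", "Cache-Control": "max-age=60"}),
    "login page with recommended headers": ("GET", 200, {},
        {"Content-Type": "text/html", **NO_CACHE_HEADERS}),
}


def audit(samples=SAMPLES) -> Dict[str, Tuple[bool, str]]:
    """Storability verdict per sample exchange."""
    return {name: shared_cache_storable(*exchange) for name, exchange in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: storable={verdict[0]} ({verdict[1]})")
```

The "static css (no cache directives)" case is the one to notice: a 200 response with no Cache-Control at all is storable by default, which is what the 24 Storable instances above are reporting. That is harmless for public assets, but the same default applies to any authenticated page that forgets to set the headers, so the recommended header set should be applied by default to every response that sets or reads a session cookie, not only to the login page.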

Informational Timestamp Disclosure - Unix


Description A timestamp was disclosed by the application/web server - Unix

GET | https://cargill.fleetconnect.io/css/bootstrap.min.css | Attack: none | Evidence: 00000000
GET | https://cargill.fleetconnect.io/css/bootstrap.min.css | Attack: none | Evidence: 80000000
GET | https://cargill.fleetconnect.io/css/components-md.min.css | Attack: none | Evidence: 42857143
GET | https://cargill.fleetconnect.io/js/jquery.validate.min.js | Attack: none | Evidence: 2147483647
Instances 4
Solution
Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns. None of the four values here is a timestamp: 2147483647 is 2^31-1, the largest signed 32-bit integer and a standard "no limit" constant; 42857143 is the fractional part of the line-height 1.42857143 (20/14) that Bootstrap-derived stylesheets use; and 00000000 and 80000000 in bootstrap.min.css are the eight hex digits of the ARGB colour values #00000000 and #80000000 used by the IE gradient filter. Confirm by searching each file for the literal before reporting it, and note that a number written with leading zeros cannot be a Unix timestamp.
Reference http://projects.webappsec.org/w/page/13246936/Information%20Leakage
CWE Id 200
WASC Id 13
Plugin Id 10096
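A quick plausibility check separates real epoch timestamps from the numeric constants that trip this rule. The script below is an added example and not part of the ZAP report: it converts each flagged token to a UTC date and rejects tokens with leading zeros, the INT32_MAX sentinel, and dates outside the deployment's possible lifetime. The first four tokens are the report's own evidence; the fifth is a constructed value equal to the report's generation time in UTC, included to show what a plausible hit looks like. The earliest-plausible date is an assumption for illustration.

```python
"""Triage values a scanner reports as Unix timestamps (ZAP rule 10096).

Added example, not part of the ZAP report. The plausibility window is an
assumption for illustration; adjust EARLIEST_PLAUSIBLE to the application's
real go-live date.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

INT32_MAX = 2_147_483_647          # 2^31 - 1: a common "no limit" sentinel, also the 2038 rollover second
EARLIEST_PLAUSIBLE = datetime(2015, 1, 1, tzinfo=timezone.utc)   # assumed: nothing predates this


def triage_timestamp(token: str, now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return (verdict, ISO-8601 UTC date) for a digit string the scanner flagged."""
    now = now or datetime.now(timezone.utc)
    value = int(token)
    when = datetime.fromtimestamp(value, tz=timezone.utc)
    if token != str(value):
        # Epoch seconds are never written with leading zeros; hex colours and
        # zero-padded fields are. Find the token in the file before believing it.
        verdict = "not a timestamp: leading zeros"
    elif value == INT32_MAX:
        verdict = "sentinel: INT32_MAX (2038-01-19 rollover), not a timestamp"
    elif when < EARLIEST_PLAUSIBLE or when > now + timedelta(days=1):
        verdict = "implausible: outside the deployment's lifetime"
    else:
        verdict = "plausible: check what the file uses it for"
    return verdict, when.isoformat()


def triage_all(tokens, now: Optional[datetime] = None) -> Dict[str, Tuple[str, str]]:
    """Verdict per token, in the order given."""
    return {t: triage_timestamp(t, now) for t in tokens}


# The report's four evidence values plus one constructed plausible value
# (2021-04-05T14:40:38Z, the report's generation time).
REPORT_EVIDENCE = ["00000000", "80000000", "42857143", "2147483647"]
CONSTRUCTED_PLAUSIBLE = "1617633638"

if __name__ == "__main__":
    for token, (verdict, when) in triage_all(REPORT_EVIDENCE + [CONSTRUCTED_PLAUSIBLE]).items():
        print(f"{token:>10}  {when}  {verdict}")
```

A "plausible" verdict still only says the number could be a date; the disclosure is real only if the date reveals something (a build time that dates a vulnerable dependency, a user's last-login time) that the page has no reason to expose.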
