ZAP by Checkmarx Scanning Report

Generated with ZAP on Tue 28 Oct 2025, at 13:43:05

ZAP Version: 2.16.1

ZAP by Checkmarx

Contents

About This Report

Report Parameters

Contexts

No contexts were selected, so all contexts were included by default.

Sites

The following sites were included:

  • https://shavar.services.mozilla.com

(If no sites were selected, all sites were included by default.)

An included site must also be within one of the included contexts for its data to be included in the report.

Risk levels

Included: High, Medium, Low, Informational

Excluded: None

Confidence levels

Included: User Confirmed, High, Medium, Low

Excluded: False Positive

Summaries

Alert Counts by Risk and Confidence

This table shows the number of alerts for each level of risk and confidence included in the report.

(The percentages in brackets represent the count as a percentage of the total number of alerts included in the report, rounded to one decimal place.)

                                         Confidence
Risk            User Confirmed   High         Medium       Low          Total
High            0 (0.0%)         0 (0.0%)     0 (0.0%)     0 (0.0%)     0 (0.0%)
Medium          0 (0.0%)         0 (0.0%)     0 (0.0%)     0 (0.0%)     0 (0.0%)
Low             0 (0.0%)         0 (0.0%)     2 (33.3%)    1 (16.7%)    3 (50.0%)
Informational   0 (0.0%)         1 (16.7%)    2 (33.3%)    0 (0.0%)     3 (50.0%)
Total           0 (0.0%)         1 (16.7%)    4 (66.7%)    1 (16.7%)    6 (100%)

Alert Counts by Site and Risk

This table shows, for each site for which one or more alerts were raised, the number of alerts raised at each risk level.

Alerts with a confidence level of "False Positive" have been excluded from these counts.

(The numbers in brackets are the number of alerts raised for the site at or above that risk level.)

                                                           Risk
Site                                   High (= High)   Medium (>= Medium)   Low (>= Low)   Informational (>= Informational)
https://shavar.services.mozilla.com    0 (0)           0 (0)                1 (1)          0 (1)

Alert Counts by Alert Type

This table shows the number of alerts of each alert type, together with the alert type's risk level.

(The percentages in brackets represent each count as a percentage, rounded to one decimal place, of the total number of alerts included in this report.)

Alert type                                                   Risk            Count
Insufficient Site Isolation Against Spectre Vulnerability    Low             1 (16.7%)
Timestamp Disclosure - Unix                                  Low             2 (33.3%)
X-Content-Type-Options Header Missing                        Low             1 (16.7%)
Sec-Fetch-User Header is Missing                             Informational   1 (16.7%)
Storable and Cacheable Content                               Informational   1 (16.7%)
Tech Detected - HSTS                                         Informational   1 (16.7%)
Total                                                                        6

Alerts

  1. Risk=Low, Confidence=Medium (2)

    1. https://shavar.services.mozilla.com (1)

      1. X-Content-Type-Options Header Missing (1)
        1. POST https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=128.10&pver=2.2
          Alert tags
          Alert description

          The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.

          Other info

          This issue still applies to error type pages (401, 403, 500, etc.) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.

          At "High" threshold this scan rule will not alert on client or server error responses.

          Request
          Request line and header section (472 bytes)
          POST https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=128.10&pver=2.2 HTTP/1.1
          host: shavar.services.mozilla.com
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
          Accept: */*
          Accept-Language: en-US,en;q=0.5
          Content-Type: text/plain
          Content-Length: 426
          Connection: close
          Sec-Fetch-Dest: empty
          Sec-Fetch-Mode: no-cors
          Sec-Fetch-Site: none
          Priority: u=4
          Pragma: no-cache
          Cache-Control: no-cache
          
          
          Request body (426 bytes)
          ads-track-digest256;
          social-track-digest256;
          analytics-track-digest256;
          content-track-digest256;
          mozstd-trackwhite-digest256;
          google-trackwhite-digest256;
          base-fingerprinting-track-digest256;
          base-cryptomining-track-digest256;
          social-tracking-protection-facebook-digest256;
          social-tracking-protection-linkedin-digest256;
          social-tracking-protection-twitter-digest256;
          base-email-track-digest256;
          content-email-track-digest256;
          
          Response
          Status line and header section (201 bytes)
          HTTP/1.1 200 OK
          Content-Type: application/octet-stream
          Date: Mon, 27 Oct 2025 13:18:00 GMT
          Strict-Transport-Security: max-age=31536000; includeSubDomains
          Content-Length: 1575
          Connection: Close
          
          
          Response body (1575 bytes)
          n:21600
          i:ads-track-digest256
          u:tracking-protection.cdn.mozilla.net/ads-track-digest256/128.0/1754651396
          i:social-track-digest256
          u:tracking-protection.cdn.mozilla.net/social-track-digest256/128.0/1754651396
          i:analytics-track-digest256
          u:tracking-protection.cdn.mozilla.net/analytics-track-digest256/128.0/1754651396
          i:content-track-digest256
          u:tracking-protection.cdn.mozilla.net/content-track-digest256/128.0/1754651396
          i:mozstd-trackwhite-digest256
          u:tracking-protection.cdn.mozilla.net/mozstd-trackwhite-digest256/128.0/1754651396
          i:google-trackwhite-digest256
          u:tracking-protection.cdn.mozilla.net/google-trackwhite-digest256/128.0/1754651396
          i:base-fingerprinting-track-digest256
          u:tracking-protection.cdn.mozilla.net/base-fingerprinting-track-digest256/128.0/1754651396
          i:base-cryptomining-track-digest256
          u:tracking-protection.cdn.mozilla.net/base-cryptomining-track-digest256/128.0/1754651396
          i:social-tracking-protection-facebook-digest256
          u:tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/128.0/1718977977
          i:social-tracking-protection-linkedin-digest256
          u:tracking-protection.cdn.mozilla.net/social-tracking-protection-linkedin-digest256/128.0/1718977977
          i:social-tracking-protection-twitter-digest256
          u:tracking-protection.cdn.mozilla.net/social-tracking-protection-twitter-digest256/128.0/1718977977
          i:base-email-track-digest256
          u:tracking-protection.cdn.mozilla.net/base-email-track-digest256/128.0/1754651396
          i:content-email-track-digest256
          u:tracking-protection.cdn.mozilla.net/content-email-track-digest256/128.0/1754651396
          
          Parameter
          x-content-type-options
          Solution

          Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.

          If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.
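The following is an added illustration, not ZAP's own code, of the passive checks behind the alert types in this report, run over the captured exchange above. The request and response headers and the two-entry body excerpt are constructed from the capture; the hardened header set (X-Content-Type-Options: nosniff, Cross-Origin-Resource-Policy: same-site, Cache-Control: no-store) is a hypothetical variant applying the Solution above. The Spectre check is reduced to the presence of Cross-Origin-Resource-Policy and the cacheability classification is a simplified reading of RFC 7234, so both are assumptions about the rules rather than their exact logic.

```python
import re

# Constructed from the captured request and response in this alert (body trimmed to two entries).
CAPTURED_REQUEST_HEADERS = {
    "Content-Type": "text/plain",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "no-cors",
    "Sec-Fetch-Site": "none",
}
CAPTURED_RESPONSE_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Date": "Mon, 27 Oct 2025 13:18:00 GMT",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Length": "1575",
    "Connection": "Close",
}
CAPTURED_BODY = (
    "n:21600\n"
    "i:ads-track-digest256\n"
    "u:tracking-protection.cdn.mozilla.net/ads-track-digest256/128.0/1754651396\n"
    "i:social-tracking-protection-facebook-digest256\n"
    "u:tracking-protection.cdn.mozilla.net/social-tracking-protection-facebook-digest256/128.0/1718977977\n"
)
# Hypothetical hardened variant of the same response, following the Solution section.
HARDENED_RESPONSE_HEADERS = {
    **CAPTURED_RESPONSE_HEADERS,
    "X-Content-Type-Options": "nosniff",
    "Cross-Origin-Resource-Policy": "same-site",
    "Cache-Control": "no-store",
}

# Plausibility window for 10-digit epoch seconds: 2000-01-01 up to 2^31 - 1 (Jan 2038).
TS_MIN, TS_MAX = 946_684_800, 2_147_483_647
# Status codes a cache may store heuristically without explicit freshness (RFC 7231 s6.1).
HEURISTIC_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def header(headers, name):
    """Case-insensitive lookup; HTTP field names are case-insensitive (RFC 9110)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def directives(value):
    """Split 'max-age=31536000; includeSubDomains' or 'no-store, private' into a dict."""
    out = {}
    for part in re.split(r"[;,]", value or ""):
        if part.strip():
            k, _, v = part.strip().partition("=")
            out[k.strip().lower()] = v.strip().strip('"')
    return out


def find_unix_timestamps(body):
    """Distinct 10-digit numbers in the body that fall inside the plausible epoch window."""
    found = {int(m) for m in re.findall(r"(?<!\d)\d{10}(?!\d)", body)}
    return sorted(t for t in found if TS_MIN <= t <= TS_MAX)


def cacheability(status, headers):
    """Simplified RFC 7234 classification behind the 'Storable and Cacheable' alert."""
    cc = directives(header(headers, "Cache-Control"))
    if "no-store" in cc:
        return "non-storable"
    if "no-cache" in cc or cc.get("max-age") == "0":
        return "storable, non-cacheable"
    explicit_freshness = "max-age" in cc or "s-maxage" in cc or header(headers, "Expires")
    if explicit_freshness or status in HEURISTIC_CACHEABLE:
        return "storable and cacheable"
    return "storable, non-cacheable"


def passive_scan(status, req_headers, resp_headers, body):
    """Return (risk, alert name) pairs for the alert types raised in this report."""
    alerts = []
    if (header(resp_headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        alerts.append(("Low", "X-Content-Type-Options Header Missing"))
    # Simplified: the real rule also considers COOP/COEP on documents; CORP is what is checked here.
    if header(resp_headers, "Cross-Origin-Resource-Policy") is None:
        alerts.append(("Low", "Insufficient Site Isolation Against Spectre Vulnerability"))
    for ts in find_unix_timestamps(body):
        alerts.append(("Low", f"Timestamp Disclosure - Unix ({ts})"))
    # Sec-Fetch-User is only sent on user-activated navigations, so its absence on a
    # no-cors fetch like this one is expected; that is why the rule is informational.
    if header(req_headers, "Sec-Fetch-User") is None:
        alerts.append(("Informational", "Sec-Fetch-User Header is Missing"))
    if cacheability(status, resp_headers) == "storable and cacheable":
        alerts.append(("Informational", "Storable and Cacheable Content"))
    hsts = header(resp_headers, "Strict-Transport-Security")
    if hsts is not None:
        max_age = int(directives(hsts).get("max-age", "0"))
        alerts.append(("Informational", f"Tech Detected - HSTS (max-age={max_age})"))
    return alerts


if __name__ == "__main__":
    for risk, name in passive_scan(200, CAPTURED_REQUEST_HEADERS, CAPTURED_RESPONSE_HEADERS, CAPTURED_BODY):
        print(f"{risk:13s} {name}")
```

Run against the captured headers the scan reproduces every alert type in the summary table; against the hardened header set only the two body timestamps, the request-side Sec-Fetch-User note and the HSTS detection remain, which is the expected result since the hardened variant changes headers only and the chunk URLs still carry their epoch values.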

  2. Risk=Low, Confidence=Low (1)

  3. Risk=Informational, Confidence=High (1)

  4. Risk=Informational, Confidence=Medium (2)

Appendix

Alert Types

This section contains additional information on the types of alerts in the report.

  1. Insufficient Site Isolation Against Spectre Vulnerability

    Source raised by a passive scanner (Insufficient Site Isolation Against Spectre Vulnerability)
    CWE ID 693
    WASC ID 14
    Reference
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy
  2. Timestamp Disclosure - Unix

    Source raised by a passive scanner (Timestamp Disclosure)
    CWE ID 497
    WASC ID 13
    Reference
    1. https://cwe.mitre.org/data/definitions/200.html
  3. X-Content-Type-Options Header Missing

    Source raised by a passive scanner (X-Content-Type-Options Header Missing)
    CWE ID 693
    WASC ID 15
    Reference
    1. https://learn.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622941(v=vs.85)
    2. https://owasp.org/www-community/Security_Headers
  4. Sec-Fetch-User Header is Missing

    Source raised by a passive scanner (Fetch Metadata Request Headers)
    CWE ID 352
    WASC ID 9
    Reference
    1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User
  5. Storable and Cacheable Content

    Source raised by a passive scanner (Content Cacheability)
    CWE ID 524
    WASC ID 13
    Reference
    1. https://datatracker.ietf.org/doc/html/rfc7234
    2. https://datatracker.ietf.org/doc/html/rfc7231
    3. https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html
  6. Tech Detected - HSTS

    Source raised by other tools/functionalities in ZAP (for example, fuzzer, HTTPS Info add-on, custom scripts...) (plugin ID: 10004)
    WASC ID 13
    Reference
    1. https://www.rfc-editor.org/rfc/rfc6797#section-6.1