HARU 站台健檢

外觀

動態掃描(已登入)

以 customer 角色登入後的 OWASP ZAP 被動掃描結果,涵蓋登入後可見的會員頁面、訂單頁面等前台區域。

摘要結論

  • ZAP 被動掃描偵測到 7 個中風險告警

共 1 項 / 1 中

中風險告警

  • 問題:ZAP 被動掃描偵測到 7 個中風險告警
  • 原因:站台缺少部分安全防護設定(CSP、Anti-CSRF、Cookie 屬性等)
  • 建議:依告警清單調整安全標頭與 Cookie 設定
  • 影響:此項影響等級:中
  • 驗收:中風險告警 = 0

風險摘要

等級數量
7
8
資訊9

告警清單

Absence of Anti-CSRF Tokens

  • CWE:352
  • 影響 URL:5 個
  • 修復建議:Phase: Architecture and DesignUse a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.For example, use anti-CSRF packages such as the OWASP CSRFGuard.Phase: ImplementationEnsure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.Phase: Architecture and DesignGenerate a unique nonce for each form, place the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).Note that this can be bypassed using XSS.Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.Note that this can be bypassed using XSS.Use the ESAPI Session Management control.This control includes a component for CSRF.Do not use the GET method for any request that triggers a state change.Phase: ImplementationCheck the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.
受影響 URL(2)
  • https://letsharu.com/
  • https://letsharu.com/my-account/

CSP: Failure to Define Directive with No Fallback

  • CWE:693
  • 影響 URL:3 個
  • 修復建議:Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
受影響 URL(3)
  • https://letsharu.com/
  • https://letsharu.com/sitemap.xml
  • https://letsharu.com/my-account/

CSP: Wildcard Directive

  • CWE:693
  • 影響 URL:3 個
  • 修復建議:Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
受影響 URL(3)
  • https://letsharu.com/
  • https://letsharu.com/sitemap.xml
  • https://letsharu.com/my-account/

CSP: script-src unsafe-inline

  • CWE:693
  • 影響 URL:3 個
  • 修復建議:Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
受影響 URL(3)
  • https://letsharu.com/
  • https://letsharu.com/sitemap.xml
  • https://letsharu.com/my-account/

CSP: style-src unsafe-inline

  • CWE:693
  • 影響 URL:3 個
  • 修復建議:Ensure that your web server, application server, load balancer, etc. is properly configured to set the Content-Security-Policy header.
受影響 URL(3)
  • https://letsharu.com/
  • https://letsharu.com/sitemap.xml
  • https://letsharu.com/my-account/

Multiple X-Frame-Options Header Entries

  • CWE:1021
  • 影響 URL:5 個
  • 修復建議:Ensure only a single X-Frame-Options header is present in the response.
受影響 URL(4)
  • https://letsharu.com/my-account/
  • https://letsharu.com/my-account/?action=register
  • https://letsharu.com/my-account/lost-password/
  • https://letsharu.com/register/

Sub Resource Integrity Attribute Missing

  • CWE:345
  • 影響 URL:5 個
  • 修復建議:Provide a valid integrity attribute to the tag.
受影響 URL(2)
  • https://letsharu.com/
  • https://letsharu.com/my-account/

Cookie without SameSite Attribute

  • CWE:1275
  • 影響 URL:1 個
  • 修復建議:Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
受影響 URL(1)
  • https://letsharu.com/cart/

Cross-Domain JavaScript Source File Inclusion

  • CWE:829
  • 影響 URL:5 個
  • 修復建議:Ensure JavaScript source files are loaded from only trusted sources, and the sources can't be controlled by end users of the application.
受影響 URL(3)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/my-account/

Cross-Origin-Embedder-Policy Header Missing or Invalid

  • CWE:693
  • 影響 URL:3 個
  • 修復建議:Ensure that the application/web server sets the Cross-Origin-Embedder-Policy header appropriately, and that it sets the Cross-Origin-Embedder-Policy header to 'require-corp' for documents.If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Embedder-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-embedder-policy).
受影響 URL(3)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/my-account/

Cross-Origin-Opener-Policy Header Missing or Invalid

  • CWE:693
  • 影響 URL:3 個
  • 修復建議:Ensure that the application/web server sets the Cross-Origin-Opener-Policy header appropriately, and that it sets the Cross-Origin-Opener-Policy header to 'same-origin' for documents.'same-origin-allow-popups' is considered as less secured and should be avoided.If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Opener-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-opener-policy).
受影響 URL(3)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/my-account/

Cross-Origin-Resource-Policy Header Missing or Invalid

  • CWE:693
  • 影響 URL:4 個
  • 修復建議:Ensure that the application/web server sets the Cross-Origin-Resource-Policy header appropriately, and that it sets the Cross-Origin-Resource-Policy header to 'same-origin' for all web pages.'same-site' is considered as less secured and should be avoided.If resources must be shared, set the header to 'cross-origin'.If possible, ensure that the end user uses a standards-compliant and modern web browser that supports the Cross-Origin-Resource-Policy header (https://caniuse.com/mdn-http_headers_cross-origin-resource-policy).
受影響 URL(4)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/robots.txt
  • https://letsharu.com/my-account/

Permissions Policy Header Not Set

  • CWE:693
  • 影響 URL:5 個
  • 修復建議:Ensure that your web server, application server, load balancer, etc. is configured to set the Permissions-Policy header.
受影響 URL(4)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/my-account/
  • https://letsharu.com/wp-content/uploads/wpforms/

Strict-Transport-Security Header Not Set

  • CWE:319
  • 影響 URL:5 個
  • 修復建議:Ensure that your web server, application server, load balancer, etc. is configured to enforce Strict-Transport-Security.
受影響 URL(5)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/robots.txt
  • https://letsharu.com/wp-content/uploads/wpforms/
  • https://letsharu.com/my-account/

Timestamp Disclosure - Unix

  • CWE:497
  • 影響 URL:5 個
  • 修復建議:Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.
受影響 URL(1)
  • https://letsharu.com/my-account/

Authentication Request Identified 資訊

  • CWE:-1
  • 影響 URL:1 個
  • 修復建議:This is an informational alert rather than a vulnerability and so there is nothing to fix.
受影響 URL(1)
  • https://letsharu.com/my-account/

Information Disclosure - Suspicious Comments 資訊

  • CWE:615
  • 影響 URL:7 個
  • 修復建議:Remove all comments that return information that may help an attacker and fix any underlying problems they refer to.
受影響 URL(5)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/login/
  • https://letsharu.com/my-account/
  • https://letsharu.com/register/

Modern Web Application 資訊

  • CWE:-1
  • 影響 URL:5 個
  • 修復建議:This is an informational alert and so no changes are required.
受影響 URL(4)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/login/
  • https://letsharu.com/my-account/

Re-examine Cache-control Directives 資訊

  • CWE:525
  • 影響 URL:5 個
  • 修復建議:For secure content, ensure the cache-control HTTP header is set with "no-cache, no-store, must-revalidate". If an asset should be cached consider setting the directives "public, max-age, immutable".
受影響 URL(5)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/login/
  • https://letsharu.com/my-account/
  • https://letsharu.com/robots.txt

Retrieved from Cache 資訊

  • CWE:525
  • 影響 URL:9 個
  • 修復建議:Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:Cache-Control: no-cache, no-store, must-revalidate, privatePragma: no-cacheExpires: 0This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
受影響 URL(9)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/admin/
  • https://letsharu.com/api/
  • https://letsharu.com/register/
  • https://letsharu.com/robots.txt
  • https://letsharu.com/sitemap.xml
  • https://letsharu.com/user/
  • https://letsharu.com/wp-content/uploads/wpforms/

Session Management Response Identified 資訊

  • CWE:-1
  • 影響 URL:1 個
  • 修復建議:This is an informational alert rather than a vulnerability and so there is nothing to fix.
受影響 URL(1)
  • https://letsharu.com/cart/

Storable and Cacheable Content 資訊

  • CWE:524
  • 影響 URL:3 個
  • 修復建議:Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:Cache-Control: no-cache, no-store, must-revalidate, privatePragma: no-cacheExpires: 0This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.
受影響 URL(3)
  • https://letsharu.com/my-account
  • https://letsharu.com/robots.txt
  • https://letsharu.com/sitemap.xml

Storable but Non-Cacheable Content 資訊

  • CWE:524
  • 影響 URL:5 個
受影響 URL(5)
  • https://letsharu.com
  • https://letsharu.com/
  • https://letsharu.com/wp-admin/
  • https://letsharu.com/wp-content/uploads/wpforms/
  • https://letsharu.com/my-account/

User Controllable HTML Element Attribute (Potential XSS) 資訊

  • CWE:20
  • 影響 URL:2 個
  • 修復建議:Validate all input and sanitize output it before writing to any HTML attributes.
受影響 URL(1)
  • https://letsharu.com/my-account/

相關頁

動態掃描(未登入)已知漏洞風險總覽

© 2026 cloudwp