DevSecOps MCP Server

dast-zap-1770171428833-report.json•11.2 KiB

{ "@programName": "ZAP", "@version": "2.17.0", "@generated": "Wed, 4 Feb 2026 02:18:26", "created": "2026-02-04T02:18:26.439561649Z", "insights":[ { "level": "Info", "reason": "Informational", "site": "http://host.docker.internal:3000", "key": "insight.code.4xx", "description": "Percentage of responses with status code 4xx", "statistic": "100" }, { "level": "Info", "reason": "Informational", "site": "http://host.docker.internal:3000", "key": "insight.endpoint.ctype.application/json", "description": "Percentage of endpoints with content type application/json", "statistic": "100" }, { "level": "Info", "reason": "Informational", "site": "http://host.docker.internal:3000", "key": "insight.endpoint.method.GET", "description": "Percentage of endpoints with method GET", "statistic": "100" }, { "level": "Info", "reason": "Informational", "site": "http://host.docker.internal:3000", "key": "insight.endpoint.total", "description": "Count of total endpoints", "statistic": "4" } ], "site":[ { "@name": "http://host.docker.internal:3000", "@host": "host.docker.internal", "@port": "3000", "@ssl": "false", "alerts": [ { "pluginid": "10098", "alertRef": "10098", "alert": "Cross-Domain Misconfiguration", "name": "Cross-Domain Misconfiguration", "riskcode": "2", "confidence": "2", "riskdesc": "Medium (Medium)", "desc": "Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.", "instances":[ { "id": "2", "uri": "http://host.docker.internal:3000/", "nodeName": "http:\/\/host.docker.internal:3000\/", "method": "GET", "param": "", "attack": "", "evidence": "Access-Control-Allow-Origin: *", "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing." }, { "id": "5", "uri": "http://host.docker.internal:3000/api", "nodeName": "http:\/\/host.docker.internal:3000\/api", "method": "GET", "param": "", "attack": "", "evidence": "Access-Control-Allow-Origin: *", "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing." }, { "id": "1", "uri": "http://host.docker.internal:3000/sitemap.xml", "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", "method": "GET", "param": "", "attack": "", "evidence": "Access-Control-Allow-Origin: *", "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing." } ], "count": "3", "systemic": true, "solution": "Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).Configure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.", "otherinfo": "The CORS misconfiguration on the web server permits cross-domain read requests from arbitrary third party domains, using unauthenticated APIs on this domain. Web browser implementations do not permit arbitrary third parties to read the response from authenticated APIs, however. This reduces the risk somewhat. This misconfiguration could be used by an attacker to access data that is available in an unauthenticated manner, but which uses some other form of security, such as IP address white-listing.", "reference": "https://vulncat.fortify.com/en/detail?category=HTML5&subcategory=Overly%20Permissive%20CORS%20Policy", "cweid": "264", "wascid": "14", "sourceid": "3" }, { "pluginid": "10037", "alertRef": "10037", "alert": "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)", "name": "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)", "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)", "desc": "The web/application server is leaking information via one or more \"X-Powered-By\" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.", "instances":[ { "id": "6", "uri": "http://host.docker.internal:3000/", "nodeName": "http:\/\/host.docker.internal:3000\/", "method": "GET", "param": "", "attack": "", "evidence": "X-Powered-By: Express", "otherinfo": "" }, { "id": "7", "uri": "http://host.docker.internal:3000/api", "nodeName": "http:\/\/host.docker.internal:3000\/api", "method": "GET", "param": "", "attack": "", "evidence": "X-Powered-By: Express", "otherinfo": "" }, { "id": "9", "uri": "http://host.docker.internal:3000/robots.txt", "nodeName": "http:\/\/host.docker.internal:3000\/robots.txt", "method": "GET", "param": "", "attack": "", "evidence": "X-Powered-By: Express", "otherinfo": "" }, { "id": "11", "uri": "http://host.docker.internal:3000/sitemap.xml", "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", "method": "GET", "param": "", "attack": "", "evidence": "X-Powered-By: Express", "otherinfo": "" } ], "count": "4", "systemic": true, "solution": "Ensure that your web server, application server, load balancer, etc. is configured to suppress \"X-Powered-By\" headers.", "otherinfo": "", "reference": "https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/08-Fingerprint_Web_Application_Frameworkhttps://www.troyhunt.com/shhh-dont-let-your-response-headers/", "cweid": "497", "wascid": "13", "sourceid": "3" }, { "pluginid": "10049", "alertRef": "10049-3", "alert": "Storable and Cacheable Content", "name": "Storable and Cacheable Content", "riskcode": "0", "confidence": "2", "riskdesc": "Informational (Medium)", "desc": "The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where \"shared\" caching servers such as \"proxy\" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.", "instances":[ { "id": "13", "uri": "http://host.docker.internal:3000/", "nodeName": "http:\/\/host.docker.internal:3000\/", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234." }, { "id": "14", "uri": "http://host.docker.internal:3000/api", "nodeName": "http:\/\/host.docker.internal:3000\/api", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234." }, { "id": "16", "uri": "http://host.docker.internal:3000/robots.txt", "nodeName": "http:\/\/host.docker.internal:3000\/robots.txt", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234." }, { "id": "12", "uri": "http://host.docker.internal:3000/sitemap.xml", "nodeName": "http:\/\/host.docker.internal:3000\/sitemap.xml", "method": "GET", "param": "", "attack": "", "evidence": "", "otherinfo": "In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234." } ], "count": "4", "systemic": true, "solution": "Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:Cache-Control: no-cache, no-store, must-revalidate, privatePragma: no-cacheExpires: 0This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.", "otherinfo": "In the absence of an explicitly specified caching lifetime directive in the response, a liberal lifetime heuristic of 1 year was assumed. This is permitted by rfc7234.", "reference": "https://datatracker.ietf.org/doc/html/rfc7234https://datatracker.ietf.org/doc/html/rfc7231https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html", "cweid": "524", "wascid": "13", "sourceid": "3" } ] } ], "sequences":[ ] }

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/JesusDavidQuarksoft/MCP_Security'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

dast-zap-1770171428833-report.json•11.2 KiB