DevSecOps MCP Server

{ "tool": "OWASP ZAP (Docker)", "scan_id": "dast-zap-1770171428833", "status": "completed", "target_url": "http://localhost:3000/api", "vulnerabilities": [ { "id": "ZAP-10098", "name": "Cross-Domain Misconfiguration", "severity": "medium", "confidence": "2", "description": "<p>Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.</p>", "url": "http://host.docker.internal:3000/", "method": "GET", "attack": "Access-Control-Allow-Origin: *", "reference": "https://www.zaproxy.org/docs/alerts/10098/", "solution": "<p>Ensure that sensitive data is not available in an unauthenticated manner (using IP address white-listing, for instance).</p><p>Configure the \"Access-Control-Allow-Origin\" HTTP header to a more restrictive set of domains, or remove all CORS headers entirely, to allow the web browser to enforce the Same Origin Policy (SOP) in a more restrictive manner.</p>", "cwe_id": 264 }, { "id": "ZAP-10037", "name": "Server Leaks Information via \"X-Powered-By\" HTTP Response Header Field(s)", "severity": "low", "confidence": "2", "description": "<p>The web/application server is leaking information via one or more \"X-Powered-By\" HTTP response headers. Access to such information may facilitate attackers identifying other frameworks/components your web application is reliant upon and the vulnerabilities such components may be subject to.</p>", "url": "http://host.docker.internal:3000/", "method": "GET", "attack": "X-Powered-By: Express", "reference": "https://www.zaproxy.org/docs/alerts/10037/", "solution": "<p>Ensure that your web server, application server, load balancer, etc. is configured to suppress \"X-Powered-By\" headers.</p>", "cwe_id": 497 }, { "id": "ZAP-10049", "name": "Storable and Cacheable Content", "severity": "low", "confidence": "2", "description": "<p>The response contents are storable by caching components such as proxy servers, and may be retrieved directly from the cache, rather than from the origin server by the caching servers, in response to similar requests from other users. If the response data is sensitive, personal or user-specific, this may result in sensitive information being leaked. In some cases, this may even result in a user gaining complete control of the session of another user, depending on the configuration of the caching components in use in their environment. This is primarily an issue where \"shared\" caching servers such as \"proxy\" caches are configured on the local network. This configuration is typically found in corporate or educational environments, for instance.</p>", "url": "http://host.docker.internal:3000/", "method": "GET", "attack": "", "reference": "https://www.zaproxy.org/docs/alerts/10049/", "solution": "<p>Validate that the response does not contain sensitive, personal or user-specific information. If it does, consider the use of the following HTTP response headers, to limit, or prevent the content being stored and retrieved from the cache by another user:</p><p>Cache-Control: no-cache, no-store, must-revalidate, private</p><p>Pragma: no-cache</p><p>Expires: 0</p><p>This configuration directs both HTTP 1.0 and HTTP 1.1 compliant caching servers to not store the response, and to not retrieve the response (without validation) from the cache, in response to a similar request.</p>", "cwe_id": 524 } ], "summary": { "total": 3, "critical": 0, "high": 0, "medium": 1, "low": 2 }, "coverage": { "urls_found": 0, "urls_tested": 3 }, "metadata": { "scan_duration": 85528, "scan_type": "baseline", "timestamp": "2026-02-04T02:18:34.202Z" }, "project_path": "c:\\Users\\Jezuz\\OneDrive\\Escritorio\\Quarksoft\\Miguel\\PruebasUnitarias" }