Fix zap pen testing warnings #447

Closed
opened 2025-11-02 03:23:45 -06:00 by GiteaMirror · 4 comments

Originally created by @tboerger on GitHub (Mar 9, 2017).

Some community user tried some simple pen testing and there we have some warnings we should fix. Looks like all of them are mostly related to simple headers:

```
# docker run -t owasp/zap2docker-stable zap-baseline.py -t https://try.gitea.io/explore/repos
Mar 09, 2017 11:15:07 AM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Total of 238 URLs
PASS: Password Autocomplete in Browser [10012]
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Session ID in URL Rewrite [3]
PASS: Script passive scan rules [50001]
PASS: Application Error Disclosure [90022]
WARN: Cookie No HttpOnly Flag [10010] x 352
	https://try.gitea.io/explore/repos
	https://try.gitea.io/robots.txt
	https://try.gitea.io/sitemap.xml
	https://try.gitea.io/
	https://try.gitea.io/user/sign_up
WARN: Cookie Without Secure Flag [10011] x 754
	https://try.gitea.io/explore/repos
	https://try.gitea.io/explore/repos
	https://try.gitea.io/explore/repos
	https://try.gitea.io/robots.txt
	https://try.gitea.io/robots.txt
WARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 344
	https://try.gitea.io/explore/repos
	https://try.gitea.io/sitemap.xml
	https://try.gitea.io/
	https://try.gitea.io/user/sign_up
	https://try.gitea.io/user/login?redirect_to=%2fexplore%2frepos
WARN: Web Browser XSS Protection Not Enabled [10016] x 346
	https://try.gitea.io/explore/repos
	https://try.gitea.io/sitemap.xml
	https://try.gitea.io/
	https://try.gitea.io/user/sign_up
	https://try.gitea.io/user/login?redirect_to=%2fexplore%2frepos
WARN: X-Frame-Options Header Not Set [10020] x 150
	https://try.gitea.io/sitemap.xml?lang=zh-CN
	https://try.gitea.io/sitemap.xml?lang=zh-HK
	https://try.gitea.io/sitemap.xml?lang=zh-TW
	https://try.gitea.io/sitemap.xml?lang=de-DE
	https://try.gitea.io/sitemap.xml?lang=fr-FR
WARN: X-Content-Type-Options Header Missing [10021] x 346
	https://try.gitea.io/explore/repos
	https://try.gitea.io/sitemap.xml
	https://try.gitea.io/
	https://try.gitea.io/user/sign_up
	https://try.gitea.io/user/login?redirect_to=%2fexplore%2frepos
WARN: Secure Pages Include Mixed Content [10040] x 5
	https://try.gitea.io/spacetimeme/gitea
	https://try.gitea.io/lunny/gitea
	https://try.gitea.io/gitea/gitea
	https://try.gitea.io/bervianto.leo/Hyperdoku-Solver
	https://try.gitea.io/Daviey/IRM
WARN: Private IP Disclosure [2] x 1
	https://try.gitea.io/Daviey/Leeson
FAIL: 0	WARN: 8	IGNORE: 0	PASS: 6
```

* [ ] Cookie No HttpOnly Flag
* [ ] Cookie Without Secure Flag
* [ ] Incomplete or No Cache-control and Pragma HTTP Header Set
* [ ] Web Browser XSS Protection Not Enabled
* [ ] X-Frame-Options Header Not Set
* [ ] X-Content-Type-Options Header Missing
* [ ] Secure Pages Include Mixed Content
* [ ] Private IP Disclosure
GiteaMirror added the type/enhancement, topic/security labels 2025-11-02 03:23:45 -06:00
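The warnings in the report above are all fixable at the HTTP layer. As an added example, not Gitea's own middleware and not code from this thread, here is a Go `net/http` wrapper that sets each response header ZAP looked for and issues a session cookie with the HttpOnly, Secure and SameSite attributes, exercised through `httptest` so it runs offline. The policy values are assumptions for a site served only over HTTPS: SAMEORIGIN framing, a one-year HSTS, `upgrade-insecure-requests` to address the mixed-content hits (rule 10040) that come from images in user-supplied READMEs, and the `/js/` and `/css/` prefixes under which hashed static assets may keep a long cache lifetime. The cookie name is chosen for illustration. One caveat the scan does not state: rule 10016 asks for `X-XSS-Protection`, but the browser filter that header controlled was removed from Chromium in 2019 and never existed in Firefox, so the wrapper relies on Content-Security-Policy instead of setting it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// securityHeaders sets the headers the ZAP baseline report asks for.
// Example code for this issue, not Gitea's middleware; the policy values
// are assumptions for an HTTPS-only site that is never framed by others.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff") // 10021: no MIME sniffing of user-uploaded files
		h.Set("X-Frame-Options", "SAMEORIGIN")     // 10020: clickjacking defence for older browsers
		// 10038: frame-ancestors is the modern form of X-Frame-Options;
		// upgrade-insecure-requests addresses 10040 (mixed content from READMEs).
		h.Set("Content-Security-Policy", "frame-ancestors 'self'; upgrade-insecure-requests")
		h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains") // 10035
		// 10015: dynamic pages must not be cached, but hashed static assets
		// (assumed to live under /js/ and /css/) should keep caching.
		if strings.HasPrefix(r.URL.Path, "/js/") || strings.HasPrefix(r.URL.Path, "/css/") {
			h.Set("Cache-Control", "public, max-age=31536000, immutable")
		} else {
			h.Set("Cache-Control", "no-store")
			h.Set("Pragma", "no-cache")
		}
		next.ServeHTTP(w, r)
	})
}

// sessionCookie carries the three attributes ZAP checks: HttpOnly (10010),
// Secure (10011) and SameSite (10054). Lax rather than Strict so that links
// from other sites into the instance still arrive with a session.
func sessionCookie(name, value string) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
}

// app is a stand-in for the real router: one HTML page and one static asset.
func app() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/explore/repos", func(w http.ResponseWriter, r *http.Request) {
		// cookie name and value are constructed for the example
		http.SetCookie(w, sessionCookie("i_like_gitea", "example-session-id"))
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, "<html><body>repos</body></html>")
	})
	mux.HandleFunc("/js/index.js", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/javascript")
		fmt.Fprint(w, "console.log('hi')")
	})
	return securityHeaders(mux)
}

// serve runs one GET through the wrapped app and returns the recorded
// response, so headers and cookies can be inspected without a network.
func serve(path string) *http.Response {
	rec := httptest.NewRecorder()
	app().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result()
}

func main() {
	for _, p := range []string{"/explore/repos", "/js/index.js"} {
		resp := serve(p)
		fmt.Println(p)
		for _, k := range []string{"X-Content-Type-Options", "X-Frame-Options",
			"Content-Security-Policy", "Strict-Transport-Security", "Cache-Control", "Set-Cookie"} {
			fmt.Printf("  %s: %s\n", k, resp.Header.Get(k))
		}
	}
}
```

`go run` prints the headers of both responses. The asset path keeping a long cache lifetime is the part a blanket `no-store` middleware usually gets wrong, and `frame-ancestors` in the CSP is what current browsers honour, with `X-Frame-Options` kept only for older ones.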

@lunny commented on GitHub (Apr 8, 2017):

```
➜  ~ docker run -t owasp/zap2docker-stable zap-baseline.py -t https://try.gitea.io/explore/repos
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Apr 08, 2017 3:19:07 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Traceback (most recent call last):
  File "/zap//zap-baseline.py", line 617, in <module>
    main(sys.argv[1:])
  File "/zap//zap-baseline.py", line 580, in main
    except IOError as (errno, strerror):
ValueError: need more than 1 value to unpack
```

cannot test it.


@0x5c commented on GitHub (Jan 23, 2019):

Could test against https://try.gitea.io/, which was at b9f8737 at the time of testing.

```
root@teapot:~# docker run -t owasp/zap2docker-stable zap-baseline.py -t https://try.gitea.io/
_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be created.
Jan 23, 2019 9:46:09 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Total of 792 URLs
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: Information Disclosure - Sensitive Informations in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Viewstate Scanner [10032]
PASS: Weak Authentication Method [10105]
PASS: Private IP Disclosure [2]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Cookie No HttpOnly Flag [10010] x 326
        https://try.gitea.io/
        https://try.gitea.io/robots.txt
        https://try.gitea.io/?lang=zh-CN
        https://try.gitea.io/?lang=zh-HK
        https://try.gitea.io/?lang=zh-TW
WARN-NEW: Cookie Without Secure Flag [10011] x 352
        https://try.gitea.io/
        https://try.gitea.io/
        https://try.gitea.io/
        https://try.gitea.io/robots.txt
        https://try.gitea.io/robots.txt
WARN-NEW: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 552
        https://try.gitea.io/
        https://try.gitea.io/user/sign_up
        https://try.gitea.io/explore/repos
        https://try.gitea.io/user/login?redirect_to
        https://try.gitea.io/user/login?redirect_to=%2fsitemap.xml
WARN-NEW: Web Browser XSS Protection Not Enabled [10016] x 560
        https://try.gitea.io/
        https://try.gitea.io/robots.txt
        https://try.gitea.io/sitemap.xml
        https://try.gitea.io/user/sign_up
        https://try.gitea.io/explore/repos
WARN-NEW: X-Frame-Options Header Not Set [10020] x 1
        https://try.gitea.io/vendor/librejs.html
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 617
        https://try.gitea.io/
        https://try.gitea.io/user/sign_up
        https://try.gitea.io/explore/repos
        https://try.gitea.io/user/login?redirect_to
        https://try.gitea.io/user/login?redirect_to=%2fsitemap.xml
WARN-NEW: Information Disclosure - Debug Error Messages [10023] x 4
        https://try.gitea.io/ulm0/negroni
        https://try.gitea.io/ligh0721/negroni
        https://try.gitea.io/kaeptmblaubaer1000/cpython
        https://try.gitea.io/davidak/nixpkgs
WARN-NEW: HTTP Parameter Override [10026] x 181
        https://try.gitea.io/explore/repos
        https://try.gitea.io/explore/organizations
        https://try.gitea.io/explore/repos?q&sort=newest&tab
        https://try.gitea.io/explore/repos?q&sort=oldest&tab
        https://try.gitea.io/explore/repos?q&sort=alphabetically&tab
WARN-NEW: Secure Pages Include Mixed Content [10040] x 3
        https://try.gitea.io/ulm0/mux
        https://try.gitea.io/go-gitea/go-sdk
        https://try.gitea.io/go-gitea/git
WARN-NEW: Absence of Anti-CSRF Tokens [10202] x 395
        https://try.gitea.io/user/sign_up
        https://try.gitea.io/explore/repos
        https://try.gitea.io/user/login?redirect_to
        https://try.gitea.io/user/login?redirect_to=%2fsitemap.xml
        https://try.gitea.io/user/login?redirect_to=%2fuser%2fsign_up
WARN-NEW: Application Error Disclosure [90022] x 2
        https://try.gitea.io/ulm0/negroni
        https://try.gitea.io/ligh0721/negroni
FAIL-NEW: 0     FAIL-INPROG: 0  WARN-NEW: 11    WARN-INPROG: 0  INFO: 0 IGNORE: 0       PASS: 13
```

Edit, clarification:
All errors on specific repo pages are from user content (README.md, issues, committed logs, etc).
That being said, it could probably be mitigated in some way by the server.


@6543 commented on GitHub (Sep 7, 2020):

Gitea Version: 1.13.0+dev-569-g91e7ad569

```
INFO: Created user preferences directory.
Total of 566 URLs
PASS: Cross-Domain JavaScript Source File Inclusion [10017]
PASS: Content-Type Header Missing [10019]
PASS: X-Frame-Options Header Scanner [10020]
PASS: Information Disclosure - Sensitive Information in URL [10024]
PASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]
PASS: HTTP Parameter Override [10026]
PASS: Information Disclosure - Suspicious Comments [10027]
PASS: Open Redirect [10028]
PASS: Cookie Poisoning [10029]
PASS: User Controllable Charset [10030]
PASS: User Controllable HTML Element Attribute (Potential XSS) [10031]
PASS: Viewstate Scanner [10032]
PASS: Directory Browsing [10033]
PASS: Heartbleed OpenSSL Vulnerability (Indicative) [10034]
PASS: HTTP Server Response Header Scanner [10036]
PASS: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) [10037]
PASS: X-Backend-Server Header Information Leak [10039]
PASS: HTTP to HTTPS Insecure Transition in Form Post [10041]
PASS: HTTPS to HTTP Insecure Transition in Form Post [10042]
PASS: User Controllable JavaScript Event (XSS) [10043]
PASS: Big Redirect Detected (Potential Sensitive Information Leak) [10044]
PASS: Retrieved from Cache [10050]
PASS: X-ChromeLogger-Data (XCOLD) Header Information Leak [10052]
PASS: CSP Scanner [10055]
PASS: X-Debug-Token Information Leak [10056]
PASS: Username Hash Found [10057]
PASS: X-AspNet-Version Response Header Scanner [10061]
PASS: Timestamp Disclosure [10096]
PASS: Hash Disclosure [10097]
PASS: Cross-Domain Misconfiguration [10098]
PASS: Weak Authentication Method [10105]
PASS: Reverse Tabnabbing [10108]
PASS: Modern Web Application [10109]
PASS: Session ID in URL Rewrite [3]
PASS: Script Passive Scan Rules [50001]
PASS: Insecure JSF ViewState [90001]
PASS: Charset Mismatch [90011]
PASS: Loosely Scoped Cookie [90033]
WARN-NEW: Cookie No HttpOnly Flag [10010] x 231 
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/robots.txt (404 Not Found)
	https://try.gitea.io/sitemap.xml?lang=zh-CN (404 Not Found)
	https://try.gitea.io/sitemap.xml?lang=zh-HK (404 Not Found)
	https://try.gitea.io/sitemap.xml?lang=zh-TW (404 Not Found)
WARN-NEW: Cookie Without Secure Flag [10011] x 342 
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/robots.txt (404 Not Found)
	https://try.gitea.io/robots.txt (404 Not Found)
WARN-NEW: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 717 
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/user/sign_up (200 OK)
	https://try.gitea.io/explore/repos (200 OK)
	https://try.gitea.io/user/login?redirect_to=%2f (200 OK)
	https://try.gitea.io/user/login?redirect_to=%2fsitemap.xml (200 OK)
WARN-NEW: X-Content-Type-Options Header Missing [10021] x 755 
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/user/sign_up (200 OK)
	https://try.gitea.io/explore/repos (200 OK)
	https://try.gitea.io/user/login?redirect_to=%2f (200 OK)
	https://try.gitea.io/user/login?redirect_to=%2fsitemap.xml (200 OK)
WARN-NEW: Information Disclosure - Debug Error Messages [10023] x 4 
	https://try.gitea.io/ulm0/negroni (200 OK)
	https://try.gitea.io/ligh0721/negroni (200 OK)
	https://try.gitea.io/ulm0/mux (200 OK)
WARN-NEW: Strict-Transport-Security Header Not Set [10035] x 806 
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/robots.txt (404 Not Found)
	https://try.gitea.io/sitemap.xml (404 Not Found)
	https://try.gitea.io/user/sign_up (200 OK)
	https://try.gitea.io/explore/repos (200 OK)
WARN-NEW: Content Security Policy (CSP) Header Not Set [10038] x 739 
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/robots.txt (404 Not Found)
	https://try.gitea.io/sitemap.xml (404 Not Found)
	https://try.gitea.io/user/sign_up (200 OK)
	https://try.gitea.io/explore/repos (200 OK)
WARN-NEW: Secure Pages Include Mixed Content [10040] x 1 
	https://try.gitea.io/asdasd2/FLEX (200 OK)
WARN-NEW: Cookie Without SameSite Attribute [10054] x 342 
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/ (200 OK)
	https://try.gitea.io/robots.txt (404 Not Found)
	https://try.gitea.io/robots.txt (404 Not Found)
WARN-NEW: PII Disclosure [10062] x 1 
	https://try.gitea.io/explore/repos?page=5&q&sort=alphabetically&topic=false (200 OK)
WARN-NEW: Absence of Anti-CSRF Tokens [10202] x 261 
	https://try.gitea.io/explore/repos (200 OK)
	https://try.gitea.io/explore/users (200 OK)
	https://try.gitea.io/explore/organizations (200 OK)
	https://try.gitea.io/explore/repos?q&sort=newest&tab (200 OK)
	https://try.gitea.io/explore/repos?q&sort=oldest&tab (200 OK)
WARN-NEW: Private IP Disclosure [2] x 2 
	https://try.gitea.io/js/swagger.js?v=2b645d0f53bfafb354e8ae694a0d739d (200 OK)
	https://try.gitea.io/tuwohuconu/openatx__uiautomator2 (200 OK)
WARN-NEW: Application Error Disclosure [90022] x 4 
	https://try.gitea.io/ulm0/negroni (200 OK)
	https://try.gitea.io/ligh0721/negroni (200 OK)
	https://try.gitea.io/strk/geos/commit/bed36f15c780057ae9b83eb9cd2e8ef6a9ada498 (200 OK)
FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 13	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 38
```

@tboerger commented on GitHub (Dec 19, 2020):

I'm not really involved in Gitea anymore, so I'm closing this issue. If there is still interest please open a new issue and maybe link to this one for initial discussion. I want to get my issues cleaned up.

Reference: github-starred/gitea#447