Product Security Knowledge Base

Sample ZAP Summary

This miniature sample is intentionally short. Use it to explain what a scanner summary is good for and what it is not good for.

What this snippet is for

  • quick leadership or triage summaries;
  • attaching a simple artifact to CI evidence;
  • showing how a DAST result can point reviewers toward manual follow-up.

It does not replace route-by-route manual review for authorization, workflow abuse, or business-logic flaws; a DAST scanner exercises inputs, not intent, and will not reliably find those classes.

Counts

  • High: 2
  • Medium: 3
  • Low: 2

Alerts

  1. SQL Injection - /api/v1/orders/search
  2. Cross-Site Scripting - /profile
  3. Missing Anti-CSRF Tokens - /settings/update
  4. Authentication Request Identified - /login
  5. Content Security Policy Header Not Set - /
  6. X-Content-Type-Options Header Missing - /static/app.js
  7. Cookie Without Secure Flag - /session

Reviewer note

If the scanner says "CSP header missing," ask which origin, which page class, and which authenticated surface the alert fired on. A generic header finding becomes meaningful only after route context (what that page renders and who reaches it) and business context (what an attacker gains there) are added; until then it is a reminder to look, not a finding to rank.
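The list under "What this snippet is for" and the reviewer note above describe the same workflow: reduce a scan to counts and alert/route pairs for CI evidence, then point each alert at the manual follow-up it needs. The script below is an added example of that workflow, not code from ZAP or from this knowledge base. It assumes the input follows the layout of ZAP's traditional JSON report (a top-level "site" list, each site carrying "alerts", each alert a string "riskcode" from "3" High down to "0" Informational and an "instances" list with "uri", "method" and "param"); the embedded report is constructed to mirror the seven alerts listed on this page and is not a real scan. One assumption worth stating: "Authentication Request Identified" is rated Informational by ZAP, so the script reports it separately rather than folding it into a risk bucket, and the names in CONTEXT_DEPENDENT are the editor's choice of which alerts need route context before triage.

```python
"""Turn a ZAP JSON report into the kind of summary shown on this page, plus a CI gate.

Added example; not ZAP's own code. Assumes the traditional ZAP JSON report layout:
report["site"][i]["alerts"][j] has "name", "riskcode" ("3".."0") and "instances",
each instance carrying "uri", "method" and "param".
"""
import json
from collections import Counter
from urllib.parse import urlsplit

RISK_NAMES = {"3": "High", "2": "Medium", "1": "Low", "0": "Informational"}

# Name fragments (editor's choice, not a ZAP list) of alerts that only become
# actionable once the reviewer knows the origin, page class and authenticated surface.
CONTEXT_DEPENDENT = ("Content Security Policy", "X-Content-Type-Options",
                     "Cookie Without Secure", "Anti-CSRF")

# Constructed sample mirroring the seven alerts on this page; not a real scan result.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"name": "SQL Injection", "riskcode": "3",
             "instances": [{"uri": "https://app.example.test/api/v1/orders/search", "method": "GET", "param": "q"}]},
            {"name": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "instances": [{"uri": "https://app.example.test/profile", "method": "GET", "param": "name"}]},
            {"name": "Missing Anti-CSRF Tokens", "riskcode": "2",
             "instances": [{"uri": "https://app.example.test/settings/update", "method": "POST", "param": ""}]},
            {"name": "Authentication Request Identified", "riskcode": "0",
             "instances": [{"uri": "https://app.example.test/login", "method": "POST", "param": "password"}]},
            {"name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "instances": [{"uri": "https://app.example.test/", "method": "GET", "param": ""},
                           {"uri": "https://app.example.test/profile", "method": "GET", "param": ""}]},
            {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "instances": [{"uri": "https://app.example.test/static/app.js", "method": "GET", "param": ""}]},
            {"name": "Cookie Without Secure Flag", "riskcode": "1",
             "instances": [{"uri": "https://app.example.test/session", "method": "GET", "param": "sessionid"}]},
        ],
    }],
})


def load_alerts(report_text):
    """Flatten the report into one record per alert instance (name, risk, path, method, param)."""
    report = json.loads(report_text)
    records = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = RISK_NAMES.get(str(alert.get("riskcode")), "Unknown")
            for inst in alert.get("instances", []):
                records.append({
                    "name": alert.get("name", "?"),
                    "risk": risk,
                    "path": urlsplit(inst.get("uri", "")).path or "/",
                    "method": inst.get("method", ""),
                    "param": inst.get("param", ""),
                })
    return records


def triage_action(name, risk):
    """The manual follow-up a reviewer owes each alert; the summary is only useful if it says this."""
    if risk == "Informational":
        return "note only, not a finding"
    if any(fragment in name for fragment in CONTEXT_DEPENDENT):
        return "needs route/origin context before triage"
    return "verify manually on this route"


def summarize(records):
    """One row per alert name, listing every affected route (ZAP counts alert types, not instances)."""
    rows = {}
    for r in records:
        paths = rows.setdefault((r["name"], r["risk"]), [])
        if r["path"] not in paths:
            paths.append(r["path"])
    return [{"name": name, "risk": risk, "paths": paths, "action": triage_action(name, risk)}
            for (name, risk), paths in rows.items()]


def count_by_risk(summary):
    """Counts in the style of the page's 'Counts' section, with Informational kept apart."""
    return Counter(row["risk"] for row in summary)


def render(summary):
    """Plain-text artifact suitable for attaching to a CI run."""
    counts = count_by_risk(summary)
    lines = ["Counts"]
    for level in ("High", "Medium", "Low", "Informational"):
        lines.append(f"  {level}: {counts.get(level, 0)}")
    lines.append("Alerts")
    for i, row in enumerate(summary, 1):
        lines.append(f"  {i}. {row['name']} - {', '.join(row['paths'])} [{row['risk']}] -> {row['action']}")
    return "\n".join(lines)


def ci_gate(summary, block=("High",)):
    """True when the pipeline may pass: no alert at a blocked level. Evidence, not assurance."""
    return not any(row["risk"] in block for row in summary)


if __name__ == "__main__":
    summary = summarize(load_alerts(SAMPLE_REPORT))
    print(render(summary))
    raise SystemExit(0 if ci_gate(summary) else 1)
```

Run it as a CI step and archive the printed summary alongside the raw report; the exit code blocks the build only on High alerts, while the per-alert action column is what a reviewer reads next. Note that the Medium count here is 2, not the 3 on the page, because the login alert lands in Informational; if a summary's counts and its alert list disagree, reconcile them before anyone reports the numbers upward.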