CommandBox/Undertow Server scanned with OWASP ZAP

We had a user ask recently if we had run any automated scanners against CommandBox servers to verify they were secure. While we’ve taken care to make CommandBox servers secure by default and I’ve helped many clients who have run scans against their own CommandBox-hosted apps, Ortus had never performed any scans just against CommandBox itself. I grabbed the OWASP ZAP scanner, which is a free scanning tool that checks for a bunch of different vulnerabilities, specifically HTTP-header-related ones. I figured it would be nice to post what I did here for the community to see.


I downloaded the OWASP ZAP scanning tool and started an HTML server in a folder with an index.html that outputs “hello world”.

mkdir scanme --cd
echo "hello world" > index.html
server start cfengine=none

I’m purposefully not testing a CF engine here, since the goal wasn’t to find out whether Lucee or Adobe CF is safe, but whether the CommandBox portions were safe.

The scan ran with only two warnings (attached file 2022-02-15-ZAP-Report.pdf, 10.3 KB).

Both warnings were for response headers the server didn’t return:

  • X-Content-Type-Options
  • X-Frame-Options

As a generic server, CommandBox does not add those headers by default, and it shouldn’t: the right values depend on the application being served (an app that legitimately frames its own pages cannot use X-Frame-Options: deny, for instance), so the developers of that app set them as their application needs.

To demonstrate how easily CommandBox allows these headers to be added, placing the following server.json in the folder the server was started from and restarting the server produces a clean scan with zero findings (attached file 2022-02-15-ZAP-Report-with-headers.pdf, 4.5 KB). The rules use Undertow’s predicate language, where the %{o,Header-Name} attribute refers to a response header, so each set() line adds one header to every response.

{
    "web":{
        "rules":[
            "set(attribute='%{o,X-Content-Type-Options}',value='nosniff')",
            "set(attribute='%{o,X-Frame-Options}',value='deny')"
        ]
    }
}

For a more meaningful test, scan your actual application running on whichever version of Lucee or Adobe ColdFusion you use; a static hello-world page exercises none of the engine or application code. But as shown above, a bare CommandBox server produces no findings in this OWASP ZAP scan, and the two header warnings it can raise are a two-rule server.json fix.

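As an added example (not ZAP’s or CommandBox’s own code), the following Python script performs the same passive check ZAP did on the two headers above: it parses a raw HTTP response head such as `curl -i` prints, reports each header that is missing or carries a value a scanner would not accept, and for each missing header emits the corresponding set() rule in the server.json form shown in the post. The two response heads it scans are constructed to resemble the bare server before and after the rules were applied, and the accepted values (nosniff; deny or sameorigin) are this example’s assumption about what a scanner wants, not ZAP’s exact rule set.

```python
"""Passive security-header check in the spirit of the two OWASP ZAP warnings
from the post. Added example, not ZAP's or CommandBox's own code; the
response heads below are constructed, not captured from a server."""

import re
from typing import Dict, List

# The two headers the scan flagged, with the values a scanner normally accepts.
# Assumption: ZAP's own rules may accept other variants; we check these only.
EXPECTED_VALUES = {
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
}

# Value to configure when a header is absent (matches the post's server.json).
DEFAULT_VALUES = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
}


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse the status line and headers of an HTTP/1.x response (what
    `curl -i` prints) into a dict keyed by lowercase header name.
    Header names are case-insensitive; repeated headers are joined with ', '."""
    lines = re.split(r"\r?\n", raw.strip())
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; any body after it is ignored
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak headers; an empty list is a clean scan."""
    findings = []
    for name, allowed in EXPECTED_VALUES.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif value.lower() not in allowed:
            findings.append(f"weak value: {name}: {value}")
    return findings


def undertow_rules(headers: Dict[str, str]) -> List[str]:
    """Emit one CommandBox web.rules entry (an Undertow predicate-language
    set() handler on the %{o,...} response-header attribute, as in the post)
    for each header that is missing from the response."""
    rules = []
    for name, value in DEFAULT_VALUES.items():
        if name not in headers:
            canonical = "-".join(part.capitalize() for part in name.split("-"))
            rules.append(f"set(attribute='%{{o,{canonical}}}',value='{value}')")
    return rules


# Constructed head resembling the bare `cfengine=none` server (no hardening).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    "hello world\n"
)

# Constructed head resembling the same server after the server.json rules.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: deny\r\n"
    "Content-Length: 12\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        hdrs = parse_response_head(raw)
        print(label, check_headers(hdrs) or "clean")
        for rule in undertow_rules(hdrs):
            print("  add to web.rules:", rule)
```

Against a real server, pipe the output of curl -i into parse_response_head; the generated rules drop straight into the "rules" array of the server.json shown above.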