Pentest Reports
All penetration tests were performed using OWASP ZAP 2.17.0 on 04/05/2026 and 05/05/2026.
Scope
Tests were performed on internal project infrastructure only. All targets are owned by the aliQuest project team.
dev.aliquest.me (aliQuest Frontend)
Tool: OWASP ZAP Automated Scan
Date: 05/05/2026
Total Findings: 13
| # | Finding | Severity | Notes |
|---|---|---|---|
| 1 | Vulnerable JS Library (lodash 4.17.23) | High | Loaded via SonarQube - requires SonarQube update |
| 2 | CSP: Failure to Define Directive with No Fallback | Medium | Systemic - CSP missing fallback directives |
| 3 | CSP: Wildcard Directive | Medium | Wildcard in CSP directives |
| 4 | CSP: script-src unsafe-inline | Medium | React requires unsafe-inline - future fix via nonces |
| 5 | CSP: style-src unsafe-inline | Medium | MUI requires unsafe-inline styles |
| 6 | Content Security Policy Header Not Set | Medium | Some pages missing CSP header |
| 7 | Sub Resource Integrity Attribute Missing | Medium | Google Fonts loaded without SRI hash - fix: self-host fonts |
| 8 | Vulnerable JS Library (second occurrence) | Medium | Second lodash reference |
| 9 | CSP: Notices | Low | Informational CSP warnings |
| 10 | Timestamp Disclosure - Unix | Low | Server timestamp in response headers |
| 11 | Information Disclosure - Suspicious Comments | Low | Dev comments in source code |
| 12 | Modern Web Application | Informational | Detection only |
| 13 | Re-examine Cache-control Directives | Informational | Cache headers review |
Actions Required:
- Replace the Google Fonts CDN with self-hosted fonts to resolve the SRI finding and improve GDPR compliance
- Replace `unsafe-inline` in the CSP with a nonce-based approach (frontend work required)
- Remove dev comments from the production build
sonar.aliquest.me
Tool: OWASP ZAP Automated Scan
Date: 04/05/2026
Total Findings: 7
| # | Finding | Severity | Notes |
|---|---|---|---|
| 1 | Vulnerable JS Library (lodash 4.17.23) | High | Internal SonarQube dependency - requires SonarQube update |
| 2 | CSP: Failure to Define Directive with No Fallback | Medium | SonarQube internal CSP |
| 3 | CSP: Wildcard Directive | Medium | SonarQube internal CSP |
| 4 | CSP: style-src unsafe-inline | Medium | SonarQube internal CSP |
| 5 | CSP: Notices | Low | SonarQube internal CSP |
| 6 | Timestamp Disclosure - Unix | Low | Server timestamp in response |
| 7 | Modern Web Application | Informational | Detection only |
Action Required: Update SonarQube to the latest version to resolve the lodash vulnerability, then re-scan to confirm the bundled lodash is no longer flagged.
argo.aliquest.me
Tool: OWASP ZAP Automated Scan
Date: 04/05/2026
Total Findings: 9
| # | Finding | Severity | Notes |
|---|---|---|---|
| 1 | Vulnerable JS Library (lodash 4.17.23) | High | Internal ArgoCD dependency |
| 2 | CSP: Failure to Define Directive with No Fallback | Medium | ArgoCD internal CSP |
| 3 | CSP: Wildcard Directive | Medium | ArgoCD internal CSP |
| 4 | CSP: script-src unsafe-inline | Medium | ArgoCD internal CSP |
| 5 | CSP: style-src unsafe-inline | Medium | ArgoCD internal CSP |
| 6 | CSP: Notices | Low | ArgoCD internal CSP |
| 7 | Timestamp Disclosure - Unix | Low | Server timestamp in response |
| 8 | Modern Web Application | Informational | Detection only |
| 9 | Re-examine Cache-control Directives | Informational | Cache headers review |
Action Required: Update ArgoCD to the latest version to resolve the lodash vulnerability, then re-scan to confirm the bundled lodash is no longer flagged.
grafana.aliquest.me
Tool: OWASP ZAP Automated Scan
Date: 04/05/2026
Total Findings: 12
| # | Finding | Severity | Notes |
|---|---|---|---|
| 1 | Vulnerable JS Library (lodash 4.17.23) | High | Internal Grafana dependency |
| 2 | CSP: Failure to Define Directive with No Fallback | Medium | Grafana internal CSP |
| 3 | CSP: Wildcard Directive | Medium | Grafana internal CSP |
| 4 | CSP: script-src unsafe-inline | Medium | Grafana internal CSP |
| 5 | CSP: style-src unsafe-inline | Medium | Grafana internal CSP |
| 6 | Content Security Policy Header Not Set | Medium | Some Grafana pages missing CSP |
| 7 | Vulnerable JS Library | Medium | Second occurrence |
| 8 | CSP: Notices | Low | Grafana internal CSP |
| 9 | Timestamp Disclosure - Unix (Systemic) | Low | Server timestamp in response |
| 10 | Information Disclosure - Suspicious Comments | Low | Dev comments in source code |
| 11 | Modern Web Application | Informational | Detection only |
| 12 | Re-examine Cache-control Directives | Informational | Cache headers review |
Action Required: Update Grafana to the latest version and re-scan to confirm the bundled lodash is no longer flagged. Review the suspicious comments flagged in the served source.
Summary
| Target | High | Medium | Low | Info | Total |
|---|---|---|---|---|---|
| dev.aliquest.me | 1 | 7 | 3 | 2 | 13 |
| sonar.aliquest.me | 1 | 3 | 2 | 1 | 7 |
| argo.aliquest.me | 1 | 4 | 2 | 2 | 9 |
| grafana.aliquest.me | 1 | 6 | 3 | 2 | 12 |
Key observations:
- The High finding (vulnerable lodash 4.17.23) is reported on all four targets and originates from the JavaScript bundled with third-party tools (SonarQube, ArgoCD, Grafana), not from aliQuest code. Resolution is to update each tool and re-scan.
- No Critical findings were reported in our own application code. These are automated-scan results only; business-logic and authorisation flaws are outside what ZAP's rules detect.
- Besides the CSP and dev-comment items, the SRI finding on dev.aliquest.me is the only finding specific to our own code; the fix is to self-host the Google Fonts.
- The CSP `unsafe-inline` findings on dev.aliquest.me are known limitations of the current React/MUI setup and will be addressed with a nonce-based CSP in a future sprint.