Merge pull request #7147 from Arunodoy18/fix/8056-clean-markdown-in-solutions

thc202 · web-flow · commit 75217708485a · 2026-03-04T18:06:59.000Z
commonlib: Remove markdown formatting from solution elements
diff --git a/addOns/commonlib/CHANGELOG.md b/addOns/commonlib/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 - Update dependencies.
 - Use a monospaced font for the output panel.
+- Remove Markdown formatting from vulnerabilities' solutions (Issue 8056).
 
 ### Added
 - Added OWASP Top 10 2025 and OWASP API Top 10 2023 Alert Tags.
diff --git a/addOns/commonlib/src/main/resources/org/zaproxy/addon/commonlib/internal/vulns/vulnerabilities.xml b/addOns/commonlib/src/main/resources/org/zaproxy/addon/commonlib/internal/vulns/vulnerabilities.xml
@@ -611,13 +611,13 @@ Web application functionality that is often a target for automation attacks may
     * Web-based SMS message sending - attackers may exploit SMS message sending systems in order to spam mobile phone users
 	</desc>
 	<solution>Implement strong anti-automation measures to defend against malicious attempts to automate processes. Consider the following strategies:
-1. **CAPTCHA:** Integrate CAPTCHA challenges in critical forms to distinguish between automated bots and human users.
-2. **Rate Limiting:** Enforce rate limiting on various actions to prevent rapid and repetitive requests which makes the automated attacks less effective.
-3. **Behavioral Analysis:** Implement behavioral analysis tools to detect patterns indicative of automation, such as unusual navigation sequences or form submissions.
-4. **Device Fingerprinting:** Use device fingerprinting techniques to identify and block requests from suspicious or known automated sources.
-5. **Multi-Factor Authentication (MFA):** Introduce multi-factor authentication to add an extra layer of security, making it harder for automated attacks to succeed.
-6. **Honeypots:** Deploy honeypots or hidden fields in forms to trick automated bots into revealing their presence, allowing for appropriate action.
-7. **Monitoring and Logging:** Regularly monitor and log user activities to identify and respond to unusual patterns indicative of automation.
+- CAPTCHA: Integrate CAPTCHA challenges in critical forms to distinguish between automated bots and human users.
+- Rate Limiting: Enforce rate limiting on various actions to prevent rapid and repetitive requests which makes the automated attacks less effective.
+- Behavioral Analysis: Implement behavioral analysis tools to detect patterns indicative of automation, such as unusual navigation sequences or form submissions.
+- Device Fingerprinting: Use device fingerprinting techniques to identify and block requests from suspicious or known automated sources.
+- Multi-Factor Authentication (MFA): Introduce multi-factor authentication to add an extra layer of security, making it harder for automated attacks to succeed.
+- Honeypots: Deploy honeypots or hidden fields in forms to trick automated bots into revealing their presence, allowing for appropriate action.
+- Monitoring and Logging: Regularly monitor and log user activities to identify and respond to unusual patterns indicative of automation.
 
 A combination of these measures is often more effective in preventing automated attacks.</solution>
 	<reference>https://owasp.org/www-project-automated-threats-to-web-applications/</reference>
@@ -1072,15 +1072,15 @@ Before parsing XML files with associated DTDs, scan for recursive entity declara
 Multi-tier fingerprinting is similar to its predecessor, TCP/IP Fingerprinting (with a scanner such as Nmap) except that it is focused on the Application Layer of the OSI model instead of the Transport Layer. The theory behind this fingerprinting is to create an accurate profile of the target's platform, web application software technology, backend database version, configurations and possibly even their network architecture/topology.</desc>
 	<solution>Implement measures to obfuscate or disguise information about the system's platform, web application software technology, backend database version, configurations, and network architecture/topology. This can include:
 
-1. **Platform and Software Diversity:** Use a mix of technologies and platforms to make it harder for attackers to build an accurate profile.
+- Platform and Software Diversity: Use a mix of technologies and platforms to make it harder for attackers to build an accurate profile.
 
-2. **False Information:** Introduce fake or misleading information in system responses to confuse fingerprinting tools.
+- False Information: Introduce fake or misleading information in system responses to confuse fingerprinting tools.
 
-3. **Response Randomization:** Randomize certain elements in responses to make it difficult for attackers to consistently identify the system.
+- Response Randomization: Randomize certain elements in responses to make it difficult for attackers to consistently identify the system.
 
-4. **Firewall Rules:** Implement firewall rules to block or limit the effectiveness of fingerprinting techniques.
+- Firewall Rules: Implement firewall rules to block or limit the effectiveness of fingerprinting techniques.
 
-5. **Regular Updates:** Keep software, platforms, and configurations up-to-date to patch known vulnerabilities and prevent accurate identification based on outdated information.
+- Regular Updates: Keep software, platforms, and configurations up-to-date to patch known vulnerabilities and prevent accurate identification based on outdated information.
 
 There is no one-size-fits-all solution, and a combination of these measures may be most effective.</solution>
 	<reference>https://cwe.mitre.org/data/definitions/205.html</reference>
@@ -1119,12 +1119,12 @@ A Web application should invalidate a session after a predefined idle time has p
 	<alert>Insecure Indexing</alert>
 	<desc>Insecure Indexing is a threat to the data confidentiality of the web-site. Indexing web-site contents via a process that has access to files which are not supposed to be publicly accessible has the potential of leaking information about the existence of such files, and about their content. In the process of indexing, such information is collected and stored by the indexing process, which can later be retrieved (albeit not trivially) by a determined attacker, typically through a series of queries to the search engine. The attacker does not thwart the security model of the search engine. As such, this attack is subtle and very hard to detect and to foil - it’s not easy to distinguish the attacker’s queries from a legitimate user’s queries.</desc>
 	<solution>Implement measures to secure indexing processes and prevent unauthorized access to sensitive information. The following strategies can be considered:
-1. **Access Controls:** Review and restrict access permissions for the indexing process to ensure it only accesses and indexes files that are intended to be publicly available.
-2. **Robot Exclusion Standard (robots.txt):** Use the robots.txt file to explicitly specify which areas of the website should not be indexed by search engines.
-3. **Authentication Requirements:** Implement authentication mechanisms for accessing sensitive files, ensuring that only authorized users or processes can retrieve them.
-4. **File Encryption:** Encrypt sensitive files to protect their content, even if an unauthorized user gains access to the files.
-5. **URL Redaction:** Avoid including sensitive information in URLs or filenames that might be exposed during indexing.
-6. **Security Headers:** Utilize security headers (e.g., Content Security Policy) to control how browsers and search engines interact with your website.
+- Access Controls: Review and restrict access permissions for the indexing process to ensure it only accesses and indexes files that are intended to be publicly available.
+- Robot Exclusion Standard (robots.txt): Use the robots.txt file to explicitly specify which areas of the website should not be indexed by search engines.
+- Authentication Requirements: Implement authentication mechanisms for accessing sensitive files, ensuring that only authorized users or processes can retrieve them.
+- File Encryption: Encrypt sensitive files to protect their content, even if an unauthorized user gains access to the files.
+- URL Redaction: Avoid including sensitive information in URLs or filenames that might be exposed during indexing.
+- Security Headers: Utilize security headers (e.g., Content Security Policy) to control how browsers and search engines interact with your website.
 
 A proactive and layered approach to security is crucial for safeguarding against Insecure Indexing.</solution>
 	<reference>https://cwe.mitre.org/data/definitions/612.html</reference>
