inno-devops-labs · IviUnicorn · Oct 17, 2025 · Jun 26, 2026
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -0,0 +1,22 @@
+## Goal
+<!-- Clearly describe the purpose and objective of this pull request. What problem does it solve or what feature does it add? -->
+
+## Changes
+<!-- List the key changes made in this PR. Bullet points are preferred. -->
+
+## Testing
+<!-- Describe how you tested these changes. Include any relevant test scenarios, steps to reproduce testing, or test results. -->
+
+## Artifacts & Screenshots
+<!-- Add any relevant screenshots, videos, or other visual artifacts that demonstrate the changes. -->
+
+## Checklist
+
+- [ ] PR has a clear, descriptive title
+- [ ] Documentation has been updated if applicable
+- [ ] No secrets or large temporary files are included in the changes
+
+---
+
+<!-- Example commit message for reference: -->
+<!-- docs: add PR template -->
diff --git a/labs/assets/homepage.jpg b/labs/assets/homepage.jpg
diff --git a/labs/lab5/.gitignore b/labs/lab5/.gitignore
@@ -0,0 +1 @@
+semgrep/juice-shop/
diff --git a/labs/lab5/analysis/correlation.txt b/labs/lab5/analysis/correlation.txt
@@ -0,0 +1,6 @@
+=== SAST/DAST Correlation Report ===
+SAST findings (Semgrep): 26
+ZAP findings: 12 unique types / 87 instances
+Nuclei findings: 22
+Nikto findings: 14
+SQLmap: SQLi confirmed (see sqlmap/ output)
diff --git a/labs/lab5/analysis/dast-analysis.txt b/labs/lab5/analysis/dast-analysis.txt
@@ -0,0 +1,5 @@
+=== DAST Analysis Report ===
+ZAP unique alert types: 12 (87 raw instances)
+Nuclei findings: 22
+Nikto findings: 14
+SQLmap: SQL injection CONFIRMED on GET param 'q' (boolean-based blind + time-based blind, SQLite)
diff --git a/labs/lab5/analysis/sast-analysis.txt b/labs/lab5/analysis/sast-analysis.txt
@@ -0,0 +1,4 @@
+=== SAST Analysis Report ===
+Semgrep total findings: 26
+      8 ERROR
+     18 WARNING
diff --git a/labs/lab5/nikto/nikto-console.log b/labs/lab5/nikto/nikto-console.log
@@ -0,0 +1,25 @@
+- Nikto v2.1.5
+---------------------------------------------------------------------------
++ Target IP:          127.0.0.1
++ Target Hostname:    localhost
++ Target Port:        3001
++ Start Time:         2026-06-26 20:46:16 (GMT0)
+---------------------------------------------------------------------------
++ Server: No banner retrieved
++ Server leaks inodes via ETags, header found with file /, fields: 0xW/124fa 0x19f05a4be56 
++ Uncommon header 'access-control-allow-origin' found, with contents: *
++ Uncommon header 'x-recruiting' found, with contents: /#/jobs
++ Uncommon header 'x-content-type-options' found, with contents: nosniff
++ Uncommon header 'feature-policy' found, with contents: payment 'self'
++ Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
++ No CGI Directories found (use '-C all' to force check all possible dirs)
++ File/dir '/ftp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
++ "robots.txt" contains 1 entry which should be manually viewed.
++ Uncommon header 'access-control-allow-methods' found, with contents: GET,HEAD,PUT,PATCH,POST,DELETE
++ OSVDB-3092: /css: This might be interesting...
++ OSVDB-3092: /ftp/: This might be interesting...
++ OSVDB-3092: /public/: This might be interesting...
++ 6544 items checked: 2 error(s) and 12 item(s) reported on remote host
++ End Time:           2026-06-26 20:47:29 (GMT0) (73 seconds)
+---------------------------------------------------------------------------
++ 1 host(s) tested
diff --git a/labs/lab5/nikto/nikto-results.txt b/labs/lab5/nikto/nikto-results.txt
@@ -0,0 +1,15 @@
+- Nikto v2.1.5/2.1.5
++ Target Host: localhost
++ Target Port: 3001
++ GET /: Server leaks inodes via ETags, header found with file /, fields: 0xW/124fa 0x19f05a4be56 
++ GET /: Uncommon header 'access-control-allow-origin' found, with contents: *
++ GET /: Uncommon header 'x-recruiting' found, with contents: /#/jobs
++ GET /: Uncommon header 'x-content-type-options' found, with contents: nosniff
++ GET /: Uncommon header 'feature-policy' found, with contents: payment 'self'
++ GET /: Uncommon header 'x-frame-options' found, with contents: SAMEORIGIN
++ GET //ftp/: File/dir '/ftp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
++ GET /robots.txt: "robots.txt" contains 1 entry which should be manually viewed.
++ OPTIONS *: Uncommon header 'access-control-allow-methods' found, with contents: GET,HEAD,PUT,PATCH,POST,DELETE
++ -3092: GET /css: /css: This might be interesting...
++ -3092: GET /ftp/: /ftp/: This might be interesting...
++ -3092: GET /public/: /public/: This might be interesting...
diff --git a/labs/lab5/nuclei/nuclei-results.json b/labs/lab5/nuclei/nuclei-results.json
diff --git a/labs/lab5/semgrep/semgrep-json.log b/labs/lab5/semgrep/semgrep-json.log
@@ -0,0 +1,38 @@
+
+
+┌─────────────┐
+│ Scan Status │
+└─────────────┘
+  Scanning 910 files tracked by git with 674 Code rules:
+
+  Language      Rules   Files          Origin      Rules                                                                
+ ─────────────────────────────        ───────────────────                                                               
+  <multilang>      27     607          Community     674                                                                
+  ts               84     471                                                                                           
+  json              3     103                                                                                           
+  yaml             19      87                                                                                           
+  html              1      76                                                                                           
+  solidity          1      17                                                                                           
+  js               78      13                                                                                           
+  dockerfile        4       1                                                                                           
+  bash              1       1                                                                                           
+
+
+
+┌──────────────┐
+│ Scan Summary │
+└──────────────┘
+✅ Scan completed successfully.
+ • Findings: 26 (26 blocking)
+ • Rules run: 140
+ • Targets scanned: 910
+ • Parsed lines: ~99.9%
+ • Scan skipped: 
+   ◦ Files larger than  files 1.0 MB: 8
+   ◦ Files matching .semgrepignore patterns: 139
+ • Scan was limited to files tracked by git
+ • For a detailed list of skipped files and lines, run semgrep with the --verbose flag
+Ran 140 rules on 910 files: 26 findings.
+
+📢 Too many findings? Try Semgrep Pro for more powerful queries and less noise.
+   See https://sg.run/false-positives.