2021-06-23: ZAP Automation Framework troubleshooting
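---
# OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
#
# Layout: `env` describes the target context(s) and the run-control flags;
# `jobs` is an ordered list that ZAP runs top to bottom. A key left with no
# value is null, which the framework treats as "use the default named in the
# comment"; it is not the same as an empty string or an empty list.
env:  # The environment, mandatory
  contexts:  # List of 1 or more contexts, mandatory
    - name: context 1  # Name to be used to refer to this context in other jobs, mandatory
      url: http://demo.testfire.net  # The top level url, mandatory, everything under this will be included
      includePaths:  # TBA: An optional list of regexes to include
      excludePaths:  # TBA: An optional list of regexes to exclude
      authentication:  # TBA: In time to cover all auth configs
  parameters:
    failOnError: true  # If set exit on an error
    failOnWarning: false  # If set exit on a warning
    progressToStdout: true  # If set will write job progress to stdout
jobs:
  - type: addOns  # Add-on management
    parameters:
      updateAddOns: false  # Update any add-ons that have new versions
    install:  # A list of non standard add-ons to install from the ZAP Marketplace
      - ascanrules
      - ascanrulesAlpha
      - pscanrulesBeta
      - domxss
      - graphql
      - openapi
      - reflect
      - reports
      - soap
      - spiderAjax
    uninstall:  # A list of standard add-ons to uninstall
  - type: passiveScan-config  # Passive scan configuration
    parameters:
      # A rule that reaches this cap is disabled for the rest of the run; the
      # run log reports each one as "Disabling passive scanner ... more than 10 alerts".
      maxAlertsPerRule: 10  # Int: Maximum number of alerts to raise per rule
      scanOnlyInScope: true  # Bool: Only scan URLs in scope (recommended)
      maxBodySizeInBytesToScan:  # Int: Maximum body size to scan, default: 0 - will scan all messages
    rules:  # A list of one or more passive scan rules and associated settings which override the defaults
  - type: spider  # The traditional spider - fast but doesn't handle modern apps so well
    parameters:
      context:  # String: Name of the context to spider, default: first context
      url:  # String: Url to start spidering from, default: first context URL
      failIfFoundUrlsLessThan:  # Int: Fail if spider finds less than the specified number of URLs, default: 0
      warnIfFoundUrlsLessThan:  # Int: Warn if spider finds less than the specified number of URLs, default: 0
      maxDuration:  # Int: The max time in minutes the spider will be allowed to run for, default: 0 unlimited
      maxDepth:  # Int: The maximum tree depth to explore, default 5
      maxChildren:  # Int: The maximum number of children to add to each node in the tree
      acceptCookies:  # Bool: Whether the spider will accept cookies, default: true
      handleODataParametersVisited:  # Bool: Whether the spider will handle OData responses, default: false
      handleParameters:  # Enum [ignore_completely, ignore_value, use_all]: How query string parameters are used when checking if a URI has already been visited, default: use_all
      maxParseSizeBytes:  # Int: The max size of a response that will be parsed, default: 2621440 - 2.5 Mb
      parseComments:  # Bool: Whether the spider will parse HTML comments in order to find URLs, default: true
      parseGit:  # Bool: Whether the spider will parse Git metadata in order to find URLs, default: false
      parseRobotsTxt:  # Bool: Whether the spider will parse 'robots.txt' files in order to find URLs, default: true
      parseSitemapXml:  # Bool: Whether the spider will parse 'sitemap.xml' files in order to find URLs, default: true
      parseSVNEntries:  # Bool: Whether the spider will parse SVN metadata in order to find URLs, default: false
      postForm:  # Bool: Whether the spider will submit POST forms, default: true
      processForm:  # Bool: Whether the spider will process forms, default: true
      requestWaitTime:  # Int: The time between the requests sent to a server in milliseconds, default: 200
      sendRefererHeader:  # Bool: Whether the spider will send the referer header, default: true
      threadCount:  # Int: The number of spider threads, default: 2
      # An explicit empty string is logged as "set userAgent = " and still
      # means "use the default ZAP user agent".
      userAgent: ''  # String: The user agent to use in requests, default: '' - use the default ZAP one
  - type: passiveScan-wait  # Passive scan wait for the passive scanner to finish
    parameters:
      maxDuration: 1  # Int: The max time (minutes) to wait for the passive scanner, default: 0 unlimited
  - type: activeScan  # The active scanner - this actively attacks the target so should only be used with permission
    parameters:
      context:  # String: Name of the context to attack, default: first context
      policy:  # String: Name of the scan policy to be used, default: Default Policy
      maxRuleDurationInMins:  # Int: The max time in minutes any individual rule will be allowed to run for, default: 0 unlimited
      maxScanDurationInMins:  # Int: The max time in minutes the active scanner will be allowed to run for, default: 0 unlimited
      addQueryParam:  # Bool: If set will add an extra query parameter to requests that do not have one, default: false
      defaultPolicy:  # String: The name of the default scan policy to use, default: Default Policy
      delayInMs:  # Int: The delay in milliseconds between each request, use to reduce the strain on the target, default 0
      handleAntiCSRFTokens:  # Bool: If set then automatically handle anti CSRF tokens, default: false
      injectPluginIdInHeader:  # Bool: If set then the relevant rule Id will be injected into the X-ZAP-Scan-ID header of each request, default: false
      scanHeadersAllRequests:  # Bool: If set then the headers of requests that do not include any parameters will be scanned, default: false
      threadPerHost:  # Int: The max number of threads per host, default: 2
    policyDefinition:  # The policy definition - only used if the 'policy' is not set
      defaultStrength: Low  # String: The default Attack Strength for all rules, one of Low, Medium, High, Insane (not recommended), default: Medium
      # Quoted on purpose: to a YAML 1.1 loader an unquoted `Off` is the
      # boolean false, not the string "Off" this setting expects. Quoting
      # keeps the literal value.
      defaultThreshold: 'Off'  # String: The default Alert Threshold for all rules, one of Off, Low, Medium, High, default: Medium
      # With the default threshold at Off, only the rules listed here run.
      rules:  # A list of one or more active scan rules and associated settings which override the defaults
        - id: 20012
          threshold: Medium
          strength: Medium
  - type: report  # Report generation
    parameters:
      template: traditional-json  # String: The template id, default : traditional-html
      reportDir: /tmp/zap/  # String: The directory into which the report will be written
      reportFile:  # String: The report file name pattern, default: {yyyy-MM-dd}-ZAP-Report-[[site]]
      reportTitle:  # String: The report title
      reportDescription:  # String: The report description
      displayReport:  # Boolean: Display the report when generated, default: false
    risks:  # List: The risks to include in this report, default all
      - high
      - medium
      - low
      - info
    confidences:  # List: The confidences to include in this report, default all
      - high
      - medium
      - low
      - falsepositive
    sections:  # List: The template sections to include in this report - see the relevant template, default all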
2021-06-23 16:50:41,099 [main ] INFO CommandLineBootstrap - OWASP ZAP D-2021-05-03 started 23/06/2021, 16:50:41 with home /tmp/zap/ | |
2021-06-23 16:50:41,142 [main ] INFO SSLConnector - Reading supported SSL/TLS protocols... | |
2021-06-23 16:50:41,143 [main ] INFO SSLConnector - Using a SSLEngine... | |
2021-06-23 16:50:41,270 [main ] INFO SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3] | |
2021-06-23 16:50:41,274 [main ] INFO OptionsParamCertificate - Unsafe SSL renegotiation disabled. | |
2021-06-23 16:50:41,750 [main ] INFO ENGINE - dataFileCache open start | |
2021-06-23 16:50:41,766 [main ] INFO ENGINE - dataFileCache commit start | |
2021-06-23 16:50:41,769 [main ] INFO ENGINE - dataFileCache commit end | |
2021-06-23 16:50:41,771 [main ] INFO ENGINE - dataFileCache open end | |
2021-06-23 16:50:41,816 [main ] INFO ExtensionFactory - Loading extensions | |
2021-06-23 16:50:43,494 [main ] INFO ExtensionFactory - Installed add-ons: [[id=accessControl, version=7.0.0], [id=alertFilters, version=11.0.0], [id=ascanrules, version=40.0.0], [id=ascanrulesAlpha, version=31.0.0], [id=ascanrulesBeta, version=34.0.0], [id=automation, version=0.3.0], [id=bruteforce, version=11.0.0], [id=commonlib, version=1.3.0], [id=coreLang, version=14.0.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=11.0.0], [id=encoder, version=0.6.0], [id=formhandler, version=4.0.0], [id=fuzz, version=13.2.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.4.0], [id=help, version=12.0.0], [id=hud, version=0.13.0], [id=importurls, version=8.0.0], [id=invoke, version=11.0.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=19.0.0], [id=plugnhack, version=12.0.0], [id=portscan, version=9.0.0], [id=pscanrules, version=34.0.0], [id=pscanrulesAlpha, version=31.0.0], [id=pscanrulesBeta, version=25.0.0], [id=quickstart, version=30.0.0], [id=reflect, version=0.0.11], [id=replacer, version=9.0.0], [id=reports, version=0.3.0], [id=retire, version=0.8.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=6.0.0], [id=savexmlmessage, version=0.2.0], [id=scripts, version=29.0.0], [id=selenium, version=15.4.0], [id=sequence, version=6.0.0], [id=soap, version=7.0.0], [id=spiderAjax, version=23.4.0], [id=tips, version=8.0.0], [id=webdriverlinux, version=29.0.0], [id=webdrivermacos, version=29.0.0], [id=webdriverwindows, version=29.0.0], [id=websocket, version=24.0.0], [id=zest, version=35.0.0]] | |
2021-06-23 16:50:44,483 [main ] INFO ExtensionFactory - Extensions loaded | |
2021-06-23 16:50:44,945 [main ] INFO ExtensionLoader - Initializing Allows ZAP to check for updates | |
2021-06-23 16:50:44,951 [main ] INFO ExtensionLoader - Initializing Options Extension | |
2021-06-23 16:50:44,952 [main ] INFO ExtensionLoader - Initializing Edit Menu Extension | |
2021-06-23 16:50:44,954 [main ] INFO ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP | |
2021-06-23 16:50:44,964 [main ] INFO ExtensionLoader - Initializing Session State Extension | |
2021-06-23 16:50:44,966 [main ] INFO ExtensionLoader - Initializing Report Extension | |
2021-06-23 16:50:44,968 [main ] INFO ExtensionLoader - Initializing History Extension | |
2021-06-23 16:50:44,971 [main ] INFO ExtensionLoader - Initializing Show hidden fields and enable disabled fields | |
2021-06-23 16:50:44,973 [main ] INFO ExtensionLoader - Initializing Search messages for strings and regular expressions | |
2021-06-23 16:50:44,977 [main ] INFO ExtensionLoader - Initializing Allows you to intercept and modify requests and responses | |
2021-06-23 16:50:44,980 [main ] INFO ExtensionLoader - Initializing Passive scanner | |
2021-06-23 16:50:45,123 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules | |
2021-06-23 16:50:45,125 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule | |
2021-06-23 16:50:45,127 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library | |
2021-06-23 16:50:45,128 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure | |
2021-06-23 16:50:45,132 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control Header Set | |
2021-06-23 16:50:45,139 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch | |
2021-06-23 16:50:45,140 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: CSP | |
2021-06-23 16:50:45,142 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing | |
2021-06-23 16:50:45,144 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag | |
2021-06-23 16:50:45,145 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie | |
2021-06-23 16:50:45,147 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie Without SameSite Attribute | |
2021-06-23 16:50:45,148 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag | |
2021-06-23 16:50:45,151 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration | |
2021-06-23 16:50:45,152 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion | |
2021-06-23 16:50:45,154 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens | |
2021-06-23 16:50:45,155 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure | |
2021-06-23 16:50:45,158 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite | |
2021-06-23 16:50:45,159 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages | |
2021-06-23 16:50:45,160 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL | |
2021-06-23 16:50:45,162 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header | |
2021-06-23 16:50:45,163 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments | |
2021-06-23 16:50:45,165 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method | |
2021-06-23 16:50:45,167 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState | |
2021-06-23 16:50:45,169 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content | |
2021-06-23 16:50:45,170 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure | |
2021-06-23 16:50:45,172 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Username Hash Found | |
2021-06-23 16:50:45,174 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Viewstate | |
2021-06-23 16:50:45,176 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header | |
2021-06-23 16:50:45,177 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing | |
2021-06-23 16:50:45,179 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak | |
2021-06-23 16:50:45,181 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-Frame-Options Header | |
2021-06-23 16:50:45,182 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s) | |
2021-06-23 16:50:45,185 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection | |
2021-06-23 16:50:45,187 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak) | |
2021-06-23 16:50:45,189 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set | |
2021-06-23 16:50:45,191 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Directory Browsing | |
2021-06-23 16:50:45,195 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure | |
2021-06-23 16:50:45,196 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative) | |
2021-06-23 16:50:45,198 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post | |
2021-06-23 16:50:45,200 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post | |
2021-06-23 16:50:45,202 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing | |
2021-06-23 16:50:45,204 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Modern Web Application | |
2021-06-23 16:50:45,206 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: PII Disclosure | |
2021-06-23 16:50:45,208 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache | |
2021-06-23 16:50:45,209 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header | |
2021-06-23 16:50:45,211 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override | |
2021-06-23 16:50:45,213 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header | |
2021-06-23 16:50:45,215 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset | |
2021-06-23 16:50:45,217 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning | |
2021-06-23 16:50:45,219 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS) | |
2021-06-23 16:50:45,221 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS) | |
2021-06-23 16:50:45,223 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Open Redirect | |
2021-06-23 16:50:45,226 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak | |
2021-06-23 16:50:45,227 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak | |
2021-06-23 16:50:45,229 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Base64 Disclosure | |
2021-06-23 16:50:45,231 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Content Cacheability | |
2021-06-23 16:50:45,233 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: An example passive scan rule which loads data from a file. | |
2021-06-23 16:50:45,237 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Example Passive Scan Rule: Denial of Service | |
2021-06-23 16:50:45,239 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: In Page Banner Information Leak | |
2021-06-23 16:50:45,241 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Dangerous JS Functions | |
2021-06-23 16:50:45,242 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Java Serialization Object | |
2021-06-23 16:50:45,244 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Permissions Policy Header Not Set | |
2021-06-23 16:50:45,246 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Insufficient Site Isolation Against Spectre Vulnerability | |
2021-06-23 16:50:45,254 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Source Code Disclosure | |
2021-06-23 16:50:45,256 [main ] INFO ExtensionPassiveScan - loaded passive scan rule: Sub Resource Integrity Attribute Missing | |
2021-06-23 16:50:45,299 [main ] INFO ExtensionLoader - Initializing Allows you to view and manage alerts | |
2021-06-23 16:50:45,305 [main ] INFO ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added | |
2021-06-23 16:50:45,315 [main ] INFO ExtensionLoader - Initializing ExtensionSequence | |
2021-06-23 16:50:45,317 [main ] INFO ExtensionLoader - Initializing Spider used for automatically finding URIs on a site | |
2021-06-23 16:50:45,326 [main ] INFO ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks | |
2021-06-23 16:50:45,327 [main ] INFO ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool | |
2021-06-23 16:50:45,331 [main ] INFO ExtensionLoader - Initializing Simple but effective port scanner | |
2021-06-23 16:50:45,334 [main ] INFO ExtensionLoader - Initializing Manual Request Editor Extension | |
2021-06-23 16:50:45,335 [main ] INFO ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences | |
2021-06-23 16:50:45,337 [main ] INFO ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters | |
2021-06-23 16:50:45,339 [main ] INFO ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens | |
2021-06-23 16:50:45,344 [main ] INFO ExtensionLoader - Initializing Authentication Extension | |
2021-06-23 16:50:45,373 [main ] INFO ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication] | |
2021-06-23 16:50:45,405 [main ] INFO ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser | |
2021-06-23 16:50:45,761 [main ] INFO ExtensionLoader - Initializing Logs errors to the Output tab in development mode only | |
2021-06-23 16:50:45,762 [main ] INFO ExtensionLoader - Initializing Users Extension | |
2021-06-23 16:50:45,771 [main ] INFO ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies | |
2021-06-23 16:50:45,774 [main ] INFO ExtensionLoader - Initializing Script integration | |
2021-06-23 16:50:45,786 [main ] INFO ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages | |
2021-06-23 16:50:46,115 [main ] INFO ExtensionLoader - Initializing Forced User Extension | |
2021-06-23 16:50:46,118 [main ] INFO ExtensionLoader - Initializing Extension handling HTTP sessions | |
2021-06-23 16:50:46,123 [main ] INFO ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools | |
2021-06-23 16:50:46,530 [main ] INFO ExtensionLoader - Initializing ExtensionDiff | |
2021-06-23 16:50:46,531 [main ] INFO ExtensionLoader - Initializing HTTP Panel Post Table View Extension | |
2021-06-23 16:50:46,533 [main ] INFO ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP. | |
2021-06-23 16:50:46,535 [main ] INFO ExtensionLoader - Initializing Simple browser configuration | |
2021-06-23 16:50:46,536 [main ] INFO ExtensionLoader - Initializing Session Management Extension | |
2021-06-23 16:50:46,546 [main ] INFO ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management] | |
2021-06-23 16:50:46,549 [main ] INFO ExtensionLoader - Initializing HTTP Panel Form Table View Extension | |
2021-06-23 16:50:46,550 [main ] INFO ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints. | |
2021-06-23 16:50:46,580 [main ] INFO ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree | |
2021-06-23 16:50:46,584 [main ] INFO ExtensionLoader - Initializing Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree. | |
2021-06-23 16:50:46,586 [main ] INFO ExtensionLoader - Initializing Core UI related functionality. | |
2021-06-23 16:50:46,588 [main ] INFO ExtensionLoader - Initializing Authorization Extension | |
2021-06-23 16:50:46,589 [main ] INFO ExtensionLoader - Initializing AJAX Spider, uses Crawljax | |
2021-06-23 16:50:46,592 [main ] INFO ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser. | |
2021-06-23 16:50:46,601 [main ] INFO ExtensionLoader - Initializing Manages the local proxy configurations | |
2021-06-23 16:50:46,604 [main ] INFO ExtensionLoader - Initializing Add-on that adds a set of tools for testing access control in web applications. | |
2021-06-23 16:50:46,607 [main ] INFO ExtensionLoader - Initializing Handles adding Global Excluded URLs | |
2021-06-23 16:50:46,609 [main ] INFO ExtensionLoader - Initializing Adds menu item to refresh the Sites tree | |
2021-06-23 16:50:46,610 [main ] INFO ExtensionLoader - Initializing OWASP ZAP User Guide | |
2021-06-23 16:50:46,610 [main ] INFO ExtensionLoader - Initializing Provides a URL suitable for calling from target sites | |
2021-06-23 16:50:46,614 [main ] INFO ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts | |
2021-06-23 16:50:46,615 [main ] INFO ExtensionLoader - Initializing Combined HTTP Panels Extension | |
2021-06-23 16:50:46,616 [main ] INFO ExtensionLoader - Initializing HTTP Panel Hex View Extension | |
2021-06-23 16:50:46,617 [main ] INFO ExtensionLoader - Initializing HTTP Panel Image View Extension | |
2021-06-23 16:50:46,618 [main ] INFO ExtensionLoader - Initializing HTTP Panel Large Request View Extension | |
2021-06-23 16:50:46,619 [main ] INFO ExtensionLoader - Initializing HTTP Panel Large Response View Extension | |
2021-06-23 16:50:46,619 [main ] INFO ExtensionLoader - Initializing HTTP Panel Query Table View Extension | |
2021-06-23 16:50:46,620 [main ] INFO ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension | |
2021-06-23 16:50:46,621 [main ] INFO ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus. | |
2021-06-23 16:50:46,622 [main ] INFO ExtensionLoader - Initializing Active and passive rule configuration | |
2021-06-23 16:50:46,625 [main ] INFO ExtensionLoader - Initializing Statistics | |
2021-06-23 16:50:46,628 [main ] INFO ExtensionStats - Start recording in memory stats | |
2021-06-23 16:50:46,630 [main ] INFO ExtensionLoader - Initializing Custom Pages Definition | |
2021-06-23 16:50:46,631 [main ] INFO ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints. | |
2021-06-23 16:50:46,638 [main ] INFO ExtensionLoader - Initializing GraphQL Automation Framework Integration | |
2021-06-23 16:50:46,640 [main ] INFO ExtensionLoader - Initializing Easy way to replace strings in requests and responses | |
2021-06-23 16:50:46,648 [main ] INFO ExtensionLoader - Initializing Context alert rules filter | |
2021-06-23 16:50:46,653 [main ] INFO ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations. | |
2021-06-23 16:50:46,655 [main ] INFO ExtensionLoader - Initializing Allows to fuzz HTTP messages. | |
2021-06-23 16:50:46,657 [main ] INFO ExtensionLoader - Initializing Allows to fuzz WebSocket messages. | |
2021-06-23 16:50:46,659 [main ] INFO ExtensionLoader - Initializing Ajax Spider Automation Framework Integration | |
2021-06-23 16:50:46,662 [main ] INFO ExtensionLoader - Initializing Passive Scan Rules | |
2021-06-23 16:50:46,663 [main ] INFO ExtensionLoader - Initializing SOAP Automation Framework Integration | |
2021-06-23 16:50:46,666 [main ] INFO ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications | |
2021-06-23 16:50:46,671 [main ] INFO ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan | |
2021-06-23 16:50:46,673 [main ] INFO ExtensionLoader - Initializing Launch browsers proxying through ZAP | |
2021-06-23 16:50:46,676 [main ] INFO ExtensionLoader - Initializing Launch browsers proxying through ZAP | |
2021-06-23 16:50:46,683 [main ] INFO ExtensionLoader - Initializing The ZAP Getting Started Guide | |
2021-06-23 16:50:46,684 [main ] INFO ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders. | |
2021-06-23 16:50:46,691 [main ] INFO ExtensionLoader - Initializing Automation Framework | |
2021-06-23 16:50:46,694 [main ] INFO ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions | |
2021-06-23 16:50:46,725 [main ] INFO ExtensionLoader - Initializing OpenAPI Automation Framework Integration | |
2021-06-23 16:50:46,727 [main ] INFO ExtensionLoader - Initializing The Online menu links | |
2021-06-23 16:50:46,729 [main ] INFO ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage | |
2021-06-23 16:50:46,730 [main ] INFO ExtensionLoader - Initializing Heads Up Display | |
2021-06-23 16:50:47,044 [main ] INFO ExtensionLoader - Initializing ExtensionHUDlaunch | |
2021-06-23 16:50:47,047 [main ] INFO ExtensionLoader - Initializing ExtensionSaveRawHttpMessage | |
2021-06-23 16:50:47,048 [main ] INFO ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting. | |
2021-06-23 16:50:47,948 [main ] INFO ExtensionLoader - Initializing Translations of the core language files | |
2021-06-23 16:50:47,950 [main ] INFO ExtensionLoader - Initializing Passive Scan Rules - beta | |
2021-06-23 16:50:47,953 [main ] INFO ExtensionLoader - Initializing DOM XSS Active Scan Rule | |
2021-06-23 16:50:48,091 [main ] INFO ExtensionLoader - Initializing Active Scan Rules - beta | |
2021-06-23 16:50:48,092 [main ] INFO ExtensionLoader - Initializing Tips and Tricks | |
2021-06-23 16:50:48,094 [main ] INFO ExtensionLoader - Initializing Active Scan Rules | |
2021-06-23 16:50:48,096 [main ] INFO ExtensionLoader - Initializing Active Scan Rules - alpha | |
2021-06-23 16:50:48,097 [main ] INFO ExtensionLoader - Initializing Passive Scan Rules - alpha | |
2021-06-23 16:50:48,098 [main ] INFO ExtensionLoader - Initializing Finds reflected parameters. | |
2021-06-23 16:50:48,099 [main ] INFO ExtensionLoader - Initializing Report Generation | |
2021-06-23 16:50:48,104 [main ] INFO ExtensionLoader - Initializing Report Generation Automation Integration | |
2021-06-23 16:50:48,144 [main ] INFO ExtensionCallback - Started callback server on 0.0.0.0:40223 | |
2021-06-23 16:50:48,561 [main ] INFO CommandLine - Job addOns set updateAddOns = false | |
2021-06-23 16:50:48,562 [main ] INFO CommandLine - Job addOns started | |
2021-06-23 16:50:49,568 [main ] INFO CommandLine - Add-on already installed: /tmp/zap/plugin/ascanrules-release-40.zap | |
2021-06-23 16:50:49,570 [main ] INFO CommandLine - Add-on already installed: /tmp/zap/plugin/ascanrulesAlpha-alpha-31.zap | |
2021-06-23 16:50:49,573 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/pscanrulesBeta-beta-25.zap | |
2021-06-23 16:50:49,574 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/domxss-beta-11.zap | |
2021-06-23 16:50:49,575 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/graphql-alpha-0.4.0.zap | |
2021-06-23 16:50:49,576 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/openapi-beta-19.zap | |
2021-06-23 16:50:49,578 [main ] INFO CommandLine - Add-on already installed: /tmp/zap/plugin/reflect-alpha-0.0.11.zap | |
2021-06-23 16:50:49,579 [main ] INFO CommandLine - Add-on already installed: /tmp/zap/plugin/reports-beta-0.3.0.zap | |
2021-06-23 16:50:49,581 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/soap-alpha-7.zap | |
2021-06-23 16:50:49,586 [main ] INFO CommandLine - Add-on already installed: /zap/./plugin/spiderAjax-release-23.4.0.zap | |
2021-06-23 16:50:49,588 [main ] INFO CommandLine - Job addOns finished | |
2021-06-23 16:50:49,595 [main ] INFO CommandLine - Job passiveScan-config set maxAlertsPerRule = 10 | |
2021-06-23 16:50:49,600 [main ] INFO CommandLine - Job passiveScan-config set scanOnlyInScope = true | |
2021-06-23 16:50:49,601 [main ] INFO CommandLine - Job passiveScan-config started | |
2021-06-23 16:50:49,603 [main ] INFO CommandLine - Job passiveScan-config finished | |
2021-06-23 16:50:49,611 [main ] INFO CommandLine - Job spider set userAgent = | |
2021-06-23 16:50:49,615 [main ] INFO CommandLine - Job spider started | |
2021-06-23 16:50:49,623 [ZAP-SpiderInitThread-0] INFO SpiderThread - Starting spidering scan on Context: context 1 at Wed Jun 23 16:50:49 UTC 2021 | |
2021-06-23 16:50:49,628 [ZAP-SpiderInitThread-0] INFO Spider - Spider initializing... | |
2021-06-23 16:50:49,665 [ZAP-SpiderInitThread-0] INFO Spider - Starting spider... | |
2021-06-23 16:50:56,682 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner Absence of Anti-CSRF Tokens as it has raised more than 10 alerts. | |
2021-06-23 16:50:56,898 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner Content Security Policy (CSP) Header Not Set as it has raised more than 10 alerts. | |
2021-06-23 16:50:56,912 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner HTTP Server Response Header as it has raised more than 10 alerts. | |
2021-06-23 16:50:56,924 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner Content Cacheability as it has raised more than 10 alerts. | |
2021-06-23 16:50:56,930 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner Permissions Policy Header Not Set as it has raised more than 10 alerts. | |
2021-06-23 16:50:57,064 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner X-Content-Type-Options Header Missing as it has raised more than 10 alerts. | |
2021-06-23 16:50:57,088 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner X-Frame-Options Header as it has raised more than 10 alerts. | |
2021-06-23 16:50:58,504 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner Timestamp Disclosure as it has raised more than 10 alerts. | |
2021-06-23 16:51:01,020 [ZAP-SpiderThreadPool-0-thread-1] INFO Spider - Spidering process is complete. Shutting down... | |
2021-06-23 16:51:01,024 [ZAP-SpiderShutdownThread-0] INFO SpiderThread - Spider scanning complete: true | |
2021-06-23 16:51:01,136 [main ] INFO CommandLine - Job spider found 206 URLs | |
2021-06-23 16:51:01,138 [main ] INFO CommandLine - Job spider finished | |
2021-06-23 16:51:01,139 [main ] INFO CommandLine - Job passiveScan-wait set maxDuration = 1 | |
2021-06-23 16:51:01,140 [main ] INFO CommandLine - Job passiveScan-wait started | |
2021-06-23 16:51:12,460 [ZAP-PassiveScanner] INFO PassiveScanThread - Disabling passive scanner Information Disclosure - Suspicious Comments as it has raised more than 10 alerts. | |
2021-06-23 16:51:13,632 [main ] INFO CommandLine - Job passiveScan-wait finished | |
2021-06-23 16:51:13,637 [main ] INFO CommandLine - Job activeScan started | |
2021-06-23 16:51:13,658 [main ] INFO CommandLine - Job activeScan set default strength to LOW | |
2021-06-23 16:51:13,661 [main ] INFO CommandLine - Job activeScan set default threshold to OFF | |
2021-06-23 16:51:13,663 [main ] INFO CommandLine - Job activeScan set rule 20,012 strength to MEDIUM | |
2021-06-23 16:51:13,664 [main ] INFO CommandLine - Job activeScan set rule 20,012 threshold to MEDIUM | |
2021-06-23 16:51:13,670 [main ] INFO Scanner - scanner started | |
2021-06-23 16:51:14,640 [Thread-6] INFO HostProcess - Scanning 86 node(s) from http://demo.testfire.net | |
2021-06-23 16:51:14,643 [Thread-6] INFO HostProcess - start host http://demo.testfire.net | CsrfTokenScanRule strength MEDIUM threshold MEDIUM | |
2021-06-23 16:51:19,178 [Thread-6] INFO HostProcess - completed host/plugin http://demo.testfire.net | CsrfTokenScanRule in 4.536s with 42 message(s) sent and 42 alert(s) raised. | |
2021-06-23 16:51:19,180 [Thread-6] INFO HostProcess - completed host http://demo.testfire.net in 5.496s with 42 alert(s) raised. | |
2021-06-23 16:51:19,181 [Thread-5] INFO Scanner - scanner completed in 5.51s | |
2021-06-23 16:51:19,682 [main ] INFO CommandLine - Job activeScan finished | |
2021-06-23 16:51:19,684 [main ] INFO CommandLine - Job report set template = traditional-json | |
2021-06-23 16:51:19,686 [main ] INFO CommandLine - Job report set reportDir = /tmp/zap/ | |
2021-06-23 16:51:19,687 [main ] INFO CommandLine - Job report started | |
2021-06-23 16:51:19,850 [main ] ERROR ExtensionAutomation - null | |
java.lang.NullPointerException: null | |
at org.zaproxy.addon.reports.automation.ReportJob.runJob(ReportJob.java:77) ~[?:?] | |
at org.zaproxy.addon.automation.ExtensionAutomation.runPlan(ExtensionAutomation.java:218) ~[automation-alpha-0.3.0.zap:?] | |
at org.zaproxy.addon.automation.ExtensionAutomation.runAutomation(ExtensionAutomation.java:233) ~[automation-alpha-0.3.0.zap:?] | |
at org.zaproxy.addon.automation.ExtensionAutomation.runAutomationFile(ExtensionAutomation.java:244) [automation-alpha-0.3.0.zap:?] | |
at org.zaproxy.addon.automation.ExtensionAutomation.execute(ExtensionAutomation.java:345) [automation-alpha-0.3.0.zap:?] | |
at org.parosproxy.paros.extension.ExtensionLoader.runCommandLine(ExtensionLoader.java:552) [zap-D-2021-05-03.jar:D-2021-05-03] | |
at org.parosproxy.paros.control.Control.runCommandLine(Control.java:399) [zap-D-2021-05-03.jar:D-2021-05-03] | |
at org.zaproxy.zap.CommandLineBootstrap.start(CommandLineBootstrap.java:85) [zap-D-2021-05-03.jar:D-2021-05-03] | |
at org.zaproxy.zap.ZAP.main(ZAP.java:131) [zap-D-2021-05-03.jar:D-2021-05-03] | |
2021-06-23 16:51:19,858 [main ] ERROR CommandLine - Unexpected error accessing file /tmp/zap/zap-template.yaml : null - see log for details | |
2021-06-23 16:51:20,885 [main ] INFO ENGINE - dataFileCache commit start | |
2021-06-23 16:51:21,370 [main ] INFO ENGINE - dataFileCache commit end | |
2021-06-23 16:51:21,394 [main ] INFO ENGINE - Database closed | |
2021-06-23 16:51:21,524 [main ] INFO CommandLineBootstrap - OWASP ZAP D-2021-05-03 terminated. |