Session creation during active scanner


Albert

Jul 11, 2016, 9:58:41 AM
to OWASP ZAP User Group
Hi,

I see that ZAP is creating a new session for every active scanner request, or at least that is what it seems from the zap.log:


2779104 [ZAP-ActiveScanner-0] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
2779125 [ZAP-ActiveScanner-0] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 1,158, active=false, tokenValues='']

Is this a normal behaviour?

Albert

Jul 13, 2016, 8:10:40 AM
to OWASP ZAP User Group
Hi, 

Is this logging behaviour considered acceptable? I also see some Spider exceptions. It seems it is creating a session for every request.

345954 [pool-6-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
345996 [pool-6-thread-1] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 63, active=false, tokenValues='']
346079 [pool-6-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
346100 [pool-6-thread-2] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 64, active=false, tokenValues='']
346149 [pool-6-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
346169 [pool-6-thread-2] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 65, active=false, tokenValues='']
346228 [pool-6-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
346248 [pool-6-thread-1] ERROR org.zaproxy.zap.spider.SpiderTask  - An error occured while fetching the resource: chunked stream ended unexpectedly
java.io.IOException: chunked stream ended unexpectedly
    at org.apache.commons.httpclient.ChunkedInputStream.getChunkSizeFromInputStream(ChunkedInputStream.java:252)
    at org.apache.commons.httpclient.ChunkedInputStream.nextChunk(ChunkedInputStream.java:221)
    at org.apache.commons.httpclient.ChunkedInputStream.read(ChunkedInputStream.java:176)
    at java.io.FilterInputStream.read(Unknown Source)
    at org.apache.commons.httpclient.AutoCloseInputStream.read(AutoCloseInputStream.java:108)
    at java.io.FilterInputStream.read(Unknown Source)
    at org.apache.commons.httpclient.AutoCloseInputStream.read(AutoCloseInputStream.java:127)
    at org.apache.commons.httpclient.HttpMethodBase.getResponseBody(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.send(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAuthenticated(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
    at org.parosproxy.paros.network.HttpSender.sendAndReceive(Unknown Source)
    at org.zaproxy.zap.spider.SpiderTask.fetchResource(Unknown Source)
    at org.zaproxy.zap.spider.SpiderTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
346259 [pool-6-thread-2] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 66, active=false, tokenValues='']
346273 [pool-6-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
346301 [pool-6-thread-2] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 67, active=false, tokenValues='']
346320 [pool-6-thread-2] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
346340 [pool-6-thread-2] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 68, active=false, tokenValues='']
346449 [pool-6-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
346485 [pool-6-thread-1] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 69, active=false, tokenValues='']
346502 [pool-6-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
346547 [pool-6-thread-1] INFO org.zaproxy.zap.extension.https

thc...@gmail.com

Jul 13, 2016, 1:55:34 PM
to zaprox...@googlegroups.com
Hi.

No, sessions initiated by automated authentication attempts should not
be shown in the HTTP Sessions tab (an issue has been raised to address
that [1]).

Regarding the exceptions, either the server is not sending all the
contents or ZAP is not able to correctly process them.


[1] https://github.com/zaproxy/zaproxy/issues/2674

Best regards.

Albert

Jul 21, 2016, 10:03:39 AM
to OWASP ZAP User Group
Hi thc, 

I see this message in ./ZAP/zap.log; I am wondering if that is the normal behavior when spidering and scanning.

I start ZAP from a Java program.
If I have the Java program use ZAP with the UI, I can see all the scans I programmed to run work smoothly.
If I run the same program but using the ZAP daemon, the program eventually gets stuck while scanning at a certain percentage. See below the zap.log at the point where it gets stuck looping.


2016-07-21 15:45:33,200 [Thread-10] INFO  PluginFactory - loaded plugin HTTP Only Site
2016-07-21 15:45:33,200 [Thread-10] INFO  PluginFactory - loaded plugin Proxy Disclosure
2016-07-21 15:45:33,200 [Thread-10] INFO  PluginFactory - loaded plugin HTTPS Content Available via HTTP
2016-07-21 15:45:33,200 [Thread-10] INFO  PluginFactory - loaded plugin Cookie Slack Detector
2016-07-21 15:45:33,206 [Thread-11] INFO  HostProcess - Scanning 33 node(s) from http://targetsite:8080
2016-07-21 15:45:33,206 [Thread-11] INFO  HostProcess - start host http://targetsite:8080 | TestExternalRedirect strength MEDIUM threshold MEDIUM
2016-07-21 15:45:33,448 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,468 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 48, active=false, tokenValues='']
2016-07-21 15:45:33,539 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,559 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 49, active=false, tokenValues='']
2016-07-21 15:45:33,609 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,630 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 50, active=false, tokenValues='']
2016-07-21 15:45:33,682 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,704 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 51, active=false, tokenValues='']
2016-07-21 15:45:33,756 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,776 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 52, active=false, tokenValues='']
2016-07-21 15:45:33,832 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,856 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 53, active=false, tokenValues='']
2016-07-21 15:45:33,904 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,924 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 54, active=false, tokenValues='']
2016-07-21 15:45:33,968 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,988 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 55, active=false, tokenValues='']
2016-07-21 15:45:34,053 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:34,087 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 56, active=false, tokenValues='']
2016-07-21 15:45:34,217 [ZAP-ActiveScanner-0] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:34,236 [ZAP-ActiveScanner-0] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 57, active=false, tokenValues='']

Does creating a session every time mean it is reauthenticating every time it launches a request? Is that the expected behaviour?
Why do you think ZAP hangs when using the daemon mode? I have been struggling for days to sort this out.



thc...@gmail.com

Jul 29, 2016, 11:29:54 AM
to zaprox...@googlegroups.com
Hi.

The (re)authentication attempts might be normal, it depends if the
session being used was invalidated or not (for whatever reason).
(Note that the sessions being added to the HTTP sessions tab is a bug.)

Regarding the hangs, more details are needed to check why that happens.

Best regards.
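The reply above says the repeated "Authenticating user" lines may be normal if the session keeps being invalidated, while the HTTP Sessions tab entries are a separate bug. What the zap.log excerpts do not show directly is how tightly those attempts cluster per scanner thread, which is the quickest way to tell "re-authenticating before every request" apart from an occasional expiry. The script below is an added example, not part of this thread and not ZAP project code. It parses both log prefix styles quoted in the thread (the relative millisecond counter and the dated timestamp), skips stack-trace continuation lines, counts authentications and new sessions per thread, and flags threads whose median gap between authentications falls under a threshold. The sample log lines are constructed from the quoted ones, and the 1000 ms churn threshold is an assumed heuristic rather than a ZAP setting.

```python
"""Summarise authentication and session churn in an OWASP ZAP zap.log.

Added example for this thread, not ZAP project code. It reads the log lines
ZAP writes in both prefix formats quoted above (a relative millisecond counter
and a dated timestamp), skips stack-trace continuation lines, and reports per
thread how often "Authenticating user" fires and how close together those
attempts are. The 1000 ms churn threshold is an assumed heuristic, not a ZAP
setting.
"""
import re
import statistics
import sys
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches "2779104 [ZAP-ActiveScanner-0] INFO org.zaproxy.zap.users.User  - msg"
# as well as "2016-07-21 15:45:33,448 [ZAP-ActiveScanner-1] INFO  User - msg".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}|\d+) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+- (?P<msg>.*)$"
)
AUTH_MSG = "Authenticating user:"
SESSION_MSG = "Created a new session as no match was found"
EPOCH = datetime(1970, 1, 1)

# Constructed sample, modelled on the lines quoted in the thread (both prefix
# styles mixed on purpose so that both are exercised; values are made up).
SAMPLE_LOG = """\
2016-07-21 15:45:33,448 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,468 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 48, active=false, tokenValues='']
2016-07-21 15:45:33,539 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,559 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 49, active=false, tokenValues='']
2016-07-21 15:45:33,609 [ZAP-ActiveScanner-1] INFO  User - Authenticating user: TestUser
2016-07-21 15:45:33,630 [ZAP-ActiveScanner-1] INFO  HttpSessionsSite - Created a new session as no match was found: HttpSession [name=Session 50, active=false, tokenValues='']
346248 [pool-6-thread-1] ERROR org.zaproxy.zap.spider.SpiderTask  - An error occured while fetching the resource: chunked stream ended unexpectedly
java.io.IOException: chunked stream ended unexpectedly
    at org.apache.commons.httpclient.ChunkedInputStream.getChunkSizeFromInputStream(ChunkedInputStream.java:252)
346449 [pool-6-thread-1] INFO org.zaproxy.zap.users.User  - Authenticating user: TestUser
346485 [pool-6-thread-1] INFO org.zaproxy.zap.extension.httpsessions.HttpSessionsSite  - Created a new session as no match was found: HttpSession [name=Session 69, active=false, tokenValues='']
"""


def _to_ms(ts: str) -> int:
    """Normalise either prefix style to an integer number of milliseconds."""
    if ts.isdigit():
        return int(ts)
    stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f")
    return (stamp - EPOCH) // timedelta(milliseconds=1)


def parse_log(text):
    """Yield (ms, thread, level, logger, msg) for each line carrying ZAP's prefix.

    Stack-trace continuation lines ("at ...", "java.io.IOException ...") have no
    prefix and are skipped, as is a line truncated before its message.
    """
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield (_to_ms(match["ts"]), match["thread"], match["level"],
                   match["logger"], match["msg"])


def summarize(text, churn_gap_ms=1000):
    """Per-thread authentication/session counts plus the ERROR lines seen.

    A thread is reported as "churning" when it authenticated at least three
    times with a median gap below churn_gap_ms: every attempt is followed by a
    fresh session, which is the pattern in the thread above.
    """
    auth_times = defaultdict(list)
    sessions = Counter()
    errors = Counter()
    for ms, thread, level, logger, msg in parse_log(text):
        if level == "ERROR":
            errors["%s: %s" % (logger.rsplit(".", 1)[-1], msg)] += 1
        elif msg.startswith(AUTH_MSG):
            auth_times[thread].append(ms)
        elif msg.startswith(SESSION_MSG):
            sessions[thread] += 1
    threads, churning = {}, []
    for thread in sorted(set(auth_times) | set(sessions)):
        times = auth_times.get(thread, [])
        gaps = [b - a for a, b in zip(times, times[1:])]
        median = statistics.median(gaps) if gaps else None
        threads[thread] = {"auth_count": len(times),
                           "session_count": sessions[thread],
                           "median_gap_ms": median}
        if len(times) >= 3 and median < churn_gap_ms:
            churning.append(thread)
    return {"threads": threads, "errors": dict(errors), "churning_threads": churning}


if __name__ == "__main__":
    # Pass a zap.log path to analyse a real file; otherwise the sample is used.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(source)
    for thread, stats in report["threads"].items():
        print(thread, stats)
    print("churning threads:", report["churning_threads"])
    for error, count in report["errors"].items():
        print("%dx %s" % (count, error))
```

Run it against the real ./ZAP/zap.log from a daemon run: a thread that shows dozens of authentications with a median gap of under a second is discarding its session after every request, which points at the session being invalidated by the target or by the session-management configuration rather than at the scanner itself, and the error tally separates that question from the chunked-stream exceptions the spider reported.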