Errors when running ZAP
Mark Rader
421717 [Thread-206] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.11.200 | SourceCodeDisclosureCVE20121823 strength MEDIUM threshold MEDIUM
[Fatal Error] :1:50: White spaces are required between publicId and systemId.
[Fatal Error] :1:50: White spaces are required between publicId and systemId.
421732 [ZAP-ActiveScanner-1] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.11.200 | CrossDomainScanner in 0.016s
442320 [ZAP-ActiveScanner-1] ERROR org.zaproxy.zap.extension.ascanrulesBeta.SourceCodeDisclosureCVE20121823 - Error scanning a Host for Source Code Disclosure via CVE-2012-1823: Read timed out
java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:2032)
at org.zaproxy.zap.ZapGetMethod.readResponse(ZapGetMethod.java:88)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1147)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:424)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:191)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:246)
at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:461)
at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:420)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:398)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:324)
at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:223)
at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:178)
at org.zaproxy.zap.extension.ascanrulesBeta.SourceCodeDisclosureCVE20121823.scan(Unknown Source)
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:264)
at java.lang.Thread.run(Unknown Source)
486380 [ZAP-ActiveScanner-0] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.11.200 | HeartBleedActiveScanner in 64.667s
486380 [Thread-206] INFO org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin http://192.168.11.200 | SourceCodeDisclosureCVE20121823 in 64.663s
486381 [Thread-206] INFO org.parosproxy.paros.core.scanner.HostProcess - start host http://192.168.11.200 | RemoteCodeExecutionCVE20121823 strength MEDIUM threshold MEDIUM
506586 [ZAP-ActiveScanner-0] ERROR org.zaproxy.zap.extension.ascanrulesBeta.RemoteCodeExecutionCVE20121823 - Error scanning a URL for Remote Code Execution via CVE-2012-1823: Read timed out
java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(Unknown Source)
at java.net.SocketInputStream.read(Unknown Source)
at java.io.BufferedInputStream.fill(Unknown Source)
at java.io.BufferedInputStream.read(Unknown Source)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:78)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:106)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1116)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1413)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:2032)
at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1793)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1147)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:424)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:191)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at org.parosproxy.paros.network.HttpSender.executeMethod(HttpSender.java:246)
at org.parosproxy.paros.network.HttpSender.runMethod(HttpSender.java:461)
at org.parosproxy.paros.network.HttpSender.send(HttpSender.java:420)
at org.parosproxy.paros.network.HttpSender.sendAuthenticated(HttpSender.java:398)
at org.parosproxy.paros.network.HttpSender.sendAndReceive(HttpSender.java:324)
at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:223)
at org.parosproxy.paros.core.scanner.AbstractPlugin.sendAndReceive(AbstractPlugin.java:178)
at org.zaproxy.zap.extension.ascanrulesBeta.RemoteCodeExecutionCVE20121823.scan(Unknown Source)
at org.parosproxy.paros.core.scanner.AbstractPlugin.run(AbstractPlugin.java:264)
at java.lang.Thread.run(Unknown Source)
kingthorin+owaspzap
2) Java Version?
Mark Rader
1) OS & Version?
2) Java Version?
--
You received this message because you are subscribed to the Google Groups "OWASP ZAP Developer Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to zaproxy-devel...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Colm O'Flaherty
Can you show us the request in question when the exception occurs? I'm wondering if it is well formed.
Mark Rader
kingthorin+owaspzap
Might be related to Java 7u71 (you could try 72).
If you do an actual build and deploy do you experience the issue with a "real" version of ZAP or only when running via Eclipse?
Were you working with a web service or something else that's using XML? (A google for "White spaces are required between publicId and systemId." leads to lots of posts surrounding XML parsing or consistency issues.)
Mark Rader
--
psiinon
I think the "Fatal Error" ones are caused when we try to parse the responses to get a DOM for the passive scanners.
It probably just means that the response is not well enough formed, and can be ignored unless its causing other problems. I've tried to get rid of those messages before but failed.
The socket timeouts could just be that the server is overloaded, or has chosen not to respond to what could have been an invalid request.
So if you're not experiencing any problems then I think these errors can be ignored.
Simon