active scan pops up file save dialog for json


Alex Roytman

May 27, 2021, 12:18:25 PM
to OWASP ZAP Developer Group
Hello,

I have very strange behavior during active scan, whether via the UI or in daemon mode.
I run it on a Windows machine and dozens of times I get a file save dialog popping up asking me to save JSON content to a file. Is my ZAP misconfigured, or is geckodriver.exe not understanding the application/json content type and treating it as a download?
If I am not using Selenium directly, do I even need geckodriver and a browser (headless or real) to run an active scan?

Thank you,
Alex

psiinon

May 27, 2021, 1:01:33 PM
to OWASP ZAP Developer Group
Ah!
Someone else reported this but then couldn't give us any more info.
I can reproduce this, but only when I use the non-headless versions of Firefox and Chrome. With the headless versions I get no popups.
I've got what I think is a fix but I can't test it :/
Could you try it out?
I can supply either the code changes needed or a test add-on...

Cheers,

Simon

Alex Roytman

May 27, 2021, 1:47:49 PM
to OWASP ZAP Developer Group
Be glad to - just give me instructions, as I am pretty new to ZAP.
I do not build it, so a plugin perhaps?

psiinon

May 28, 2021, 6:39:26 AM
to OWASP ZAP Developer Group
Sure.
I've built a test version of the selenium add-on which you can download here: https://github.com/psiinon/zap-extensions/releases/download/selenium-v15.4.0/selenium-release-15.4.0.zap
Save that locally and then add it to ZAP using the "File / Load Add-on File ..." menu item.
Then try an active scan again and let us know if you still get the save dialogs shown.
I've only included a possible fix for Firefox in this add-on; it looks like Chrome will need the equivalent changes...

Many thanks,

Simon

Alex Roytman

Jun 2, 2021, 4:59:48 PM
to OWASP ZAP Developer Group
Sorry, had to switch to other things for a few days. Will test as soon as I have a few hours.

psiinon

Jun 3, 2021, 4:31:24 AM
to OWASP ZAP Developer Group
No problem, just let us know when you've had a chance to try it :)

Sreejith ss

Aug 3, 2022, 8:30:10 AM
to OWASP ZAP Developer Group
The issue still exists in ZAP version 1.10. ZAP is used in headless mode and integrated with a Selenium test case; the test is running in Chrome, but I'm getting a Save As pop-up while doing the active scan, and it is generated from Firefox. Would you please look into it and help me with the same?

kingthorin+owaspzap

Aug 3, 2022, 3:31:17 PM
to OWASP ZAP Developer Group
#1 I have no idea what version 1.10 is. Assuming you mean 2.10 you're still behind. The currently supported release is 2.11.1. (Unless you time traveled down some internet archive rabbit hole and dug up a 1.1.0 release from like 12 years ago.)
#2 I have no idea why you're getting Save as dialogs in Firefox, likely because your app isn't sending the proper Content-Type on the responses. You could try disabling the DOM XSS rule and see if you get past it. (Since it's the only active scan rule that uses a browser.) If that doesn't do it, then it's something with your Selenium usage.
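A quick way to test the "proper Content-Type" theory in the reply above is to look at the responses the scanned application actually returns. The script below is an added example, not code from the thread or from ZAP: it parses raw HTTP responses (the samples at the bottom are constructed here, not captured from anyone's application) and reports the two things that commonly make a browser prompt to save rather than render, a Content-Disposition: attachment header and a JSON body served under a non-JSON or missing media type such as application/octet-stream. The function names and the sample responses are this example's own.

```python
"""Flag JSON responses that a browser would treat as a download.

Added example; not from the ZAP project. Input is a raw HTTP/1.1 response
as bytes, e.g. one copied out of ZAP's History tab or a proxy log.
"""
import json


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_json_media_type(content_type: str) -> bool:
    """True for application/json and structured-syntax types like application/ld+json."""
    media = content_type.split(";", 1)[0].strip().lower()
    return media == "application/json" or media.endswith("+json")


def looks_like_json(body: bytes) -> bool:
    """True if the body parses as a JSON document."""
    try:
        json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False
    return True


def diagnose(raw: bytes) -> list:
    """Return human-readable findings for one response; empty list means it looks fine."""
    _status, headers, body = parse_response(raw)
    findings = []
    disposition = headers.get("content-disposition", "").lower()
    if "attachment" in disposition:
        findings.append("Content-Disposition: attachment forces a download")
    if looks_like_json(body):
        ctype = headers.get("content-type", "")
        if not ctype:
            findings.append("JSON body with no Content-Type")
        elif not is_json_media_type(ctype):
            findings.append(f"JSON body served as {ctype!r}")
    return findings


# Constructed sample responses (not from any real application).
SAMPLES = {
    "good": (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: application/json; charset=utf-8\r\n\r\n"
             b'{"ok": true}'),
    "octet": (b"HTTP/1.1 200 OK\r\n"
              b"Content-Type: application/octet-stream\r\n\r\n"
              b'{"ok": true}'),
    "attachment": (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: application/json\r\n"
                   b'Content-Disposition: attachment; filename="data.json"\r\n\r\n'
                   b"[1, 2, 3]"),
    "html": (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html\r\n\r\n"
             b"<html></html>"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, diagnose(raw) or "ok")
```

Run it over the responses ZAP recorded for the endpoints that triggered the dialog; if every one of them comes back clean, the Content-Type explanation is unlikely and the browser-driving DOM XSS rule or the Selenium setup is the next place to look, as the reply suggests.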