active scan pops up file save dialog for json

[Alex Roytman]

Hello,

I have a very strange behavior during active scan whether via UI or in daemon mode. 

I run it on windows machine and dozens of time I get file a save dialog pop up asking me to save JSON content to a file. Is my ZAP misconfigured or geckodriver.exe is not understanding application/json content type and treats it as download?

If I am not using selenium directly do I even need geckodriver and browser (headless or real) to run active scan?

Thank you,

Alex

[psiinon]

Ah!

Someone else reported this but then couldnt give us any more info.

I can reproduce this but only when I use the non headless versions of Firefox and Chrome. With the headless versions I get no popups.

I've got what I think is a fix but I cant test it :/

Could you try it out?

I can supply either the code changes needed or a test add-on...

Cheers,

Simon

[Alex Roytman]

Be glad to - just give me instructions as I am pretty new to ZAP

I do not build it so a plugin perhaps?

[psiinon]

Sure.

I've built a test version of the selenium add-on which you can download here: https://github.com/psiinon/zap-extensions/releases/download/selenium-v15.4.0/selenium-release-15.4.0.zap

Save that locally and then add it to ZAP using the "File / Load Add-on File ..." menu item.

Then try an active scan again and let us know if you still get the save dialogs shown.

I've only included a possible fix for Firefox in this add-on, it looks like Chrome will need the equivalent changes...

Many thanks,

Simon

[Alex Roytman]

sorry had to switch to other things for few days. will test as soon as I have few hours

[psiinon]

No problem, just let us know when you've had a chance to try it :)

[Sreejith ss]

The issue still exist in ZAP version 1.10, zap is used in headless mode and integrated with selenium test case and the test is running in chrome but getting Save As pop up while doing active scan and it is generated from firefox, would you please look into it and help me with same. 

[kingthorin+owaspzap]

#1 I have no idea what version 1.10 is. Assuming you mean 2.10 you're still behind. The currently supported release is 2.11.1. (Unless you time traveled down some internet archive rabbit hole and dug up a 1.1.0 release from like 12 years ago.)

#2 I have no idea why you're getting Save as dialogs in Firefox, likely because your app isn't sending the proper Content-Type on the responses. You could try disabling the DOM XSS rule and see if you get past it. (Since it's the only active scan rule that uses a browser.) If that doesn't do it, then it's something with your Selenium usage.

[Gael GERARD]

Bonjour,

I also have the Save as dialog popin from Firefox while running active scan.

Scanner seems blocked to a URL to a directory with multiple files in it.

It seems Zap scanner is trying to open each one of them and the Save as pops in for each one of the pdf files inside this directory.

Is there a way to prevent Zap to pars the files in this directory ? Would a robot.txt or a index.html at the root of the folder solve my problem?

Merci for your help !