Script Active Scan Rules is being skipped with no error in log.


JordanGS
Apr 12, 2016, 1:02:41 PM
to OWASP ZAP User Group
Hi everyone,

I am running a scan on a single page, and the Script Active Scan Rules is being skipped, with no error message shown in the log.

Any advice would be appreciated, since I can't debug without an error message :( Thank you!

thc...@gmail.com
Apr 12, 2016, 1:06:02 PM
to zaprox...@googlegroups.com
Hi.

Which ZAP version are you using?

In the weeklies that scanner is automatically skipped if there are no Active
Rules scripts enabled.

Best regards.

JordanGS
Apr 12, 2016, 1:08:15 PM
to OWASP ZAP User Group
I tried weekly ZAP_D-2016-04-04 and ZAP_D-2016-04-12.

Everything is set on default in the policy.

JordanGS
Apr 12, 2016, 1:24:11 PM
to OWASP ZAP User Group
It's not just that rule though.

Cross Domain Reconfiguration has 0 requests being made

Heartbleed Open SSL has 0 requests being made 

Session Fixation has 0 requests being made

XML External Entity Attack has 0

Generic Padding oracle has 0

Possible Username enumeration is being skipped

JordanGS
Apr 12, 2016, 1:42:10 PM
to OWASP ZAP User Group
Also, the summary shows that each rule only executed for less than half a second. Why did it not send any requests?

thc...@gmail.com
Apr 12, 2016, 1:43:07 PM
to zaprox...@googlegroups.com
> Cross Domain Reconfiguration has 0 requests being made

This one should send something, are there no errors in the log?

> Heartbleed Open SSL has 0 requests being made

Does not show the number of "messages" sent; it does not send HTTP
messages, which is what is being counted.

> Session Fixation has 0 requests being made

Does not send any request if its prerequisites are not met: a context
with form-based authentication (to obtain the login URL).

> XML External Entity Attack has 0

Does not send any request if the Content-Type of the request does not
contain XML.

> Generic Padding oracle has 0

Does not send any request if the values of the parameters being attacked
do not look to be encrypted or do not match a given pattern.


> Possible Username enumeration is being skipped

It's skipped if its prerequisites are not met: a context with
form-based authentication (to obtain the login URL).


Best regards.

thc...@gmail.com
Apr 12, 2016, 1:43:59 PM
to zaprox...@googlegroups.com
Answered just now to previous message.

JordanGS
Apr 12, 2016, 1:53:50 PM
to OWASP ZAP User Group
>> Cross Domain Reconfiguration has 0 requests being made
>
> This one should send something, are there no errors in the log?

Nothing

---

>> Heartbleed Open SSL has 0 requests being made
>
> Does not show the number of "messages" sent, it does not send HTTP
> messages which is what is being counted.

I know this, but it only ran for 5 seconds, which is why I mentioned it.

---

>> Session Fixation has 0 requests being made
>
> Does not send any request if its prerequisites are not met, a context
> with a form-based authentication (to obtain the login URL).

This might be an interesting situation, because the method of authentication is a login form, but because it is CAS based it uses an authentication script to log in.

---

>> XML External Entity Attack has 0
>
> Does not send any request if the Content-Type of the request does not
> contain XML.

No XML being submitted, just a form submission.

---

>> Generic Padding oracle has 0
>
> Does not send any request if the values of the parameters being attacked
> do not look to be encrypted or do not match a given pattern.

The page has a hidden encrypted userid value.

---

>> Possible Username enumeration is being skipped
>
> It's skipped if its prerequisites are not met, a context with a
> form-based authentication (to obtain the login URL).

Maybe the same issue as above: CAS based, it uses an authentication script to log in.

JordanGS
Apr 12, 2016, 2:32:25 PM
to OWASP ZAP User Group
Cross Site scripting DOM Based took 30 minutes but 0 requests

SOAP Action Spoofing has 0 requests and less than 1 second

SOAP XML injection has 0 requests and less than 1 second

Also no errors in the log :(

kingthorin+owaspzap
Apr 12, 2016, 4:23:13 PM
to OWASP ZAP User Group
OK, so catching up: script-based auth is not the same as form auth, so if you're using script auth some scanners will be skipped.

DOM XSS probably lists 0 requests because they're not initiated by ZAP, they're initiated by a browser via Selenium. The SOAP related ones would only apply to SOAP related requests and are likely skipped.

kingthorin+owaspzap
Apr 12, 2016, 4:24:21 PM
to OWASP ZAP User Group
Oh and heartbleed does take time because it makes network based requests but not web requests.

kingthorin+owaspzap
Apr 12, 2016, 5:52:53 PM
to OWASP ZAP User Group
To the original question ... What script active scanner do you have set up? Is it enabled in the Scripts tree? Are Script Active Scan Rules turned on in your scan policy?

Could it be https://github.com/zaproxy/zaproxy/issues/1786 ?

JordanGS
Apr 13, 2016, 12:02:54 PM
to OWASP ZAP User Group
Thank you both for the clarifications!

To the original question! YES!!! It is issue 1786. I was playing around with creating a custom active scan rule script and I couldn't figure out why it was being skipped.
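For readers who land here while writing their first script rule, the following is an added example of the kind of custom active scan rule script the poster was working on. It is not part of this thread and not the template ZAP ships; the entry points `scanNode(as, msg)` / `scan(as, msg, param, value)` and the helper calls on `as` and `msg` (including the 13-argument `as.raiseAlert`) are assumed from the ZAP JavaScript active-scan template of the period, so compare them with the template your own ZAP version provides. The rule injects a unique alphanumeric marker into each parameter and raises a low-confidence alert when the marker comes back in the response body verbatim, i.e. without any HTML or URL encoding. It is written in ES5 so it runs under ZAP's Nashorn engine as well as under Node for offline testing.

```javascript
// Added example: a custom ZAP active scan rule script in the scanNode/scan shape.
// Not ZAP's shipped template. The helper calls used below (as.setParam,
// as.sendAndReceive, as.raiseAlert with 13 arguments, as.isStop, msg.cloneRequest,
// msg.getResponseBody, msg.getRequestHeader().getURI()) are assumptions taken from
// the ZAP JavaScript active-scan template of that period; verify against yours.

var MARKER_PREFIX = "zapprobe";

// Build a marker that is unlikely to occur naturally and is safe in a query or
// form value. `nonce` is optional: ZAP never passes it (a random one is used),
// tests may pass a fixed value to get a deterministic marker.
function buildMarker(param, nonce) {
  var safe = String(param).replace(/[^A-Za-z0-9]/g, "");
  var n = (nonce === undefined) ? Math.floor(Math.random() * 1e9) : nonce;
  return MARKER_PREFIX + safe + n;
}

// True when the marker appears verbatim in the body, i.e. the application echoed
// the input without encoding it. Because the marker is alphanumeric, an HTML- or
// URL-encoded copy of it cannot produce a match.
function isReflectedUnencoded(body, marker) {
  return String(body).indexOf(marker) !== -1;
}

// ZAP calls scanNode once per URL. A per-parameter reflection probe has nothing
// to do at node level.
function scanNode(as, msg) {
}

// ZAP calls scan once per parameter the policy lets it attack. Returns true when
// an alert was raised; ZAP ignores the return value, tests can check it.
function scan(as, msg, param, value, nonce) {
  if (as.isStop()) {
    return false;
  }
  var marker = buildMarker(param, nonce);
  var probe = msg.cloneRequest();         // never mutate the original message
  as.setParam(probe, param, marker);
  as.sendAndReceive(probe, false, false); // no redirects, no anti-CSRF handling

  var body = probe.getResponseBody().toString();
  if (!isReflectedUnencoded(body, marker)) {
    return false;
  }
  as.raiseAlert(
    1,                                    // risk: 0 info, 1 low, 2 medium, 3 high
    1,                                    // confidence: 1 low, 2 medium, 3 high
    "Unencoded reflection of input (custom probe)",
    "The value submitted in parameter '" + param + "' was returned verbatim in " +
      "the response body. Check by hand whether the reflection point allows injection.",
    probe.getRequestHeader().getURI().toString(),
    param,
    marker,                               // attack
    "Original value: " + value,           // otherInfo
    "Apply context-appropriate output encoding to user-controlled values.",
    marker,                               // evidence
    79,                                   // CWE-79
    8,                                    // WASC-8
    probe
  );
  return true;
}
```

For ZAP to run it at all, the script has to be saved with the Active Rules script type, enabled in the Scripts tree, and the Script Active Scan Rules scanner has to be enabled in the scan policy; with no enabled Active Rules script the scanner is simply skipped, as the replies above explain.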

kingthorin+owaspzap
Apr 13, 2016, 12:56:34 PM
to OWASP ZAP User Group
Thanks for following up.

Glad we got to a solution.

I'll link this discussion to 1786.

JordanGS
Apr 13, 2016, 3:35:18 PM
to OWASP ZAP User Group
I might be a little slow sometimes because I have a lot of concurrent projects, but I'll always follow up :)

Thanks again for the quick clarification, I thought I was going crazy for a moment. Especially since so many items were being skipped/ignored and I wasn't sure what the prerequisites/conditions were. Is this documented anywhere, as a kind of quick reference?

thc...@gmail.com
Apr 13, 2016, 4:36:00 PM
to zaprox...@googlegroups.com
In most of the cases, it's not, but it should be thoroughly described in
the corresponding help pages...

Best regards.

thc...@gmail.com
Apr 14, 2016, 7:07:37 AM
to zaprox...@googlegroups.com
>> Cross Domain Reconfiguration has 0 requests being made
>
> This one should send something, are there no errors in the log?
>
> Nothing

If you run just that scanner which requests do you see? (if in daemon
mode you can obtain the requests through the ZAP API, although more
cumbersome than using the GUI)

It should have two requests to XML files (crossdomain.xml and
clientaccesspolicy.xml).

>> Session Fixation has 0 requests being made
>
> Does not send any request if its prerequisites are not met, a context
> with a form-based authentication (to obtain the login URL).
>
> This might be an interesting situation because the method of authentication is a login form but because it is a CAS based, it uses an authentication script to log in.

We could allow the authentication scripts to provide a login URL...

Best regards.


thc...@gmail.com
Apr 14, 2016, 7:10:55 AM
to zaprox...@googlegroups.com
>> Generic Padding oracle has 0
>
> Does not send any request if the values of the parameters being attacked
> do not look to be encrypted or do not match a given pattern.
>
> The page has a hidden encrypted userid value.

(Missed this one in the previous reply.)

Most likely the value does not match the required patterns. Could you
provide a dummy value?

In any case that should be explained in the help pages.

Best regards.
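The reply above says the Generic Padding Oracle rule will not spend requests on a parameter unless its value looks encrypted. What follows is an added example of a pre-check of that kind, written here for this page; it is not ZAP's code and not its actual pattern list (the thread does not reproduce that). The reasoning it encodes is generic: a CBC ciphertext, once stripped of its transport encoding, is a whole number of cipher blocks, so a value that is neither hex nor base64, that decodes to a length that is not block-aligned, or that is a plain decimal number is not a padding-oracle candidate. The block sizes (8 for DES/3DES/Blowfish, 16 for AES), the decimal-number exclusion, and the sample values in the test are assumptions and constructed inputs, not taken from ZAP or from the poster's application. It is ES5 so it could be reused inside a ZAP script.

```javascript
// Added example, not ZAP's implementation: a "does this value look like a
// block-cipher ciphertext?" pre-check of the kind a padding-oracle rule runs on
// each parameter value before sending any attack requests. Block sizes and the
// decimal-number exclusion are assumptions; ZAP's own list may differ.

var BLOCK_SIZES = [16, 8]; // largest first, so 32 bytes reports an AES-sized block

// Byte length a standard or URL-safe base64 string decodes to, or -1 if not base64.
function base64DecodedLength(s) {
  var t = s.replace(/-/g, "+").replace(/_/g, "/");
  if (t.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(t)) {
    return -1;
  }
  var pad = (t.match(/=+$/) || [""])[0].length;
  return (t.length / 4) * 3 - pad;
}

// Byte length a hex string decodes to, or -1 if not hex.
function hexDecodedLength(s) {
  if (s.length % 2 !== 0 || !/^[0-9a-fA-F]+$/.test(s)) {
    return -1;
  }
  return s.length / 2;
}

// Largest block size that divides n (n must be at least one block), else 0.
function alignedBlockSize(n) {
  for (var i = 0; i < BLOCK_SIZES.length; i++) {
    if (n >= BLOCK_SIZES[i] && n % BLOCK_SIZES[i] === 0) {
      return BLOCK_SIZES[i];
    }
  }
  return 0;
}

function result(candidate, encoding, bytes, blockSize, reason) {
  return { candidate: candidate, encoding: encoding, bytes: bytes,
           blockSize: blockSize, reason: reason };
}

// Decide whether a parameter value is worth a padding-oracle attack.
// Returns {candidate, encoding, bytes, blockSize, reason}.
function paddingOracleCandidate(rawValue) {
  var value = String(rawValue);
  try {
    value = decodeURIComponent(value); // form values arrive percent-encoded ('=' as %3D)
  } catch (e) {
    // not valid percent-encoding; keep the raw value
  }
  value = value.replace(/\s+/g, "");   // tolerate line-wrapped base64
  if (value.length === 0) {
    return result(false, null, 0, 0, "empty");
  }
  if (/^[0-9]+$/.test(value)) {
    return result(false, null, 0, 0, "decimal number");
  }
  // Hex first: its alphabet is a subset of base64's, so a hex string would
  // otherwise be misread as base64 with a different byte length.
  var encodings = [["hex", hexDecodedLength], ["base64", base64DecodedLength]];
  var seen = null;
  for (var i = 0; i < encodings.length; i++) {
    var name = encodings[i][0];
    var n = encodings[i][1](value);
    if (n < 0) {
      continue;
    }
    var bs = alignedBlockSize(n);
    if (bs > 0) {
      return result(true, name, n, bs, "block-aligned " + name);
    }
    seen = result(false, name, n, 0, n + " bytes is not a multiple of a block size");
  }
  return seen || result(false, null, 0, 0, "not hex or base64");
}
```

Running the poster's hidden userid value through a check like this is a quick way to see which branch rejects it: a decimal counter, a short base64 string such as a base64-encoded username, or an opaque token whose decoded length is not a multiple of 8 or 16 will all be passed over without a single request being sent.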

JordanGS
Apr 14, 2016, 12:56:01 PM
to OWASP ZAP User Group
@thx202

> If you run just that scanner which requests do you see? (if in daemon
> mode you can obtain the requests through the ZAP API, although more
> cumbersome than using the GUI)

> It should have two requests to XML files (crossdomain.xml and
> clientaccesspolicy.xml).

ZAP discovered some issues which are being fixed right now; I'll be able to run that scan once the current issues ZAP discovered are fixed. Should be early next week. Sorry for the inconvenience.


> We could allow the authentication scripts to provide a login URL... 

My authentication script accepts a field called loginURL, please see attached screenshot


> Most likely the value does not match the required patterns. Could you
> provide a dummy value?

> In any case that should be explained in the help pages.

The only reference I found to this in the ZAP help pages is Active Scan Rules - Beta.

I am unsure what you mean by the required patterns or dummy value. Could you provide me a sample/example so I know what to look for?

Thank you!

thc...@gmail.com
Apr 25, 2016, 8:25:28 AM
to zaprox...@googlegroups.com
Hi.

Answers inline:

On 14/04/16 17:56, JordanGS wrote:
> @thx202
>
>> If you run just that scanner which requests do you see? (if in daemon
>> mode you can obtain the requests through the ZAP API, although more
>> cumbersome than using the GUI)
>>
>> It should have two requests to XML files (crossdomain.xml and
>> clientaccesspolicy.xml).
>
> ZAP discovered some issues which are being fixed right now, i'll be able
> to run that scan once the current issues zap discovered are fixed.
> Should be early next week. Sorry for the inconvenience.
>

That was caused most likely because of an issue. [1]
Should be fixed in latest weekly release.

(There's another issue to change the scanners that do not send HTTP
messages to report that a message was sent. [2] )


>> We could allow the authentication scripts to provide a login URL...
>
> My authentication script accepts a field called loginURL, please see
> attached screenshot
>

Right, we could support that but the scanner might need to be changed to
effectively use the proper authentication method (which would no longer
require a login URL).


>> Most likely the value does not match the required patterns. Could you
>> provide a dummy value?
>>
>> In any case that should be explained in the help pages.
>
> The only reference i found to this in the ZAP help pages is Active Scan
> Rules - Beta.
>
> I am unsure what you mean by the required patterns or dummy value. Could
> you provide me a sample/example so i know what to look for?

An issue has been raised to address the lack of documentation. [3]
In the issue report it indicates (links to source code) what values are
ignored and the patterns that it expects.


[1] https://github.com/zaproxy/zaproxy/issues/2421
[2] https://github.com/zaproxy/zaproxy/issues/2425
[3] https://github.com/zaproxy/zaproxy/issues/2417

Thanks!
Best regards.