Using headless chrome for active scan


Anthony Robinson

Mar 23, 2022, 9:32:31 AM
to OWASP ZAP User Group
I am currently using ZAP using the automation framework and have a YAML file up and working; however, the site I wish to ZAP needs to be launched in Chrome.

I can't find a setting in the YAML to force chrome-headless during the active scan. Is there such a setting?

Thanks

thc...@gmail.com

Mar 23, 2022, 9:59:32 AM
to zaprox...@googlegroups.com
Hi.

If you are referring to DOM XSS browser you can specify it with the scan
rule configuration "rules.domxss.browserid".

More info in:
https://www.zaproxy.org/docs/desktop/ui/dialogs/options/ruleconfig/
https://www.zaproxy.org/faq/how-do-you-find-out-what-key-to-use-to-set-a-config-value-on-the-command-line/

Best regards.

Simon Bennetts

Mar 23, 2022, 10:04:25 AM
to OWASP ZAP User Group
Or if you are referring to the Ajax Spider you can set that via the browserId option: https://www.zaproxy.org/docs/desktop/addons/ajax-spider/automation/

Cheers,

Simon

Anthony Robinson

Mar 23, 2022, 10:10:44 AM
to OWASP ZAP User Group
I don't think I'm doing either of these.

Please see my output:
1648044394695   mozrunner::runner       INFO    Running command: "C:\\Program Files\\Mozilla Firefox\\firefox.exe" "--marionette" "-headless" "-no-remote" "-profile" "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\3\\rust_mozprofileqXjQVD"
1648044394699   mozrunner::runner       INFO    Running command: "C:\\Program Files\\Mozilla Firefox\\firefox.exe" "--marionette" "-headless" "-no-remote" "-profile" "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\3\\rust_mozprofileowLb4q"
*** You are running in headless mode.
*** You are running in headless mode.
1648044395003   Marionette      INFO    Marionette enabled
1648044395005   Marionette      INFO    Marionette enabled
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
[GFX1-]: RenderCompositorSWGL failed mapping default framebuffer, no dt
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new NotFoundError("Could not open the file at C:\\Users\\Administrator\\AppData\\Local\\Temp\\3\\rust_mozprofileowLb4q\\search.json.mozlz4", (void 0)))
console.warn: SearchSettings: "get: No settings file exists, new profile?" (new NotFoundError("Could not open the file at C:\\Users\\Administrator\\AppData\\Local\\Temp\\3\\rust_mozprofileqXjQVD\\search.json.mozlz4", (void 0)))
console.error: Region.jsm: "Error fetching region" (new TypeError("NetworkError when attempting to fetch resource.", ""))
console.error: Region.jsm: "Failed to fetch region" (new Error("NO_RESULT", "resource://gre/modules/Region.jsm", 419))
1648044396256   Marionette      INFO    Listening on port 53518
console.warn: TopSitesFeed: Failed to fetch data from Contile server: NetworkError when attempting to fetch resource.
console.error: Region.jsm: "Error fetching region" (new TypeError("NetworkError when attempting to fetch resource.", ""))
console.error: Region.jsm: "Failed to fetch region" (new Error("NO_RESULT", "resource://gre/modules/Region.jsm", 419))
console.warn: TopSitesFeed: Failed to fetch data from Contile server: NetworkError when attempting to fetch resource.
1648044396500   Marionette      INFO    Listening on port 53519
1648044396732   RemoteAgent     WARN    TLS certificate errors will be ignored for this session
1648044396733   RemoteAgent     WARN    TLS certificate errors will be ignored for this session
Mar 23, 2022 2:06:36 PM org.openqa.selenium.remote.ProtocolHandshake createSession
INFO: Detected dialect: W3C
Mar 23, 2022 2:06:36 PM org.openqa.selenium.remote.ProtocolHandshake createSession
INFO: Detected dialect: W3C
JavaScript error: resource:///modules/FaviconLoader.jsm, line 598: InvalidStateError: JSWindowActorChild.sendAsyncMessage: JSWindowActorChild cannot send at the moment
1648044408990   Marionette      INFO    Stopped listening on port 53519
1648044409683   Marionette      INFO    Stopped listening on port 53518

###!!! [Parent][PImageBridgeParent] Error: RunMessage(msgname=PImageBridge::Msg_WillClose) Channel closing: too late to send/recv, messages will be lost

Instead of using Firefox I want to use Chrome. Can this be done for the active scan?

kingthorin+owaspzap

Mar 23, 2022, 12:17:17 PM
to OWASP ZAP User Group
If you are referring to DOM XSS browser (which is currently the only one used in Active Scan) you can specify it with the scan rule configuration "rules.domxss.browserid".

Anthony Robinson

Mar 24, 2022, 5:01:20 AM
to OWASP ZAP User Group
No, I'm not referring to this. If you see in my output, there is a line saying that it runs Firefox in headless mode:
 INFO    Running command: "C:\\Program Files\\Mozilla Firefox\\firefox.exe" "--marionette" "-headless" "-no-remote" "-profile" "C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\3\\rust_mozprofileqXjQVD"
I want to know if, instead of using Firefox for the activeScan, I can use Chrome?

Simon Bennetts

Mar 24, 2022, 5:15:19 AM
to OWASP ZAP User Group
We can't tell what ZAP component is starting Firefox from that line; we would need the preceding lines in the log.
In any case, the active scanner doesn't start any browsers on its own.
Browsers are started by the ajax spider, the DOM XSS scan rule and by user interaction.
In all cases you can switch to using Chrome - see the previous guidance we gave you.

Cheers,

Simon
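
As an added example (not part of the original thread and not the ZAP project's own plan), a minimal Automation Framework plan that applies the two settings named in the replies: the Ajax Spider job's browserId parameter and the rules.domxss.browserid scan rule configuration key. The context name, target URL, plan file name and duration are placeholders, and passing the rule key through -config on the command line is an assumption based on the FAQ linked earlier in the thread.

```yaml
# plan.yaml (constructed example; context name and URL are placeholders)
env:
  contexts:
    - name: "target"
      urls:
        - "https://app.example.com"

jobs:
  # Ajax Spider: one of the ZAP components that starts a browser.
  - type: spiderAjax
    parameters:
      context: "target"
      browserId: "chrome-headless"   # instead of the headless Firefox seen in the log
      maxDuration: 5                 # minutes, placeholder value

  # Active scan: starts no browser itself; only the DOM XSS scan rule does.
  - type: activeScan
    parameters:
      context: "target"

# The DOM XSS rule's browser is a scan rule configuration value, not a job
# parameter in this plan. Assumed invocation that sets it on the command line:
#   zap.bat -cmd -autorun plan.yaml -config rules.domxss.browserid=chrome-headless
```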