Unable to perform full scan script based authentication in docker


kaushal prajapati

Feb 10, 2022, 1:43:10 AM
to OWASP ZAP User Group
Hello everyone,
I am performing a full scan with script-based authentication for Altoro Mutual in docker. Actually, I am doing it for another URL, but first I want to experiment on Altoro Mutual, so I created a script for Altoro even though I knew I could simply perform form-based authentication for Altoro.

My script works in the ZAP desktop application, but when I run it in docker I get some errors:
First, I copied altoro.context and auth_altoro_mutual.zst to /zap/wrk/ in the container. Then I executed the docker container and configured the script with this command:
zap.sh -cmd -config script.scripts.name="auth_altoro_mutual" -cmd -config script.scripts.engine="Mozilla Zest" -cmd -config script.scripts.type=authentication -cmd -config script.scripts.enabled=true -cmd -config script.scripts.file="/zap/wrk/auth_altoro_mutual.zst"
The images below describe this:
 1.png
Then I ran the full scan command: zap-full-scan.py -t https://demo.testfire.net -n altoro.context -g gen.conf -J altoro.json -d m 3
and got the error "Failed to load context file /zap/wrk/altoro.context : internal_error"

The screenshot below shows the error:
6.png
My terminal history is here: Terminal History - Pastebin
My altoro context file is here: Re: altoro.context - Pastebin
My auth_altoro_mutual zest script file is here: auth_altoro_mutual.zst - Pastebin

I am also performing the same steps for another URL and get the same error; both worked fine in the ZAP desktop application. I have tried both the stable and weekly docker images.

Any help would be appreciated. Thank you.

Simon Bennetts

Feb 10, 2022, 9:31:04 AM
to OWASP ZAP User Group
Have a look in the zap.log file for more details of the error: https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file

Note that when starting one of the packaged scans from outside of docker you will need to map a network drive containing the files you want to /zap/wrk/.

Cheers,

Simon

kaushal prajapati

Feb 16, 2022, 1:44:06 AM
to OWASP ZAP User Group
Thanks for replying. I appreciate it. I got three errors:

1. 1056392 [ZAP-ProxyThread-472] ERROR org.zaproxy.zap.extension.api.CoreAPI - no_implementor
org.zaproxy.zap.extension.api.ApiException: no_implementor

2. 1056393 [ZAP-ProxyThread-472] ERROR org.zaproxy.zap.extension.api.API - API 'other' endpoint didn't handle exception:
org.zaproxy.zap.extension.api.ApiException: internal_error.

3. ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Unable to find script while loading Script Based Authentication Method for name: auth_altoro_mutual.

My config.xml:
root@447cd2bf9aff:/root/.ZAP# cat config.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<config>
    <pscans>
        <autoTagScanners>
            <scanner>
                <name>html_tag_form</name>
                <type>TAG</type>
                <config>Form</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>&lt;form</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_tag_password</name>
                <type>TAG</type>
                <config>Password</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>&lt;password\s</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_type_password</name>
                <type>TAG</type>
                <config>Password</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>type\s*=\s*['"]?password['"]?</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_type_hidden</name>
                <type>TAG</type>
                <config>Hidden</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>type\s*=\s*['"]?hidden['"]?</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_type_upload</name>
                <type>TAG</type>
                <config>Upload</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>type\s*=\s*['"]?file['"]?</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_tag_object</name>
                <type>TAG</type>
                <config>Object</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>&lt;object\s</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_tag_script</name>
                <type>TAG</type>
                <config>Script</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>&lt;script</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_mailto</name>
                <type>TAG</type>
                <config>MailTo</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>&lt;.*href\s*=\s*['"]?mailto:</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_setcookie</name>
                <type>TAG</type>
                <config>SetCookie</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex>set-cookie</resHeadRegex>
                <resBodyRegex/>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_comment1</name>
                <type>TAG</type>
                <config>Comment</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>/\*</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>html_comment2</name>
                <type>TAG</type>
                <config>Comment</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex/>
                <resBodyRegex>&lt;!--</resBodyRegex>
                <enabled>true</enabled>
            </scanner>
            <scanner>
                <name>response_json</name>
                <type>TAG</type>
                <config>JSON</config>
                <reqUrlRegex/>
                <reqHeadRegex/>
                <resHeadRegex>type\s*:\s*application\/json</resHeadRegex>
                <resBodyRegex/>
                <enabled>true</enabled>
            </scanner>
        </autoTagScanners>
        <maxAlertsPerRule>10</maxAlertsPerRule>
    </pscans>
    <version>20011001</version>
    <database>
        <recoverylog>false</recoverylog>
    </database>
    <api>
        <disablekey>true</disablekey>
        <addrs>
            <addr>
                <name>.*</name>
                <regex>true</regex>
            </addr>
        </addrs>
        <key>change-me-9203935709</key>
    </api>
    <spider>
        <maxDuration>0</maxDuration>
    </spider>
    <connection>
        <proxyChain>
            <enabled>false</enabled>
            <hostName/>
            <port>8080</port>
            <realm/>
            <userName/>
            <prompt>false</prompt>
            <password/>
        </proxyChain>
        <securityProtocolsEnabled>
            <protocol>SSLv3</protocol>
            <protocol>TLSv1</protocol>
            <protocol>TLSv1.1</protocol>
            <protocol>TLSv1.2</protocol>
            <protocol>TLSv1.3</protocol>
        </securityProtocolsEnabled>
    </connection>
    <proxy>
        <securityProtocolsEnabled>
            <protocol>SSLv3</protocol>
            <protocol>TLSv1</protocol>
            <protocol>TLSv1.1</protocol>
            <protocol>TLSv1.2</protocol>
        </securityProtocolsEnabled>
        <ip>0.0.0.0</ip>
        <port>47846</port>
    </proxy>
    <certificate>
        <use>false</use>
        <pkcs12>
            <path/>
            <password/>
            <index>0</index>
        </pkcs12>
    </certificate>
    <reveal version="1">
        <enabled>false</enabled>
    </reveal>
    <anticsrf>
        <tokens>
            <token>
                <name>anticsrf</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>CSRFToken</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>__RequestVerificationToken</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>csrfmiddlewaretoken</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>authenticity_token</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>OWASP_CSRFTOKEN</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>anoncsrf</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>csrf_token</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>_csrf</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>_csrfSecret</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>__csrf_magic</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>CSRF</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>_token</name>
                <enabled>true</enabled>
            </token>
            <token>
                <name>_csrf_token</name>
                <enabled>true</enabled>
            </token>
        </tokens>
    </anticsrf>
    <ajaxSpider version="4"/>
    <selenium version="2"/>
    <rules>
        <common>
            <sleep>15</sleep>
        </common>
        <csrf>
            <ignorelist/>
            <ignore>
                <attname/>
                <attvalue/>
            </ignore>
        </csrf>
        <cookie>
            <ignorelist/>
        </cookie>
        <domains>
            <trusted/>
        </domains>
        <domxss>
            <browserid/>
        </domxss>
    </rules>
    <hud version="4">
        <newChangelog>true</newChangelog>
        <tutorialUpdates>History</tutorialUpdates>
        <tutorialUpdates>Comments</tutorialUpdates>
        <tutorialUpdates>ToggleScript</tutorialUpdates>
    </hud>
    <globalalertfilter version="1"/>
    <dynssl>
        <param>
            <rootca>MIIMWwIBAzCCDBQGCSqGSIb3DQEHAaCCDAUEggwBMIIL_TCCBcQGCSqGSIb3DQEHAaCCBbUEggWxMIIFrTCCBakGCyqGSIb3DQEMCgECoIIFQDCCBTwwZgYJKoZIhvcNAQUNMFkwOAYJKoZIhvcNAQUMMCsEFD62JNdYmhy3kJSkEz1J4MQLkydiAgInEAIBIDAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQ0gAdjXo4et9VOsYaYbyTFgSCBNAwqCwx9JYrmRyuE083AnTAzYE9J7NBqUj-RGty0ID2qAWwQgWSKkrtP8fKZ7UD-4CcimJy_PlV1eO1dlM0B1vWK7p4JV_IutwL_iVSyf2zIZlbESvHBId9lg6YT3dkIOZxd-OEiuhNeurGbT4Rwei9kO4gxgHoFTRQZX3lV0OouVvKeM8jhmrCBB7udyIvgw1xcp0iQzAVBrMVYucb6G3FQ1YGmSIhEBH4pIZr29Tw7zeCbt-JXPcd6T0smIX973eBTobeQdThWpR1dlILKbAgylNOGqJJfYdt2hZiPBcLnMm1wEL5X_eFUG7J_w7KtVpKOj_ThQ6BcjEEuYFJ0gsfSfMiyPjYnzA4GeADI69i2m2kTHsX2d-Qgl_THQfHBOgL9mf_BK9JZm_lzXSNtP-lvTotmZgV7PlopPlWj7Kgg8ykB78UqMl10m8I7WwTzWLO-ktzfZ97QQIvUxog5VprszFqzDdKmUml_43CcpFJaGnQYIWqLTBu8_ioY2gwbi8-qYor1rU1zxkq_-jwN_rWbZO1KYUmyrHpyW5RFjIL-vK7CLwZdb_-Qu-bW0F_6heT8PfPeu_FPIRjKufSztl1ojexBqiBCKZumyRKj-NfX9iNkSFO3qrHi-YAVzVQygw_ERWgHwaXj-LexOuM_e-mbpCmEQFS37filoZDCDe_e_7x5Bgk0fTQ908wu2FEeTJcAMvusg8mOfftJV4X04r_KLwfWEdm4DHaHMHIXO800oLAhOffww-LrzQDv6qDzd-zm1poAD3gX73EaRrKjB0LRnmtFVfpYsYNRvsX9WmpV5ZTNXD1JAic-toyG0GKp9ewuy4GAw6qWI6WhQAsspwzrJzyvmMW-TnRpFPmM_Q9F1Xr8jXJhX_DWmHCVnBNj2tkGfJ7KF9MCZcQvjMbSzmTi54KD7eXVLg5-paMqbz9fmdiHB79UJGBT2M1FPKQvTUx4ENAlzND9nrBOL6_-YdyMqg3QdLzHVNlBvPHOPlUJ3y-7mHgK_uYv0qn5Ql3vMJ27lsp1uWT-w6FlPPf4u_SzUwaoPABVSph1i_40M8aDvPJU1ql3f8VD2okrKXWA-PcMA_OZQThJ60yA9EbkYV3Ar6Yh2HtGUqhSssOsoPGrW7bCNExqc1xmPEV7UWyOtSQqUuewFXFvsGaPiU7JxcLjBHuK6ti2Quvq0LrwhSCZ75RSHWE2s2uWtWF8S6utYyAq-Pd28jeP6MKaDoUYJ4091GDy-fu_5Q4Gc_zUT8WdnewVEymW_FDvlabG4WhfTWepV1Na5wrxqB4o2pRJ1ufX5iMgXYTsZjGs8bMfLDZdMgY4Gf02k3Zw0P2V97ZyT7VZJKLhRi3ez-GYfW3yLgOItgKVJihEzfFwefMhl1g1GWJvo069FxCpw5T4jWIA86CEAXEF8erc_2oeHKtvXj-zhQBbYA2X9hvRlRw591XZj1jpRHyLdkuygVctzcKh-cJ1f5lkHioeVXT2XecxnrrCQtn9xc55dNIhZsfEenLSL_q3750g8pX8Y0nY2W6sW6QDmo0UUruxXsDacFRsxNmAAfiZ69No-k8sNs19BglCFjh8kUt2Y6wFTo8c7i4DctTUQAYZdJkqlL6hOv7C2H4v2hsyCSUHIpvsfoSmfNf4DFWMDEGCSqGSIb3DQEJFDEkHiIAbwB3AGEAcwBwAF8AegBhAHAAXwByAG8AbwB0AF8AYwBhMCEGCSqG
SIb3DQEJFTEUBBJUaW1lIDE2NDQ0Njg4NDAyMDcwggYxBgkqhkiG9w0BBwagggYiMIIGHgIBADCCBhcGCSqGSIb3DQEHATBmBgkqhkiG9w0BBQ0wWTA4BgkqhkiG9w0BBQwwKwQUSWNHYNh9HINZgd2cnVQPnW9UV_QCAicQAgEgMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBAFIy0AZ4wZU3u6h6POSTDmgIIFoE9wVN57upmhXRDbmcaeb5j2ls32DqAE2X8U2fBXZsP2fAEvQXnRRVlDmEoKb8GlKcTjcK5RrrIL0kxGrkr9NA6Cn-Fm5cY_C6CIAe6fdGCmKd7tAWUSAp_ZKccMmxceCYC4KVvDwopErYPglST4PxCvGuzNJdmsyc4jnNLah0jtgGeYrW7ZCQZDIGH0cU6Mxh9B0CGFq15P3OLCbLep3CViy5t2a4viGtXNAKsxC-4Szr5m6ClOu08rMZ2J8eszUGE3hdhxbap3LtbIa8OcQ9YN6EZuQWZPk6169ec7M_c01P6n-dklrEbYbEBnGUaNi1BWSz9GK22U1sXAtIj_GQLS5wKyU_Mw828DC7qgfc5xcahq0fbBYRD6Fv_sIMSnWx0CTimaC21iVU8ENS9nox3sUqRG-_Tqp58i4-F6wpaS9Hxj-PS0dsc1eG5UQjovCiwgUP7_nLtsS7onu1MbIVxcvpmQYCZfQi8umhCOdErN2F_QWDMGBWCU1AIHgsXiiipDK8wKGVgn8-LtJaiBlL69acMP_z4nYYqDSEkoCUcAima4Q3dsXzn7zXrUs8MKEKi-6wuxHBzvMqr9dkDp7-zNE95_lN12bOSBa-GRy908YnilUNj812TL7H-WsI2BmftTm-HQloHL04Z-VjTcnW1bSe2uzJHKZUHmL_-yIEuNq9KgUWQMhqVIZsaKVbl4hr1aIZ_KNV9iMMZvo_w3JVi4R1v2QdkDFrlXKAyZnV2ZfgpF7sAQAY8A9rDSX6f9uuNDoYg-0sbaOhXo1bXeirQzlxOKa4WcKjcn7Tuz6PK_HZXKgb6nl5NaJPOHBrzrxsH69uGuzMtor4-aNPEaKHn1SUoSVJn6Ac63O0I6dnamr3x8L8-dmUrqDQSVndkEs3MAjKzQvzmRUortJ25Ka8pPSf0HNOJqn51-fL7a4FHUcaVkAXNMVoEMOoXKf2Pn2p4G0Rxg5dliko8RuxB0ddgEgc05cdsdt9gBXRMtolqcyTKzc_z4E_wiMYs4HbX_7nT0i5f6LPAtA_wynqLxWVMvmhJyvtkUScx05WvDOuUIdxhN-xr6UK8cgwPBCJECLAe1DmO_-j9u0QKGUcvBX8EnsFJ9M8xM9DObQZ-vuKINOz84pCoR8688VVrukVvyTeVPHnbPQDzAlRKaHwbdX_vM9TWhZLvZQzRHm_xXYn4kcPHVO3Q_W9N3UThFANX_Q960J0EDNrV_9hBXAf48XBTRCwGeDPENnuMqtQcmxKl8rMLWukJYRcQDzpq_j9s3EL0g4D5Y8NpXszuiL_dgGLIKt0tAfMrWKSHXVU8vp4RMygpWCtav-ICRvl81T2ir6iYYMDf0P6qAtKtgSGzJkCnNqmqvQFIp-gN788V3kn9bYZK11C6jqi5gV5ry5ygu6r3s51C0KIjVFa4QuQ8ynAW4dnEYpdOzk6qs1dLD9mb_ElEG50s6ujYuod9RwYM_Gj0gvc2aRk8LOTREyiaXOuZyq4mBPHAopt0JeLr6nhKV1kaAoKa78SUCDxzaTIEikVl8fLmRSa28i_7k4mZjZS39f5ezYDx9_Y-E7KF8ydTIv0O6Z8IXpvl4lcyZIEI80v-FrhXIroXrbrEURKPy3WbcCy1GnkcUVOwXzslklna5ShEYHs4PhKejZPIlTERBE5xAkjtvhwGjPTcHVNu7bNzRv1W7RiTBiwbx9ijU5okln3E79ggsFWekHDOO8DMppIsJyzndKD_MJtHYsMtGbtoY8Q4MSkD4pWLp
uKArK4l9_d2HmiWZ8_uJ6Qme-kjU4VKO7PsSajLzHX_glASjPldBI0etBzJ8eKIf0lGiDCo9gNFrrWXe-cQGPFj_IIeHjsXWGqHa7Sct0rXOdQw81UwB-RrfzwdHolk_Kh0-3j4NnBQXM5s49VEJFYDLiKcXmjA-MCEwCQYFKw4DAhoFAAQUbSiySpH09Us7BEWFdqPV4nNiHDMEFM87_bGtNGJn8KSs-F0R3AGmPN4qAgMBhqA=</rootca>
        </param>
    </dynssl>
    <oast version="1">
        <boast version="1">
            <pollingFrequency>60</pollingFrequency>
        </boast>
        <callback version="1"/>
        <interactsh version="1">
            <pollingFrequency>60</pollingFrequency>
        </interactsh>
    </oast>
    <start>
        <dayLastChecked>2022-02-16</dayLastChecked>
    </start>
    <forcedUser>
        <setForcedUserModeEnabled>true</setForcedUserModeEnabled>
    </forcedUser>
    <script>
        <scripts>
            <name>Base64 Disclosure</name>
            <description/>
            <engine>Oracle Nashorn</engine>
            <type>websocketpassive</type>
            <enabled>true</enabled>
            <file>/root/.ZAP/scripts/scripts/websocketpassive/Base64 Disclosure.js</file>
        </scripts>
        <scripts>
            <name>Debug Error Disclosure</name>
            <description/>
            <engine>Oracle Nashorn</engine>
            <type>websocketpassive</type>
            <enabled>true</enabled>
            <file>/root/.ZAP/scripts/scripts/websocketpassive/Debug Error Disclosure.js</file>
        </scripts>
        <scripts>
            <name>Private IP Disclosure</name>
            <description/>
            <engine>Oracle Nashorn</engine>
            <type>websocketpassive</type>
            <enabled>true</enabled>
            <file>/root/.ZAP/scripts/scripts/websocketpassive/Private IP Disclosure.js</file>
        </scripts>
        <scripts>
            <name>Application Error Scanner</name>
            <description/>
            <engine>Oracle Nashorn</engine>
            <type>websocketpassive</type>
            <enabled>true</enabled>
            <file>/root/.ZAP/scripts/scripts/websocketpassive/Application Error Scanner.js</file>
        </scripts>
        <scripts>
            <name>Username Idor Scanner</name>
            <description/>
            <engine>Oracle Nashorn</engine>
            <type>websocketpassive</type>
            <enabled>true</enabled>
            <file>/root/.ZAP/scripts/scripts/websocketpassive/Username Idor Scanner.js</file>
        </scripts>
        <scripts>
            <name>XML Comments Disclosure</name>
            <description/>
            <engine>Oracle Nashorn</engine>
            <type>websocketpassive</type>
            <enabled>true</enabled>
            <file>/root/.ZAP/scripts/scripts/websocketpassive/XML Comments Disclosure.js</file>
        </scripts>
        <scripts>
            <name>Email Disclosure</name>
            <description/>
            <engine>Oracle Nashorn</engine>
            <type>websocketpassive</type>
            <enabled>true</enabled>
            <file>/root/.ZAP/scripts/scripts/websocketpassive/Email Disclosure.js</file>
        </scripts>
        <scripts>
            <name>auth_altoro_mutual2</name>
            <description/>
            <engine>Mozilla Zest</engine>
            <type>authentication</type>
            <enabled>true</enabled>
            <file>/zap/wrk/auth_altoro_mutual.zst</file>
        </scripts>
        <scripts>
            <name>PII Disclosure</name>
            <description/>
            <engine>Oracle Nashorn</engine>
            <type>websocketpassive</type>
            <enabled>true</enabled>
            <file>/root/.ZAP/scripts/scripts/websocketpassive/PII Disclosure.js</file>
        </scripts>
    </script>
</config>

Kindly find the whole log below:
root@447cd2bf9aff:/zap/wrk# cat zap.out
Found Java version 11.0.13
Available memory: 16002 MB
Using JVM args: -Xmx4000m
1577 [main] INFO  org.zaproxy.zap.DaemonBootstrap - OWASP ZAP 2.11.1 started 16/02/2022, 05:56:58 with home /root/.ZAP/
1643 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config database.recoverylog = false was false
1643 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.disablekey = true was true
1644 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.name = .* was .*
1644 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config api.addrs.addr.regex = true was true
1645 [main] INFO  org.parosproxy.paros.common.AbstractParam - Setting config spider.maxDuration = 0 was 0
1657 [main] INFO  org.parosproxy.paros.network.SSLConnector - Reading supported SSL/TLS protocols...
1658 [main] INFO  org.parosproxy.paros.network.SSLConnector - Using a SSLEngine...
1800 [main] INFO  org.parosproxy.paros.network.SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
1803 [main] INFO  org.parosproxy.paros.extension.option.OptionsParamCertificate - Unsafe SSL renegotiation disabled.
2369 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open start
2377 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
2378 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
2380 [main] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache open end
2495 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Loading extensions
4152 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Installed add-ons: [[id=alertFilters, version=13.0.0], [id=ascanrulesBeta, version=39.0.0], [id=bruteforce, version=11.0.0], [id=commonlib, version=1.7.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=12.0.0], [id=encoder, version=0.6.0], [id=exim, version=0.0.1], [id=formhandler, version=4.0.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=help, version=14.0.0], [id=hud, version=0.13.0], [id=importurls, version=9.0.0], [id=invoke, version=11.0.0], [id=network, version=0.1.0], [id=oast, version=0.9.0], [id=onlineMenu, version=9.0.0], [id=pscanrulesBeta, version=28.0.0], [id=replacer, version=9.0.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=29.0.0], [id=selenium, version=15.6.0], [id=spiderAjax, version=23.7.0], [id=tips, version=9.0.0], [id=websocket, version=24.0.0], [id=zest, version=35.0.0]]
4723 [ZAP-daemon] INFO  org.zaproxy.addon.network.internal.TlsUtils - Using supported SSL/TLS protocols: [TLSv1.2, TLSv1.3]
4825 [ZAP-daemon] INFO  org.zaproxy.zap.control.ExtensionFactory - Extensions loaded
5015 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows ZAP to check for updates
5020 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Options Extension
5020 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Edit Menu Extension
5021 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP
5033 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session State Extension
5034 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing History Extension
5037 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Show hidden fields and enable disabled fields
5038 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Search messages for strings and regular expressions
5040 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to intercept and modify requests and responses
5043 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive scanner
5077 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules
5077 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule
5078 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)
5078 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set
5079 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Directory Browsing
5079 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure
5079 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)
5079 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post
5079 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post
5079 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing
5080 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Modern Web Application
5080 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: PII Disclosure
5080 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache
5080 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header
5080 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override
5081 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header
5081 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset
5081 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning
5081 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)
5081 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)
5082 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: Open Redirect
5082 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak
5082 [ZAP-daemon] INFO  org.zaproxy.zap.extension.pscan.ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak
5105 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to view and manage alerts
5109 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added
5118 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Spider used for automatically finding URIs on a site
5125 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks
5126 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool
5127 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manual Request Editor Extension
5127 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences
5128 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters
5128 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens
5131 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authentication Extension
5151 [ZAP-daemon] INFO  org.zaproxy.zap.extension.authentication.ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]
5155 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser
5375 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Logs errors to the Output tab in development mode only
5376 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Users Extension
5379 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies
5380 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Script integration
5387 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages
5612 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Forced User Extension
5613 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Extension handling HTTP sessions
5617 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools
5901 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionDiff
5901 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Post Table View Extension
5901 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.
5902 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Session Management Extension
5922 [ZAP-daemon] INFO  org.zaproxy.zap.extension.sessions.ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]
5924 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Form Table View Extension
5924 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.
5949 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree
5952 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Core UI related functionality.
5952 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Authorization Extension
5952 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing AJAX Spider, uses Crawljax
5954 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.
5960 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Manages the local proxy configurations
5961 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Handles adding Global Excluded URLs
5962 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds menu item to refresh the Sites tree
5962 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing OWASP ZAP User Guide
5962 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts
5962 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Combined HTTP Panels Extension
5962 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Hex View Extension
5962 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Image View Extension
5962 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Request View Extension
5963 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Large Response View Extension
5963 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Query Table View Extension
5963 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension
5963 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.
5963 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active and passive rule configuration
5965 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Statistics
5967 [ZAP-daemon] INFO  org.zaproxy.zap.extension.stats.ExtensionStats - Start recording in memory stats
5968 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Custom Pages Definition
5968 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Tips and Tricks
5968 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.
5970 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Heads Up Display
6054 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionHUDlaunch
6055 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing DOM XSS Active Scan Rule
6119 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The Online menu links
6119 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing The ZAP Getting Started Guide
6120 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Import and Export functionality supporting multiple formats.
6120 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage
6121 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Context alert rules filter
6123 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting.
6769 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Easy way to replace strings in requests and responses
6774 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionSaveRawHttpMessage
6774 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Active Scan Rules - beta
6775 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Provides core networking capabilities.
6781 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing ExtensionOast
6789 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Adds OAST scripts.
6790 [ZAP-daemon] INFO  org.parosproxy.paros.extension.ExtensionLoader - Initializing Passive Scan Rules - beta
7046 [ZAP-daemon] INFO  org.zaproxy.addon.oast.services.callback.CallbackService - Started callback service on 0.0.0.0:37485
8288 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on update check complete
8293 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on already installed: /root/.ZAP/plugin/pscanrulesBeta-beta-28.zap
8293 [ZAP-daemon] INFO  org.parosproxy.paros.CommandLine - Add-on already installed: /root/.ZAP/plugin/ascanrulesBeta-beta-39.zap
8294 [ZAP-daemon] INFO  org.zaproxy.zap.DaemonBootstrap - ZAP is now listening on 0.0.0.0:47846
8971 [ZAP-ProxyThread-4] ERROR org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType - Unable to find script while loading Script Based Authentication Method for name: auth_altoro_mutual
9152 [ZAP-ProxyThread-4] ERROR org.zaproxy.zap.extension.api.ContextAPI - null
java.lang.NullPointerException: null
        at org.zaproxy.zap.authentication.ScriptBasedAuthenticationMethodType.persistMethodToSession(ScriptBasedAuthenticationMethodType.java:754) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.authentication.ExtensionAuthentication.persistContextData(ExtensionAuthentication.java:407) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.model.Model.saveContext(Model.java:547) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.model.Session.saveContext(Session.java:1306) ~[zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.model.Session.importContext(Session.java:1605) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.ContextAPI.handleApiAction(ContextAPI.java:279) [zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:513) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]
12784 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Starting spidering scan on https://demo.testfire.net/ at 2022-02-16T05:57:10.141+0000
12791 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Spider initializing...
12834 [ZAP-SpiderInitThread-0] INFO  org.zaproxy.zap.spider.Spider - Starting spider...
16300 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Content Security Policy (CSP) Header Not Set as it has raised more than 10 alerts.
16309 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner HTTP Server Response Header as it has raised more than 10 alerts.
16312 [ZAP-PassiveScanner] INFO  org.zaproxy.zap.extension.pscan.PassiveScanThread - Disabling passive scanner Strict-Transport-Security Header as it has raised more than 10 alerts.
37557 [ZAP-SpiderThreadPool-0-thread-1] INFO  org.zaproxy.zap.spider.Spider - Spidering process is complete. Shutting down...
37561 [ZAP-SpiderShutdownThread-0] INFO  org.zaproxy.zap.extension.spider.SpiderThread - Spider scanning complete: true on https://demo.testfire.net/ at 2022-02-16T05:57:34.916+0000
37917 [ZAP-ProxyThread-16] INFO  org.parosproxy.paros.core.scanner.Scanner - scanner started
41980 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - Scanning 88 node(s) from https://demo.testfire.net
41981 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | ScriptsActiveScanner strength MEDIUM threshold MEDIUM
41983 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - skipped plugin [no scripts enabled] https://demo.testfire.net | ScriptsActiveScanner in 0.002s with 0 message(s) sent and 0 alert(s) raised.
41984 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SourceCodeDisclosureGitScanRule strength MEDIUM threshold MEDIUM
49633 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SourceCodeDisclosureGitScanRule in 7.649s with 0 message(s) sent and 0 alert(s) raised.
49634 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SourceCodeDisclosureFileInclusionScanRule strength MEDIUM threshold MEDIUM
62680 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SourceCodeDisclosureFileInclusionScanRule in 13.046s with 46 message(s) sent and 0 alert(s) raised.
62680 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | ShellShockScanRule strength MEDIUM threshold MEDIUM
74521 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | ShellShockScanRule in 11.841s with 46 message(s) sent and 0 alert(s) raised.
74521 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | HttPoxyScanRule strength MEDIUM threshold MEDIUM
110460 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | HttPoxyScanRule in 35.939s with 176 message(s) sent and 0 alert(s) raised.
110461 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | CsrfTokenScanRule strength MEDIUM threshold MEDIUM
120303 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | CsrfTokenScanRule in 9.842s with 44 message(s) sent and 44 alert(s) raised.
120303 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | HeartBleedActiveScanRule strength MEDIUM threshold MEDIUM
120304 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | CrossDomainScanRule strength MEDIUM threshold MEDIUM
120307 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SourceCodeDisclosureCve20121823ScanRule strength MEDIUM threshold MEDIUM
120817 [ZAP-ActiveScanner-1] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | CrossDomainScanRule in 0.512s with 2 message(s) sent and 0 alert(s) raised.
131734 [ZAP-ActiveScanner-0] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | HeartBleedActiveScanRule in 11.431s with 3 message(s) sent and 0 alert(s) raised.
132697 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SourceCodeDisclosureCve20121823ScanRule in 12.391s with 19 message(s) sent and 0 alert(s) raised.
132698 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | RemoteCodeExecutionCve20121823ScanRule strength MEDIUM threshold MEDIUM
161306 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | RemoteCodeExecutionCve20121823ScanRule in 28.609s with 176 message(s) sent and 0 alert(s) raised.
161307 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SessionFixationScanRule strength MEDIUM threshold MEDIUM
163891 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SessionFixationScanRule in 2.585s with 0 message(s) sent and 0 alert(s) raised.
163891 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SqlInjectionMySqlScanRule strength MEDIUM threshold MEDIUM
191263 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SqlInjectionMySqlScanRule in 27.371s with 161 message(s) sent and 0 alert(s) raised.
191263 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SqlInjectionHypersonicScanRule strength MEDIUM threshold MEDIUM
215347 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SqlInjectionHypersonicScanRule in 24.084s with 138 message(s) sent and 0 alert(s) raised.
215348 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SqlInjectionOracleScanRule strength MEDIUM threshold MEDIUM
239788 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SqlInjectionOracleScanRule in 24.44s with 138 message(s) sent and 0 alert(s) raised.
239788 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SqlInjectionPostgreScanRule strength MEDIUM threshold MEDIUM
264446 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SqlInjectionPostgreScanRule in 24.657s with 138 message(s) sent and 0 alert(s) raised.
264446 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SqlInjectionSqLiteScanRule strength MEDIUM threshold MEDIUM
300642 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SqlInjectionSqLiteScanRule in 36.196s with 193 message(s) sent and 0 alert(s) raised.
300643 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | DomXssScanRule strength MEDIUM threshold MEDIUM
346128 [ZAP-ActiveScanner-0] WARN  org.zaproxy.zap.extension.domxss.DomXssScanRule - Skipping scanner, failed to start browser: Timed out waiting 45 seconds for Firefox to start.
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: '447cd2bf9aff', ip: '172.17.0.3', os.name: 'Linux', os.arch: 'amd64', os.version: '5.13.0-28-generic', java.version: '11.0.13'
Driver info: driver.version: FirefoxDriver
346129 [ZAP-ActiveScanner-1] WARN  org.zaproxy.zap.extension.domxss.DomXssScanRule - Skipping scanner, failed to start browser: Timed out waiting 45 seconds for Firefox to start.
Build info: version: 'unknown', revision: 'unknown', time: 'unknown'
System info: host: '447cd2bf9aff', ip: '172.17.0.3', os.name: 'Linux', os.arch: 'amd64', os.version: '5.13.0-28-generic', java.version: '11.0.13'
Driver info: driver.version: FirefoxDriver
346284 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - skipped plugin [failed to start or connect to the browser] https://demo.testfire.net | DomXssScanRule in 45.641s with 0 message(s) sent and 0 alert(s) raised.
346285 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SqlInjectionMsSqlScanRule strength MEDIUM threshold MEDIUM
364756 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SqlInjectionMsSqlScanRule in 18.471s with 88 message(s) sent and 0 alert(s) raised.
364757 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | XpathInjectionScanRule strength MEDIUM threshold MEDIUM
379146 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | XpathInjectionScanRule in 14.388s with 69 message(s) sent and 0 alert(s) raised.
379146 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | XxeScanRule strength MEDIUM threshold MEDIUM
381897 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | XxeScanRule in 2.75s with 0 message(s) sent and 0 alert(s) raised.
381897 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | PaddingOracleScanRule strength MEDIUM threshold MEDIUM
388771 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | PaddingOracleScanRule in 6.874s with 0 message(s) sent and 0 alert(s) raised.
388771 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | ExpressionLanguageInjectionScanRule strength MEDIUM threshold MEDIUM
398338 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | ExpressionLanguageInjectionScanRule in 9.567s with 23 message(s) sent and 0 alert(s) raised.
398338 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | CloudMetadataScanRule strength MEDIUM threshold MEDIUM
398339 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SourceCodeDisclosureSvnScanRule strength MEDIUM threshold MEDIUM
398591 [ZAP-ActiveScanner-0] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | CloudMetadataScanRule in 0.253s with 1 message(s) sent and 0 alert(s) raised.
412385 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SourceCodeDisclosureSvnScanRule in 14.046s with 61 message(s) sent and 0 alert(s) raised.
412385 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | RelativePathConfusionScanRule strength MEDIUM threshold MEDIUM
428822 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | RelativePathConfusionScanRule in 16.437s with 73 message(s) sent and 73 alert(s) raised.
428823 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | BackupFileDisclosureScanRule strength MEDIUM threshold MEDIUM
686320 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | BackupFileDisclosureScanRule in 257.497s with 1957 message(s) sent and 0 alert(s) raised.
686320 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | HttpOnlySiteScanRule strength MEDIUM threshold MEDIUM
686323 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | IntegerOverflowScanRule strength MEDIUM threshold MEDIUM
686323 [ZAP-ActiveScanner-0] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | HttpOnlySiteScanRule in 0.003s with 0 message(s) sent and 0 alert(s) raised.
706709 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | IntegerOverflowScanRule in 20.385s with 92 message(s) sent and 0 alert(s) raised.
706709 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | ProxyDisclosureScanRule strength MEDIUM threshold MEDIUM
840800 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | ProxyDisclosureScanRule in 134.091s with 880 message(s) sent and 0 alert(s) raised.
840801 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | TraceAxdScanRule strength MEDIUM threshold MEDIUM
846585 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | TraceAxdScanRule in 5.783s with 12 message(s) sent and 0 alert(s) raised.
846585 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | EnvFileScanRule strength MEDIUM threshold MEDIUM
851938 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | EnvFileScanRule in 5.353s with 11 message(s) sent and 0 alert(s) raised.
851939 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | HiddenFilesScanRule strength MEDIUM threshold MEDIUM
851960 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | XsltInjectionScanRule strength MEDIUM threshold MEDIUM
861465 [ZAP-ActiveScanner-0] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | HiddenFilesScanRule in 9.525s with 38 message(s) sent and 0 alert(s) raised.
882501 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | XsltInjectionScanRule in 30.541s with 124 message(s) sent and 0 alert(s) raised.
882502 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | InsecureHttpMethodScanRule strength MEDIUM threshold MEDIUM
908146 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | InsecureHttpMethodScanRule in 25.644s with 153 message(s) sent and 62 alert(s) raised.
908147 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | HttpsAsHttpScanRule strength MEDIUM threshold MEDIUM
923428 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | HttpsAsHttpScanRule in 15.281s with 62 message(s) sent and 55 alert(s) raised.
923428 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | GetForPostScanRule strength MEDIUM threshold MEDIUM
926398 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | GetForPostScanRule in 2.97s with 3 message(s) sent and 0 alert(s) raised.
926399 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | UserAgentScanRule strength MEDIUM threshold MEDIUM
1016143 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | UserAgentScanRule in 89.744s with 616 message(s) sent and 56 alert(s) raised.
1016144 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | HttpParameterPollutionScanRule strength MEDIUM threshold MEDIUM
1021688 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | HttpParameterPollutionScanRule in 5.544s with 14 message(s) sent and 0 alert(s) raised.
1021688 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | UsernameEnumerationScanRule strength MEDIUM threshold MEDIUM
1021689 [Thread-7] INFO  org.zaproxy.zap.extension.ascanrulesBeta.UsernameEnumerationScanRule - There does not appear to be any configured contexts using Form-based Authentication. Further attempts during the current scan will be skipped.
1021690 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - skipped plugin https://demo.testfire.net | UsernameEnumerationScanRule in 0.001s with 0 message(s) sent and 0 alert(s) raised.
1021690 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://demo.testfire.net | SlackerCookieScanRule strength MEDIUM threshold MEDIUM
1050208 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host/plugin https://demo.testfire.net | SlackerCookieScanRule in 28.517s with 176 message(s) sent and 88 alert(s) raised.
1050208 [Thread-7] INFO  org.parosproxy.paros.core.scanner.HostProcess - completed host https://demo.testfire.net in 1012.275s with 378 alert(s) raised.
1050209 [Thread-6] INFO  org.parosproxy.paros.core.scanner.Scanner - scanner completed in 1012.291s
1056392 [ZAP-ProxyThread-472] ERROR org.zaproxy.zap.extension.api.CoreAPI - no_implementor
org.zaproxy.zap.extension.api.ApiException: no_implementor
        at org.zaproxy.zap.extension.api.CoreAPI.generateReport(CoreAPI.java:1631) [zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.CoreAPI.handleApiOther(CoreAPI.java:1415) [zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:551) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]
1056393 [ZAP-ProxyThread-472] ERROR org.zaproxy.zap.extension.api.API - API 'other' endpoint didn't handle exception:
org.zaproxy.zap.extension.api.ApiException: internal_error
        at org.zaproxy.zap.extension.api.CoreAPI.generateReport(CoreAPI.java:1687) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.CoreAPI.handleApiOther(CoreAPI.java:1415) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:551) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]
1057815 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
1057892 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
1057922 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed
1058039 [ZAP-Shutdown] INFO  org.zaproxy.zap.extension.api.CoreAPI - OWASP ZAP 2.11.1 terminated.

Any help would be appreciated, Thank you.

kingthorin+owaspzap

unread,
Feb 16, 2022, 9:48:00 AM2/16/22
to OWASP ZAP User Group

Ruchira Sahan

unread,
Feb 17, 2022, 1:25:41 AM2/17/22
to OWASP ZAP User Group
Thank you for the link. In there it says,

" If you come across the No Implementor Error while invoking the APIs: Check the necessary add-on or component is installed and enabled. (For example if you receive "no_implementor" in relation to Ajax Spider calls, perhaps the Ajax Spider add-on isn't installed.)"

In our case (I'm working with Kaushal), the error message is, 


1050209 [Thread-6] INFO  org.parosproxy.paros.core.scanner.Scanner - scanner completed in 1012.291s
1056392 [ZAP-ProxyThread-472] ERROR org.zaproxy.zap.extension.api.CoreAPI - no_implementor
org.zaproxy.zap.extension.api.ApiException: no_implementor
        at org.zaproxy.zap.extension.api.CoreAPI.generateReport(CoreAPI.java:1631) [zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.CoreAPI.handleApiOther(CoreAPI.java:1415) [zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:551) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]
1056393 [ZAP-ProxyThread-472] ERROR org.zaproxy.zap.extension.api.API - API 'other' endpoint didn't handle exception:
org.zaproxy.zap.extension.api.ApiException: internal_error
        at org.zaproxy.zap.extension.api.CoreAPI.generateReport(CoreAPI.java:1687) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.CoreAPI.handleApiOther(CoreAPI.java:1415) ~[zap-2.11.1.jar:2.11.1]
        at org.zaproxy.zap.extension.api.API.handleApiRequest(API.java:551) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.processHttp(ProxyThread.java:497) [zap-2.11.1.jar:2.11.1]
        at org.parosproxy.paros.core.proxy.ProxyThread.run(ProxyThread.java:333) [zap-2.11.1.jar:2.11.1]
        at java.lang.Thread.run(Thread.java:829) [?:?]
1057815 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit start
1057892 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - dataFileCache commit end
1057922 [ZAP-Shutdown] INFO  hsqldb.db.HSQLDB379AF3DEBD.ENGINE - Database closed
1058039 [ZAP-Shutdown] INFO  org.zaproxy.zap.extension.api.CoreAPI - OWASP ZAP 2.11.1 terminated.



Can you please help us to understand our error? It looks like it's from CoreAPI in this case, but how should we troubleshoot it, because it's not an add-on like the Ajax Spider?

Thank you

thc...@gmail.com

unread,
Feb 17, 2022, 4:40:13 AM2/17/22
to zaprox...@googlegroups.com
The reports add-on is not installed or was not loaded.

Best regards.
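
A pre-flight check that catches both failures seen in this thread before the packaged scan is launched: the NullPointerException at context import (the context names an authentication script that ZAP has not loaded, the "Unable to find script" line in the log above) and the no_implementor at report generation (the reports add-on is absent). This is an added example, not code from the thread or from ZAP itself. It assumes that an `<authentication><type>` of 4 in an exported context means script-based authentication (the value the context posted later in this thread carries), that the script is stored as `<name>.zst` in /zap/wrk as in the thread, and that the reports add-on file is named `reports-*.zap` in ZAP's plugin directory (/root/.ZAP/plugin in the log); the sample context and Zest script are constructed with placeholder credentials.

```python
import base64
import json
import os
import xml.etree.ElementTree as ET

# <authentication><type>4</type> marks script-based authentication in an
# exported context (the value the thread's own context file carries).
SCRIPT_BASED_AUTH_TYPE = "4"


def decode_params(field):
    """Decode ZAP's '<b64 key>:<b64 value>&...' parameter encoding into a dict.

    For an authentication method the values are credentials, so callers
    should report key names only, never the values.
    """
    params = {}
    for pair in filter(None, field.split("&")):
        key, _, value = pair.partition(":")
        params[base64.b64decode(key).decode()] = base64.b64decode(value).decode()
    return params


def encode_params(params):
    """Inverse of decode_params; used here only to build the constructed sample."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return "&".join(f"{b64(k)}:{b64(v)}" for k, v in params.items())


def auth_script_from_context(context_xml):
    """Return (script name, set of param names) when the context uses
    script-based authentication, otherwise None."""
    auth = ET.fromstring(context_xml).find("./context/authentication")
    if auth is None or (auth.findtext("type") or "").strip() != SCRIPT_BASED_AUTH_TYPE:
        return None
    name = (auth.findtext("script/name") or "").strip()
    params = decode_params((auth.findtext("script/params") or "").strip())
    return name, set(params)


def zest_tokens(script_json):
    """Names of the tokens a Zest script declares under parameters.tokens."""
    return set(json.loads(script_json)["parameters"]["tokens"])


def preflight(context_xml, scripts, plugin_files):
    """Check a context against the scripts ZAP can load and the add-ons present.

    scripts:      mapping script name -> Zest JSON text (see preflight_paths)
    plugin_files: file names in ZAP's plugin directory (/root/.ZAP/plugin in the log)
    Returns a list of problems; an empty list means the scan may proceed.
    """
    problems = []
    info = auth_script_from_context(context_xml)
    if info is not None:
        name, param_names = info
        if name not in scripts:
            problems.append(
                f"context references authentication script '{name}' but no such script "
                "is available: ZAP logs 'Unable to find script' and the context import "
                "fails with internal_error")
        else:
            missing = zest_tokens(scripts[name]) - param_names
            if missing:
                problems.append(f"script '{name}' declares tokens that the context "
                                f"params do not set: {sorted(missing)}")
    # Assumption (not from the thread): the reports add-on file is named reports-*.zap.
    if not any(f.startswith("reports-") and f.endswith(".zap") for f in plugin_files):
        problems.append("reports add-on not installed: report generation fails with "
                        "no_implementor (start ZAP with -addoninstallall or install it)")
    return problems


def preflight_paths(context_path, wrk_dir, plugin_dir):
    """Filesystem wrapper: scripts are the *.zst files in wrk_dir keyed by file
    stem, assuming the script is named after its file as in the thread."""
    scripts = {}
    for fname in os.listdir(wrk_dir):
        if fname.endswith(".zst"):
            with open(os.path.join(wrk_dir, fname), encoding="utf-8") as fh:
                scripts[fname[:-4]] = fh.read()
    with open(context_path, "rb") as fh:
        return preflight(fh.read(), scripts, os.listdir(plugin_dir))


# Constructed sample inputs modelled on the thread's files; the credential
# values are placeholders.
SAMPLE_PARAMS = encode_params({"LoginURL": "https://demo.testfire.net/login.jsp",
                               "txtUserName": "PLACEHOLDER_USER",
                               "txtPassword": "PLACEHOLDER_PASS"})
SAMPLE_CONTEXT = ("<configuration><context><name>Default Context</name>"
                  "<authentication><type>4</type><script><name>auth_altoro_mutual</name>"
                  f"<params>{SAMPLE_PARAMS.replace('&', '&amp;')}</params></script>"
                  "</authentication></context></configuration>")
SAMPLE_SCRIPT = json.dumps({"title": "auth_altoro_mutual", "type": "StandAlone",
    "parameters": {"tokenStart": "{{", "tokenEnd": "}}", "elementType": "ZestVariables",
                   "tokens": {"txtUserName": "", "LoginURL": "", "txtPassword": ""}},
    "statements": []})
```

Inside the container, `preflight_paths("/zap/wrk/altoro.context", "/zap/wrk", "/root/.ZAP/plugin")` returns the list of problems; running it before zap-full-scan.py turns the two failures above into one readable message each instead of a stack trace at the end of a 17-minute scan. The token comparison is the extra check worth keeping: a script token that the context's params never set is exactly the kind of mismatch that makes an authenticated scan silently see only the unauthenticated pages.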

Sarvesh Sonawane

unread,
Feb 18, 2022, 1:44:24 AM2/18/22
to zaprox...@googlegroups.com
Hello

Try once 
1) On your desktop create one file start_ZAP.bat
2) Make sure the file extension is .bat and not .txt
3) Edit this start_ZAP.bat in Notepad, enter the text below into it and save it (change the orange-coloured items)

echo "Invoking OWASP ZAP"
Start cmd.exe /k "C:\Program Files\OWASP\Zed Attack Proxy\zap.bat" -port 8080 -config api.key=<OWASP_ZAP_API_KEY> -config scanner.attackOnStart=true -config view.mode=attack -addonupdate -addoninstallall -daemon
echo "OWASP ZAP Started Successfully"

Now, whenever you double-click on this, it will start ZAP.


On Thu, Feb 17, 2022 at 3:10 PM <thc...@gmail.com> wrote:
The reports add-on is not installed or was not loaded.

Best regards.



--
Greetings




Thanks and Regards
--------------------------------------------------------------------------------------------------------
Sarvesh Sonawane
Call : 9890530063
Skype : sarveshsonawane

Simon Bennetts

unread,
Feb 18, 2022, 4:33:51 AM2/18/22
to OWASP ZAP User Group
This is not relevant here and probably not what most people would want to do, as per https://groups.google.com/g/zaproxy-users/c/QTJNAyOdljk/m/lregPJW6AAAJ

Ruchira Sahan

unread,
Feb 21, 2022, 12:58:25 AM2/21/22
to OWASP ZAP User Group
Thanks everyone, -addoninstallall did the trick. Now it's working, although we couldn't find any URLs from authenticated areas of Altoro Mutual, so we think there is an issue with either the context file or the script file. These files are exported from the ZAP Windows application with no changes.

Here is the context file - 

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration>
    <context>
        <name>Default Context</name>
        <desc/>
        <inscope>true</inscope>
        <incregexes>https://demo.testfire.net/.*</incregexes>
        <incregexes>https://demo.testfire.net/index.jsp/.*</incregexes>
        <tech>
            <include>Db</include>
            <include>Db.CouchDB</include>
            <include>Db.Firebird</include>
            <include>Db.HypersonicSQL</include>
            <include>Db.IBM DB2</include>
            <include>Db.Microsoft Access</include>
            <include>Db.Microsoft SQL Server</include>
            <include>Db.MongoDB</include>
            <include>Db.MySQL</include>
            <include>Db.Oracle</include>
            <include>Db.PostgreSQL</include>
            <include>Db.SAP MaxDB</include>
            <include>Db.SQLite</include>
            <include>Db.Sybase</include>
            <include>Language</include>
            <include>Language.ASP</include>
            <include>Language.C</include>
            <include>Language.JSP/Servlet</include>
            <include>Language.Java</include>
            <include>Language.Java.Spring</include>
            <include>Language.JavaScript</include>
            <include>Language.PHP</include>
            <include>Language.Python</include>
            <include>Language.Ruby</include>
            <include>Language.XML</include>
            <include>OS</include>
            <include>OS.Linux</include>
            <include>OS.MacOS</include>
            <include>OS.Windows</include>
            <include>SCM</include>
            <include>SCM.Git</include>
            <include>SCM.SVN</include>
            <include>WS</include>
            <include>WS.Apache</include>
            <include>WS.IIS</include>
            <include>WS.Tomcat</include>
        </tech>
        <urlparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </urlparser>
        <postparser>
            <class>org.zaproxy.zap.model.StandardParameterParser</class>
            <config>{"kvps":"&amp;","kvs":"=","struct":[]}</config>
        </postparser>
        <authentication>
            <type>4</type>
            <strategy>EACH_RESP</strategy>
            <pollurl/>
            <polldata/>
            <pollheaders/>
            <pollfreq>60</pollfreq>
            <pollunits>REQUESTS</pollunits>
            <loggedin>\Q&lt;a id="LoginLink" href="/logout.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign Off&lt;/font&gt;&lt;/a&gt;\E</loggedin>
            <loggedout>\Q&lt;a id="LoginLink" href="/login.jsp"&gt;&lt;font style="font-weight: bold; color: red;"&gt;Sign In&lt;/font&gt;&lt;/a&gt;\E</loggedout>
            <script>
                <name>auth_altoro_mutual</name>
                <params>TG9naW5VUkw=:aHR0cHM6Ly9kZW1vLnRlc3RmaXJlLm5ldC9sb2dpbi5qc3A=&amp;dHh0VXNlck5hbWU=:YWRtaW4=&amp;dHh0UGFzc3dvcmQ=:YWRtaW4=</params>
            </script>
        </authentication>
        <users>
            <user>72;true;YWRtaW4=;4;VXNlcm5hbWU=:YWRtaW4=&amp;UGFzc3dvcmQ=:YWRtaW4=</user>
        </users>
        <forceduser>72</forceduser>
        <session>
            <type>0</type>
        </session>
        <authorization>
            <type>0</type>
            <basic>
                <header/>
                <body/>
                <logic>AND</logic>
                <code>-1</code>
            </basic>
        </authorization>
    </context>
</configuration>




Here is the script file:


{
  "about": "This is a Zest script. For more details about Zest visit https://github.com/zaproxy/zest/",
  "zestVersion": "0.3",
  "title": "auth_altoro_mutual",
  "description": "",
  "prefix": "",
  "type": "StandAlone",
  "parameters": {
    "tokenStart": "{{",
    "tokenEnd": "}}",
    "tokens": {
      "txtUserName": "",
      "LoginURL": "",
      "txtPassword": ""
    },
    "elementType": "ZestVariables"
  },
  "statements": [
    {
      "comment": "Authentication scripts are used to authenticate to an application.\n The Username and Password parameters are set depending on how the script is invoked.",
      "index": 1,
      "enabled": true,
      "elementType": "ZestComment"
    },
    {
      "windowHandle": "firefox",
      "browserType": "firefox",
      "url": "{{LoginURL}}",
      "capabilities": "",
      "headless": false,
      "index": 2,
      "enabled": true,
      "elementType": "ZestClientLaunch"
    },
    {
      "value": "{{txtUserName}}",
      "windowHandle": "firefox",
      "type": "id",
      "element": "uid",
      "index": 3,
      "enabled": true,
      "elementType": "ZestClientElementSendKeys"
    },
    {
      "value": "{{txtPassword}}",
      "windowHandle": "firefox",
      "type": "id",
      "element": "passw",
      "index": 4,
      "enabled": true,
      "elementType": "ZestClientElementSendKeys"
    },
    {
      "windowHandle": "firefox",
      "type": "name",
      "element": "btnSubmit",
      "index": 5,
      "enabled": true,
      "elementType": "ZestClientElementClick"
    }
  ],
  "authentication": [],
  "index": 0,
  "enabled": true,
  "elementType": "ZestScript"
}


Here are the commands to start the scan:

zap.sh -cmd -config script.scripts.name="auth_altoro_mutual" -cmd -config script.scripts.engine="Mozilla Zest" -cmd -config script.scripts.type=authentication -cmd -config script.scripts.enabled=true -cmd -config script.scripts.file="/zap/wrk/auth_altoro_mutual.zst" -cmd -config forcedUser.setForcedUserModeEnabled=true -cmd -config api.key=change-me-9203935709

zap.sh -cmd -addoninstallall

zap-full-scan.py -t https://demo.testfire.net/ -g gen.conf -J test.json -n altoro.context -d

Scans are completed with no errors; it's just that we don't have any URLs from authenticated areas. We have a few questions:

1. In the context file, are the following areas encrypted?

<script>
                <name>auth_altoro_mutual</name>
                <params>TG9naW5VUkw=:aHR0cHM6Ly9kZW1vLnRlc3RmaXJlLm5ldC9sb2dpbi5qc3A=&amp;dHh0VXNlck5hbWU=:YWRtaW4=&amp;dHh0UGFzc3dvcmQ=:YWRtaW4=</params>
            </script>
        </authentication>
        <users>
            <user>72;true;YWRtaW4=;4;VXNlcm5hbWU=:YWRtaW4=&amp;UGFzc3dvcmQ=:YWRtaW4=</user>
        </users>
        <forceduser>72</forceduser>


Is this correct? Or do we have to add plain text here?


2. Is there anything wrong with the zest script? (this works on zap desktop)


Any help would be appreciated. This is the final step of the journey :-)

Thank you
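An added example (not from the thread and not ZAP's own code) that answers the first question by decoding the quoted `<params>` and `<user>` values: they are base64-encoded `key:value` pairs joined with `&` (the `&amp;` is ordinary XML escaping), not encrypted, so a context file holding real credentials has to be protected like any other secret. The `<user>` field layout (id;enabled;name;authType;credentials) is my reading of the element shown, and the XML fragment is constructed from the quoted context.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed test input: the <authentication>/<users> part of the context file quoted
# above, wrapped in a root element so it parses on its own.
CONTEXT_FRAGMENT = """<context>
  <authentication>
    <script>
      <name>auth_altoro_mutual</name>
      <params>TG9naW5VUkw=:aHR0cHM6Ly9kZW1vLnRlc3RmaXJlLm5ldC9sb2dpbi5qc3A=&amp;dHh0VXNlck5hbWU=:YWRtaW4=&amp;dHh0UGFzc3dvcmQ=:YWRtaW4=</params>
    </script>
  </authentication>
  <users>
    <user>72;true;YWRtaW4=;4;VXNlcm5hbWU=:YWRtaW4=&amp;UGFzc3dvcmQ=:YWRtaW4=</user>
  </users>
</context>"""

def b64text(value: str) -> str:
    """Base64 is an encoding, not encryption: anyone who can read the file can reverse it."""
    return base64.b64decode(value).decode("utf-8")

def decode_kv_params(encoded: str) -> dict:
    """Decode 'b64(key):b64(value)&...' ('&amp;' has already become '&' after XML parsing)."""
    params = {}
    for pair in filter(None, encoded.split("&")):
        key, _, value = pair.partition(":")
        params[b64text(key)] = b64text(value) if value else ""
    return params

def decode_user_record(record: str) -> dict:
    """Field layout as read off the <user> element: id;enabled;b64(name);authType;credentials."""
    user_id, enabled, name, auth_type, creds = record.split(";", 4)
    return {"id": int(user_id), "enabled": enabled == "true", "name": b64text(name),
            "auth_type": int(auth_type), "credentials": decode_kv_params(creds)}

def decode_context(xml_text: str) -> dict:
    """Return the script name, its parameters and the users of a context fragment in plain text."""
    root = ET.fromstring(xml_text)
    script = root.find("authentication/script")
    return {"script": script.findtext("name"),
            "script_params": decode_kv_params(script.findtext("params") or ""),
            "users": [decode_user_record(u.text) for u in root.findall("users/user")]}

if __name__ == "__main__":
    for key, value in decode_context(CONTEXT_FRAGMENT).items():
        print(key, "=", value)
```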

Simon Bennetts

Mar 2, 2022, 5:20:26 AM3/2/22
to OWASP ZAP User Group
I'm working on documenting more advice and guidance for setting up authenticated scans in automation (including docker), including full details on how to debug these sorts of problems.
Unfortunately I've had to focus on other things, but I do hope to get back to it asap.
It is turning out to be a bit harder than I hoped, so I can definitely see the need for this.

Cheers,

Simon

Vineet Sadawari

Mar 2, 2022, 8:39:35 AM3/2/22
to OWASP ZAP User Group

Is there any post or thread which shows a successful authenticated scan?
Please drop it here.

Thanks,
Vineet

Simon Bennetts

Mar 2, 2022, 8:53:30 AM3/2/22
to OWASP ZAP User Group
The best way to see if authentication has worked is to use the auth stats as per https://www.zaproxy.org/docs/desktop/addons/automation-framework/authentication/#authentication-statistics
Although that's part of the Automation Framework, the auth stats are good to use anywhere.

As part of the diagnostics I plan to document exactly how you can include a script which will write out all of the requests and responses to a file.
That was proving harder to automate than I hoped, to be honest :/

There are also a couple of API actions that can help:
  • users/authenticateAsUser(contextId*, userId*)  Tries to authenticate as the identified user, returning the authentication request and whether it appears to have succeeded.
  • users/pollAsUser (contextId* userId*)  Tries to poll as the identified user, returning the authentication request and whether it appears to have succeeded. This will only work if the polling verification strategy has been configured.
Does that help at all?

Cheers,

Simon

Vineet Sadawari

Mar 29, 2022, 7:55:58 AM3/29/22
to OWASP ZAP User Group
Simon,

For our test app (DVNA),

We did a variety of combinations to understand how ZAP's authentication statistics behave.
Combinations:
1. Giving Incorrect/Correct Credentials
2. Including the Logged-Out regex
3. Excluding Logged out URL

So, what we concluded from our observations was: we were never able to get the below stats together.

Is it intended behavior?

Simon Bennetts

Mar 29, 2022, 8:11:08 AM3/29/22
to OWASP ZAP User Group
No.
That implies to me that your config is incorrect.

Cheers,

Simon

Vineet Sadawari

Mar 29, 2022, 8:44:28 AM3/29/22
to OWASP ZAP User Group
Thanks, Simon,

will look into that.

Question:
1. When we add Logged-in/Logged out regex should that be present on every page?
Let's say we add a Logged-in regex. 
So whatever regex we add should that be present on every Logged-in page?

Simon Bennetts

Mar 29, 2022, 8:49:36 AM3/29/22
to OWASP ZAP User Group
The logged in/out regexes are ZAP's way to tell if you are logged in or not.
So if you define a logged-in regex which is not present on a page then ZAP will take that to mean you are logged out.
If you don't have a suitable string in every page that you can use then you can use the polling option instead - you define a specific URL ZAP can poll - see https://www.zaproxy.org/docs/desktop/start/features/authstrategies/

Cheers,

Simon
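An added example, not from the thread and not ZAP's code, of the indicator logic Simon describes, run over constructed Altoro-style responses with the loggedin/loggedout patterns from the context file posted earlier. Those patterns use Java's `\Q...\E` literal quoting, so the example first rewrites them into something Python's `re` can compile; the decision rule is a simplified model of the per-response check, not ZAP's implementation.

```python
import re

# Indicators copied from the altoro.context file quoted earlier in the thread (after XML
# unescaping). They use Java's \Q...\E literal quoting, which Python's re module lacks.
LOGGED_IN = r'\Q<a id="LoginLink" href="/logout.jsp"><font style="font-weight: bold; color: red;">Sign Off</font></a>\E'
LOGGED_OUT = r'\Q<a id="LoginLink" href="/login.jsp"><font style="font-weight: bold; color: red;">Sign In</font></a>\E'

# Constructed sample responses standing in for three kinds of Altoro pages.
AUTHENTICATED_PAGE = ('<html><body><a id="LoginLink" href="/logout.jsp"><font style="font-weight: bold; color: red;">'
                      'Sign Off</font></a><h1>Hello Admin User</h1></body></html>')
ANONYMOUS_PAGE = ('<html><body><a id="LoginLink" href="/login.jsp"><font style="font-weight: bold; color: red;">'
                  'Sign In</font></a><h1>Online Banking Login</h1></body></html>')
NO_INDICATOR_PAGE = '<html><body><h1>Contact Us</h1></body></html>'

def java_quote_to_python(pattern: str) -> str:
    """Rewrite each \\Q...\\E section as re.escape()d text so Python's re can compile it."""
    return re.sub(r"\\Q(.*?)(?:\\E|$)", lambda m: re.escape(m.group(1)), pattern, flags=re.S)

def is_logged_in(body: str, logged_in_regex=None, logged_out_regex=None) -> bool:
    """Simplified model of the EACH_RESP check as described in the thread: a present
    logged-in indicator wins, a present logged-out indicator means logged out, and a
    logged-in indicator that is configured but absent from the page also means logged out."""
    if logged_in_regex and re.search(java_quote_to_python(logged_in_regex), body):
        return True
    if logged_out_regex and re.search(java_quote_to_python(logged_out_regex), body):
        return False
    # Neither indicator matched: with a logged-in indicator configured, absence means
    # logged out; with only a logged-out indicator configured, absence means logged in.
    return logged_in_regex is None

def classify(pages: dict) -> dict:
    """Apply the context's two indicators to several responses, one verdict per response."""
    return {name: is_logged_in(body, LOGGED_IN, LOGGED_OUT) for name, body in pages.items()}

if __name__ == "__main__":
    print(classify({"account": AUTHENTICATED_PAGE, "login": ANONYMOUS_PAGE, "contact": NO_INDICATOR_PAGE}))
```

The "contact" page comes out as logged out even though the session may still be valid, which is exactly the case where a polling URL is the better verification strategy.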