Freeze DomXssScanRule


Giuseppe Annese

May 10, 2023, 6:46:09 AM
to OWASP ZAP User Group
Hi,
during a full scan, the process seems to hang in the DomXssScanRule step, and the percentage doesn't progress.

We have also increased the memory.

Is there a way to disable this extension using the cli?

Simon Bennetts

May 10, 2023, 7:03:06 AM
to OWASP ZAP User Group
The DOM XSS scan rule launches browsers and therefore will typically take longer than other rules.
It would be worth checking the zap.log file to see if any significant errors are being logged.

What "cli" are you referring to? There are various possibilities :)

Cheers,

Simon

Giuseppe Annese

May 10, 2023, 8:01:55 AM
to OWASP ZAP User Group
We are using the ZAP docker image in a CI/CD pipeline with Jenkins; for my test I'm using this command from Windows:

docker run -t owasp/zap2docker-stable zap-full-scan.py -t URL -d -z "config rules.domxss.browserid=chrome-headless logger.zap.level=debug"

The result is the same, it can't finish the scan; I stopped the job after 2 hours of execution.

I can't switch the log to debug, and the log in zap.out is frozen at:

INFO  org.parosproxy.paros.core.scanner.HostProcess - start host https://valorizzazioni.staging.bnpparibascardif.it | DomXssScanRule strength MEDIUM threshold MEDIUM
INFO  org.zaproxy.zap.extension.domxss.DomXssScanRule - Reaper thread starting

After a long period i got:

WARN  org.zaproxy.addon.network.internal.server.http.MainServerHandler - Failed to write/forward the HTTP response to the client: java.io.IOException: Broken pipe

Simon Bennetts

May 10, 2023, 8:07:37 AM
to OWASP ZAP User Group
The ZAP docker images currently only include Firefox and not Chrome.
Does switching back to Firefox help?

You can specify which scan rules are run via a packaged scan config file, as per https://www.zaproxy.org/docs/docker/baseline-scan/#configuration-file

The options you are supplying to ZAP look wrong to me.
I think it should be: "-config rules.domxss.browserid=chrome-headless" (with a minus before the config)
And "logger.zap.level" is not a ZAP config file setting so will have no effect.

Cheers,

Simon
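As an added example (not code from the thread or from the ZAP project), the two pieces Simon describes put together: a packaged-scan rule config that excludes the DOM XSS rule (id 40026, confirmed later in the thread) and the docker command line with the corrected "-config" syntax. It assumes the tab-separated "<id><tab><action><tab>(comment)" format of the packaged-scan config files and that the working directory is mounted at /zap/wrk so the file is visible inside the container; check both against the linked docs.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a zap-full-scan rule config that
# IGNOREs the DOM XSS rule and assembles the docker command with "-config"
# (the thread's original command used "config", which ZAP does not parse).

# Write a rule config to the path in $1. Assumption: one tab-separated
# "<rule id>\t<action>\t(comment)" line per rule, as in the packaged scans.
write_rule_config() {
    printf '# zap-full-scan rule configuration file\n' > "$1"
    printf '# Only rules listed here are changed; unlisted rules keep their defaults\n' >> "$1"
    printf '40026\tIGNORE\t(DOM Cross Site Scripting - skipped, hangs in CI)\n' >> "$1"
}

# Print the action configured for rule id $2 in config file $1 (empty if absent),
# so a pipeline can verify the file before handing it to the scanner.
rule_action() {
    awk -F'\t' -v id="$2" '$1 == id { print $2; exit }' "$1"
}

# Print the docker command line for target $1 with rule config file $2.
# "-c" selects the rule config; "-z" forwards options to ZAP itself, and each
# of those needs the leading "-config". "-d" turns on the script's debug output.
build_scan_command() {
    printf 'docker run -t -v "$(pwd):/zap/wrk/:rw" owasp/zap2docker-stable zap-full-scan.py -t %s -c %s -d -z "-config rules.domxss.browserid=firefox-headless"' "$1" "$2"
}

# Stand-alone usage: write the config and show the command to run.
if [ "${1:-}" = "--demo" ]; then
    write_rule_config rules.conf
    echo "40026 -> $(rule_action rules.conf 40026)"
    build_scan_command https://target.example.invalid rules.conf
    echo
fi
```

The target URL in the demo branch is a placeholder; substitute the site under test.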

Giuseppe Annese

May 10, 2023, 9:18:06 AM
to OWASP ZAP User Group
Switching to Firefox won't help, I got the same error.

Where can I find the rule ID of DomXssScanRule? Is it 40026?

thc...@gmail.com

May 10, 2023, 9:21:06 AM
to zaprox...@googlegroups.com
Yes, that one.

They are listed here:
https://www.zaproxy.org/docs/alerts/

The class is indicated in the details of the alert (Code section at the bottom).

Best regards.

psiinon

May 11, 2023, 4:33:09 AM
to zaprox...@googlegroups.com

On Thu, May 11, 2023 at 8:52 AM 'Giuseppe Annese' via OWASP ZAP User Group <zaprox...@googlegroups.com> wrote:
Sorry but i've another question.

I'm using Docker Desktop on Windows and I'm trying to run it locally; after the image is pulled I ran this command:

docker run --name zap -i -t 4879b5734f4a

When I connect to it, I can't find the .ZAP folder with log4j2.properties (as this link says: https://www.zaproxy.org/faq/how-do-you-configure-zap-logging/)

I need to start the *.jar with debug log enabled.





--
OWASP ZAP Project leader

Giuseppe Annese

May 11, 2023, 6:10:02 AM
to OWASP ZAP User Group
The solution was not covered by the link because it was in the path \\wsl.localhost\docker-desktop-data\*
Btw, I found log*.properties after the first scan and started the application in debug mode, but when it is using Firefox I still get stuck on the DomXss rule.
In zap.out I found a lot of exceptions:
(attachment: zap.PNG)

kingthorin+owaspzap

May 11, 2023, 10:43:16 AM
to OWASP ZAP User Group
Those aren't "Exceptions" they're DEBUG messages.