Running ZAP Over Docker Network


Charles Williams

Mar 25, 2022, 5:45:15 PM3/25/22
to OWASP ZAP User Group
Hi ZAP Team,

I'm running ZAP via the Automation Framework in a Docker container, and I want to run it against my app which is running in another Docker container. Following the instructions in the docs for this kind of situation, I created my external network (docker network create zapnet), made sure that my images were run on that network (confirmed with docker network inspect zapnet), then ran the following command to kickstart ZAP:

docker run -v $(pwd):/zap/wrk/:rw --network=zapnet --rm -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/owasp_zap_required_files/Automation_Plan.yaml

This gave me a 'Connection refused' error when the spider in my plan started to authenticate my test user (starting at localhost, which I know is in the /etc/hosts file). However, if I changed the network to host:

docker run -v $(pwd):/zap/wrk/:rw --network=host --rm -t owasp/zap2docker-stable zap.sh -cmd -autorun /zap/wrk/owasp_zap_required_files/Automation_Plan.yaml

The scan works as intended. Given that I'll want to be running this in Jenkins (where the host network isn't an option in my environment), I need this to be working on the same zapnet network that my apps are running on. Is there any reason why running on host and not zapnet worked? And is there any way I can get this to work so the zapnet network is used and I get the same results?

I've followed the Docker Troubleshooting guide with no success (noting again that adding the network=host flag allows things like curl to work). Below is my zap.log from the baseline scan test; it also says it could not reach the localhost. Note that at this time I was still able to access the localhost link in my browser with no difficulties:

zap@815e0b3be7db:/zap$ cat ~/.ZAP/zap.log

2022-03-25 21:37:36,539 [main ] INFO  Constant - Copying default configuration to /home/zap/.ZAP/config.xml

2022-03-25 21:37:36,745 [main ] INFO  Constant - Creating directory /home/zap/.ZAP/session

2022-03-25 21:37:36,746 [main ] INFO  Constant - Creating directory /home/zap/.ZAP/dirbuster

2022-03-25 21:37:36,746 [main ] INFO  Constant - Creating directory /home/zap/.ZAP/fuzzers

2022-03-25 21:37:36,746 [main ] INFO  Constant - Creating directory /home/zap/.ZAP/plugin

2022-03-25 21:37:36,824 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 started 25/03/2022, 21:37:36 with home /home/zap/.ZAP/

2022-03-25 21:37:36,882 [main ] INFO  AbstractParam - Setting config database.recoverylog = false was null

2022-03-25 21:37:36,883 [main ] INFO  AbstractParam - Setting config api.disablekey = true was null

2022-03-25 21:37:36,884 [main ] INFO  AbstractParam - Setting config api.addrs.addr.name = .* was null

2022-03-25 21:37:36,884 [main ] INFO  AbstractParam - Setting config api.addrs.addr.regex = true was null

2022-03-25 21:37:36,893 [main ] INFO  SSLConnector - Reading supported SSL/TLS protocols...

2022-03-25 21:37:36,893 [main ] INFO  SSLConnector - Using a SSLEngine...

2022-03-25 21:37:37,006 [main ] INFO  SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]

2022-03-25 21:37:37,009 [main ] INFO  OptionsParamCertificate - Unsafe SSL renegotiation disabled.

2022-03-25 21:37:37,523 [main ] INFO  ENGINE - dataFileCache open start

2022-03-25 21:37:37,532 [main ] INFO  ENGINE - dataFileCache commit start

2022-03-25 21:37:37,534 [main ] INFO  ENGINE - dataFileCache commit end

2022-03-25 21:37:37,535 [main ] INFO  ENGINE - dataFileCache open end

2022-03-25 21:37:37,603 [main ] INFO  ExtensionFactory - Loading extensions

2022-03-25 21:37:39,511 [main ] INFO  ExtensionFactory - Installed add-ons: [[id=alertFilters, version=13.0.0], [id=ascanrules, version=44.0.0], [id=automation, version=0.13.0], [id=bruteforce, version=11.0.0], [id=callhome, version=0.3.0], [id=commonlib, version=1.7.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=12.0.0], [id=encoder, version=0.6.0], [id=exim, version=0.0.1], [id=formhandler, version=4.0.0], [id=fuzz, version=13.6.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.8.0], [id=help, version=14.0.0], [id=hud, version=0.13.0], [id=importurls, version=9.0.0], [id=invoke, version=11.0.0], [id=network, version=0.1.0], [id=oast, version=0.10.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=26.0.0], [id=pscanrules, version=38.0.0], [id=quickstart, version=33.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.12.0], [id=retest, version=0.2.0], [id=retire, version=0.10.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=30.0.0], [id=selenium, version=15.7.0], [id=soap, version=13.0.0], [id=spiderAjax, version=23.7.0], [id=tips, version=9.0.0], [id=webdriverlinux, version=35.0.0], [id=websocket, version=24.0.0], [id=zest, version=35.0.0]]

2022-03-25 21:37:39,852 [main ] INFO  TlsUtils - Using supported SSL/TLS protocols: [TLSv1.2, TLSv1.3]

2022-03-25 21:37:40,365 [main ] INFO  ExtensionFactory - Extensions loaded

2022-03-25 21:37:40,648 [main ] INFO  ExtensionLoader - Initializing Allows ZAP to check for updates

2022-03-25 21:37:40,651 [main ] INFO  ExtensionLoader - Initializing Options Extension

2022-03-25 21:37:40,651 [main ] INFO  ExtensionLoader - Initializing Edit Menu Extension

2022-03-25 21:37:40,651 [main ] INFO  ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP

2022-03-25 21:37:40,660 [main ] INFO  ExtensionLoader - Initializing Session State Extension

2022-03-25 21:37:40,660 [main ] INFO  ExtensionLoader - Initializing History Extension

2022-03-25 21:37:40,662 [main ] INFO  ExtensionLoader - Initializing Show hidden fields and enable disabled fields

2022-03-25 21:37:40,663 [main ] INFO  ExtensionLoader - Initializing Search messages for strings and regular expressions

2022-03-25 21:37:40,665 [main ] INFO  ExtensionLoader - Initializing Allows you to intercept and modify requests and responses

2022-03-25 21:37:40,667 [main ] INFO  ExtensionLoader - Initializing Passive scanner

2022-03-25 21:37:40,723 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules

2022-03-25 21:37:40,724 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule

2022-03-25 21:37:40,724 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library

2022-03-25 21:37:40,725 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection

2022-03-25 21:37:40,725 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Anti-clickjacking Header

2022-03-25 21:37:40,725 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure

2022-03-25 21:37:40,725 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Incomplete or No Cache-control Header Set

2022-03-25 21:37:40,725 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch

2022-03-25 21:37:40,725 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: CSP

2022-03-25 21:37:40,725 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing

2022-03-25 21:37:40,725 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag

2022-03-25 21:37:40,726 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie

2022-03-25 21:37:40,726 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute

2022-03-25 21:37:40,726 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag

2022-03-25 21:37:40,726 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration

2022-03-25 21:37:40,726 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion

2022-03-25 21:37:40,726 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens

2022-03-25 21:37:40,726 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure

2022-03-25 21:37:40,726 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite

2022-03-25 21:37:40,727 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages

2022-03-25 21:37:40,727 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL

2022-03-25 21:37:40,727 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header

2022-03-25 21:37:40,727 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments

2022-03-25 21:37:40,727 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method

2022-03-25 21:37:40,727 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState

2022-03-25 21:37:40,727 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content

2022-03-25 21:37:40,728 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure

2022-03-25 21:37:40,728 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Username Hash Found

2022-03-25 21:37:40,728 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Viewstate

2022-03-25 21:37:40,728 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header

2022-03-25 21:37:40,728 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing

2022-03-25 21:37:40,728 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak

2022-03-25 21:37:40,728 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

2022-03-25 21:37:40,757 [main ] INFO  ExtensionLoader - Initializing Allows you to view and manage alerts

2022-03-25 21:37:40,759 [main ] INFO  ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added

2022-03-25 21:37:40,766 [main ] INFO  ExtensionLoader - Initializing Spider used for automatically finding URIs on a site

2022-03-25 21:37:40,770 [main ] INFO  ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks

2022-03-25 21:37:40,771 [main ] INFO  ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool

2022-03-25 21:37:40,773 [main ] INFO  ExtensionLoader - Initializing Manual Request Editor Extension

2022-03-25 21:37:40,773 [main ] INFO  ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences

2022-03-25 21:37:40,773 [main ] INFO  ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters

2022-03-25 21:37:40,774 [main ] INFO  ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens

2022-03-25 21:37:40,779 [main ] INFO  ExtensionLoader - Initializing Authentication Extension

2022-03-25 21:37:40,798 [main ] INFO  ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]

2022-03-25 21:37:40,801 [main ] INFO  ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser

2022-03-25 21:37:40,802 [main ] INFO  ExtensionLoader - Initializing Logs errors to the Output tab in development mode only

2022-03-25 21:37:40,802 [main ] INFO  ExtensionLoader - Initializing Users Extension

2022-03-25 21:37:40,805 [main ] INFO  ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies

2022-03-25 21:37:40,806 [main ] INFO  ExtensionLoader - Initializing Script integration

2022-03-25 21:37:40,811 [main ] INFO  ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages

2022-03-25 21:37:40,943 [main ] INFO  ExtensionLoader - Initializing Forced User Extension

2022-03-25 21:37:40,944 [main ] INFO  ExtensionLoader - Initializing Extension handling HTTP sessions

2022-03-25 21:37:40,947 [main ] INFO  ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools

2022-03-25 21:37:41,195 [main ] INFO  ExtensionLoader - Initializing ExtensionDiff

2022-03-25 21:37:41,195 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Post Table View Extension

2022-03-25 21:37:41,196 [main ] INFO  ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.

2022-03-25 21:37:41,196 [main ] INFO  ExtensionLoader - Initializing Session Management Extension

2022-03-25 21:37:41,207 [main ] INFO  ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]

2022-03-25 21:37:41,208 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Form Table View Extension

2022-03-25 21:37:41,209 [main ] INFO  ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.

2022-03-25 21:37:41,235 [main ] INFO  ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree

2022-03-25 21:37:41,248 [main ] INFO  ExtensionLoader - Initializing Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.

2022-03-25 21:37:41,249 [main ] INFO  ExtensionLoader - Initializing Core UI related functionality.

2022-03-25 21:37:41,249 [main ] INFO  ExtensionLoader - Initializing Authorization Extension

2022-03-25 21:37:41,250 [main ] INFO  ExtensionLoader - Initializing AJAX Spider, uses Crawljax

2022-03-25 21:37:41,252 [main ] INFO  ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.

2022-03-25 21:37:41,260 [main ] INFO  ExtensionLoader - Initializing Manages the local proxy configurations

2022-03-25 21:37:41,261 [main ] INFO  ExtensionLoader - Initializing Handles adding Global Excluded URLs

2022-03-25 21:37:41,261 [main ] INFO  ExtensionLoader - Initializing Adds menu item to refresh the Sites tree

2022-03-25 21:37:41,261 [main ] INFO  ExtensionLoader - Initializing OWASP ZAP User Guide

2022-03-25 21:37:41,261 [main ] INFO  ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts

2022-03-25 21:37:41,261 [main ] INFO  ExtensionLoader - Initializing Combined HTTP Panels Extension

2022-03-25 21:37:41,261 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Hex View Extension

2022-03-25 21:37:41,262 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Image View Extension

2022-03-25 21:37:41,262 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Large Request View Extension

2022-03-25 21:37:41,262 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Large Response View Extension

2022-03-25 21:37:41,262 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Query Table View Extension

2022-03-25 21:37:41,262 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension

2022-03-25 21:37:41,262 [main ] INFO  ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.

2022-03-25 21:37:41,262 [main ] INFO  ExtensionLoader - Initializing Active and passive rule configuration

2022-03-25 21:37:41,265 [main ] INFO  ExtensionLoader - Initializing Statistics

2022-03-25 21:37:41,267 [main ] INFO  ExtensionStats - Start recording in memory stats

2022-03-25 21:37:41,269 [main ] INFO  ExtensionLoader - Initializing Custom Pages Definition

2022-03-25 21:37:41,269 [main ] INFO  ExtensionLoader - Initializing Easy way to replace strings in requests and responses

2022-03-25 21:37:41,277 [main ] INFO  ExtensionLoader - Initializing Scripts Automation

2022-03-25 21:37:41,287 [main ] INFO  ExtensionLoader - Initializing Provides core networking capabilities.

2022-03-25 21:37:41,296 [main ] INFO  ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.

2022-03-25 21:37:41,299 [main ] INFO  ExtensionLoader - Initializing Allows to fuzz HTTP messages.

2022-03-25 21:37:41,300 [main ] INFO  ExtensionLoader - Initializing The Retest add-on allows to verify the presence/absence of certain alerts.

2022-03-25 21:37:41,302 [main ] INFO  ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage

2022-03-25 21:37:41,302 [main ] INFO  ExtensionLoader - Initializing The ZAP Getting Started Guide

2022-03-25 21:37:41,303 [main ] INFO  ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.

2022-03-25 21:37:41,307 [main ] INFO  ExtensionLoader - Initializing Heads Up Display

2022-03-25 21:37:41,377 [main ] INFO  ExtensionLoader - Initializing ExtensionHUDlaunch

2022-03-25 21:37:41,378 [main ] INFO  ExtensionLoader - Initializing Active Scan Rules

2022-03-25 21:37:41,379 [main ] INFO  ExtensionLoader - Initializing SOAP Automation Framework Integration

2022-03-25 21:37:41,386 [main ] INFO  ExtensionLoader - Initializing Report Generation

2022-03-25 21:37:41,391 [main ] INFO  ExtensionLoader - Initializing Report Generation Automation Integration

2022-03-25 21:37:41,399 [main ] INFO  ExtensionLoader - Initializing The Online menu links

2022-03-25 21:37:41,399 [main ] INFO  ExtensionLoader - Initializing Tips and Tricks

2022-03-25 21:37:41,400 [main ] INFO  ExtensionLoader - Initializing ExtensionOast

2022-03-25 21:37:41,407 [main ] INFO  ExtensionLoader - Initializing Adds OAST scripts.

2022-03-25 21:37:41,407 [main ] INFO  ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 

2022-03-25 21:37:41,416 [main ] INFO  ExtensionLoader - Initializing OpenAPI Automation Framework Integration

2022-03-25 21:37:41,420 [main ] INFO  ExtensionLoader - Initializing Allows to fuzz WebSocket messages.

2022-03-25 21:37:41,420 [main ] INFO  ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting.

2022-03-25 21:37:41,853 [main ] INFO  ExtensionLoader - Initializing Context alert rules filter

2022-03-25 21:37:41,857 [main ] INFO  ExtensionLoader - Initializing Alert Filters Automation Framework Integration

2022-03-25 21:37:41,861 [main ] INFO  ExtensionLoader - Initializing Automation Framework

2022-03-25 21:37:41,864 [main ] INFO  ExtensionLoader - Initializing Ajax Spider Automation Framework Integration

2022-03-25 21:37:41,870 [main ] INFO  ExtensionLoader - Initializing ExtensionSaveRawHttpMessage

2022-03-25 21:37:41,870 [main ] INFO  ExtensionLoader - Initializing Handles all of the calls to ZAP services

2022-03-25 21:37:41,872 [main ] INFO  ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications

2022-03-25 21:37:41,873 [main ] INFO  ExtensionQuickStart - Shh! No check-for-news - silent mode enabled

2022-03-25 21:37:41,874 [main ] INFO  ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan

2022-03-25 21:37:41,875 [main ] INFO  ExtensionLoader - Initializing Launch browsers proxying through ZAP

2022-03-25 21:37:41,875 [main ] INFO  ExtensionLoader - Initializing Launch browsers proxying through ZAP

2022-03-25 21:37:41,877 [main ] INFO  ExtensionLoader - Initializing Passive Scan Rules

2022-03-25 21:37:41,878 [main ] INFO  ExtensionLoader - Initializing Import and Export functionality supporting multiple formats.

2022-03-25 21:37:41,880 [main ] INFO  ExtensionLoader - Initializing DOM XSS Active Scan Rule

2022-03-25 21:37:41,922 [main ] INFO  ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints.

2022-03-25 21:37:41,928 [main ] INFO  ExtensionLoader - Initializing GraphQL Automation Framework Integration

2022-03-25 21:37:42,284 [main ] INFO  CallbackService - Started callback service on 0.0.0.0:45467

2022-03-25 21:37:42,292 [main ] INFO  ExtensionDynSSL - Creating new root CA certificate

2022-03-25 21:37:43,284 [main ] INFO  ExtensionDynSSL - New root CA certificate created

2022-03-25 21:37:45,296 [main ] INFO  ExtensionAutoUpdate - There is/are 6 newer addons

2022-03-25 21:37:57,732 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Installing new addon websocket v25.0.0

2022-03-25 21:37:57,985 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Finished installing new addon websocket v25.0.0

2022-03-25 21:37:58,012 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Installing new addon webdriverlinux v36.0.0

2022-03-25 21:37:58,442 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Finished installing new addon webdriverlinux v36.0.0

2022-03-25 21:37:58,461 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Installing new addon pscanrules v39.0.0

2022-03-25 21:37:58,509 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Anti-clickjacking Header

2022-03-25 21:37:58,509 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure

2022-03-25 21:37:58,509 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Re-examine Cache-control Directives

2022-03-25 21:37:58,509 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch

2022-03-25 21:37:58,510 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: CSP

2022-03-25 21:37:58,510 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing

2022-03-25 21:37:58,510 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag

2022-03-25 21:37:58,510 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie

2022-03-25 21:37:58,511 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute

2022-03-25 21:37:58,511 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag

2022-03-25 21:37:58,511 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration

2022-03-25 21:37:58,511 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion

2022-03-25 21:37:58,511 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens

2022-03-25 21:37:58,511 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure

2022-03-25 21:37:58,511 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure

2022-03-25 21:37:58,512 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Username Hash Found

2022-03-25 21:37:58,513 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Viewstate

2022-03-25 21:37:58,513 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header

2022-03-25 21:37:58,513 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing

2022-03-25 21:37:58,513 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak

2022-03-25 21:37:58,513 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

2022-03-25 21:37:58,517 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Finished installing new addon pscanrules v39.0.0

2022-03-25 21:37:58,531 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Installing new addon commonlib v1.9.0

2022-03-25 21:37:58,560 [ZAP-DownloadInstaller] ERROR I18N - Adding message bundle with duplicate prefix: retire

2022-03-25 21:37:58,565 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library

2022-03-25 21:37:58,665 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection

2022-03-25 21:37:58,749 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Anti-clickjacking Header

2022-03-25 21:37:58,749 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure

2022-03-25 21:37:58,750 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Re-examine Cache-control Directives

2022-03-25 21:37:58,750 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch

2022-03-25 21:37:58,750 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: CSP

2022-03-25 21:37:58,750 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing

2022-03-25 21:37:58,751 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag

2022-03-25 21:37:58,751 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie

2022-03-25 21:37:58,751 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute

2022-03-25 21:37:58,752 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag

2022-03-25 21:37:58,752 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration

2022-03-25 21:37:58,752 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion

2022-03-25 21:37:58,752 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens

2022-03-25 21:37:58,752 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure

2022-03-25 21:37:58,752 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Username Hash Found

2022-03-25 21:37:58,753 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Viewstate

2022-03-25 21:37:58,754 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header

2022-03-25 21:37:58,754 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing

2022-03-25 21:37:58,754 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak

2022-03-25 21:37:58,754 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

2022-03-25 21:37:58,754 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Finished installing new addon commonlib v1.9.0

2022-03-25 21:37:58,767 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Installing new addon exim v0.1.0

2022-03-25 21:37:58,796 [ZAP-DownloadInstaller] WARN  ExtensionSaveXMLHttpMessage - The Save HTTP Message as XML add-on has been retired. This functionality is now provided by the Import/Export add-on.

2022-03-25 21:37:58,800 [ZAP-DownloadInstaller] WARN  ExtensionSaveRawHttpMessage - The Save Raw HTTP Message add-on has been retired. This functionality is now provided by the Import/Export add-on.

2022-03-25 21:37:58,806 [ZAP-DownloadInstaller] WARN  ExtensionImportUrls - The Import URLs add-on has been retired. This functionality is now provided by the Import/Export add-on.

2022-03-25 21:37:58,806 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Finished installing new addon exim v0.1.0

2022-03-25 21:37:58,814 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Installing new addon ascanrules v46.0.0

2022-03-25 21:37:58,849 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Finished installing new addon ascanrules v46.0.0

2022-03-25 21:37:58,916 [main ] INFO  CommandLine - Add-on downloaded to: /home/zap/.ZAP/plugin/exim-beta-0.1.0.zap

2022-03-25 21:37:58,916 [main ] INFO  CommandLine - Add-on downloaded to: /home/zap/.ZAP/plugin/websocket-release-25.zap

2022-03-25 21:37:58,916 [main ] INFO  CommandLine - Add-on downloaded to: /home/zap/.ZAP/plugin/pscanrules-release-39.zap

2022-03-25 21:37:58,916 [main ] INFO  CommandLine - Add-on downloaded to: /home/zap/.ZAP/plugin/ascanrules-release-46.zap

2022-03-25 21:37:58,916 [main ] INFO  CommandLine - Add-on downloaded to: /home/zap/.ZAP/plugin/commonlib-release-1.9.0.zap

2022-03-25 21:37:58,916 [main ] INFO  CommandLine - Add-on downloaded to: /home/zap/.ZAP/plugin/webdriverlinux-release-36.zap

2022-03-25 21:37:58,916 [main ] INFO  CommandLine - Add-on update check complete

2022-03-25 21:37:58,917 [main ] INFO  ExtensionCallHome - Shh! Silent mode or telemetry turned off

2022-03-25 21:38:03,982 [main ] INFO  ENGINE - dataFileCache commit start

2022-03-25 21:38:03,984 [main ] INFO  ENGINE - dataFileCache commit end

2022-03-25 21:38:04,001 [main ] INFO  ENGINE - Database closed

2022-03-25 21:38:04,108 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 terminated.

2022-03-25 21:38:06,351 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 started 25/03/2022, 21:38:06 with home /home/zap/.ZAP/

2022-03-25 21:38:06,428 [main ] INFO  AbstractParam - Setting config database.recoverylog = false was false

2022-03-25 21:38:06,428 [main ] INFO  AbstractParam - Setting config api.disablekey = true was true

2022-03-25 21:38:06,429 [main ] INFO  AbstractParam - Setting config api.addrs.addr.name = .* was .*

2022-03-25 21:38:06,429 [main ] INFO  AbstractParam - Setting config api.addrs.addr.regex = true was true

2022-03-25 21:38:06,438 [main ] INFO  SSLConnector - Reading supported SSL/TLS protocols...

2022-03-25 21:38:06,439 [main ] INFO  SSLConnector - Using a SSLEngine...

2022-03-25 21:38:06,551 [main ] INFO  SSLConnector - Done reading supported SSL/TLS protocols: [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]

2022-03-25 21:38:06,554 [main ] INFO  OptionsParamCertificate - Unsafe SSL renegotiation disabled.

2022-03-25 21:38:07,148 [main ] INFO  ENGINE - dataFileCache open start

2022-03-25 21:38:07,159 [main ] INFO  ENGINE - dataFileCache commit start

2022-03-25 21:38:07,164 [main ] INFO  ENGINE - dataFileCache commit end

2022-03-25 21:38:07,165 [main ] INFO  ENGINE - dataFileCache open end

2022-03-25 21:38:07,237 [main ] INFO  ExtensionFactory - Loading extensions

2022-03-25 21:38:08,634 [main ] INFO  ExtensionFactory - Installed add-ons: [[id=alertFilters, version=13.0.0], [id=ascanrules, version=46.0.0], [id=automation, version=0.13.0], [id=bruteforce, version=11.0.0], [id=callhome, version=0.3.0], [id=commonlib, version=1.9.0], [id=diff, version=11.0.0], [id=directorylistv1, version=5.0.0], [id=domxss, version=12.0.0], [id=encoder, version=0.6.0], [id=exim, version=0.1.0], [id=formhandler, version=4.0.0], [id=fuzz, version=13.6.0], [id=gettingStarted, version=13.0.0], [id=graaljs, version=0.2.0], [id=graphql, version=0.8.0], [id=help, version=14.0.0], [id=hud, version=0.13.0], [id=importurls, version=9.0.0], [id=invoke, version=11.0.0], [id=network, version=0.1.0], [id=oast, version=0.10.0], [id=onlineMenu, version=9.0.0], [id=openapi, version=26.0.0], [id=pscanrules, version=39.0.0], [id=quickstart, version=33.0.0], [id=replacer, version=9.0.0], [id=reports, version=0.12.0], [id=retest, version=0.2.0], [id=retire, version=0.10.0], [id=reveal, version=4.0.0], [id=saverawmessage, version=7.0.0], [id=savexmlmessage, version=0.3.0], [id=scripts, version=30.0.0], [id=selenium, version=15.7.0], [id=soap, version=13.0.0], [id=spiderAjax, version=23.7.0], [id=tips, version=9.0.0], [id=webdriverlinux, version=36.0.0], [id=websocket, version=25.0.0], [id=zest, version=35.0.0]]

2022-03-25 21:38:08,892 [main ] INFO  TlsUtils - Using supported SSL/TLS protocols: [TLSv1.2, TLSv1.3]

2022-03-25 21:38:09,621 [main ] INFO  ExtensionFactory - Extensions loaded

2022-03-25 21:38:09,909 [main ] INFO  ExtensionLoader - Initializing Allows ZAP to check for updates

2022-03-25 21:38:09,913 [main ] INFO  ExtensionLoader - Initializing Options Extension

2022-03-25 21:38:09,913 [main ] INFO  ExtensionLoader - Initializing Edit Menu Extension

2022-03-25 21:38:09,913 [main ] INFO  ExtensionLoader - Initializing Provides a rest based API for controlling and accessing ZAP

2022-03-25 21:38:09,923 [main ] INFO  ExtensionLoader - Initializing Session State Extension

2022-03-25 21:38:09,923 [main ] INFO  ExtensionLoader - Initializing History Extension

2022-03-25 21:38:09,925 [main ] INFO  ExtensionLoader - Initializing Show hidden fields and enable disabled fields

2022-03-25 21:38:09,926 [main ] INFO  ExtensionLoader - Initializing Search messages for strings and regular expressions

2022-03-25 21:38:09,927 [main ] INFO  ExtensionLoader - Initializing Allows you to intercept and modify requests and responses

2022-03-25 21:38:09,929 [main ] INFO  ExtensionLoader - Initializing Passive scanner

2022-03-25 21:38:09,990 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Script Passive Scan Rules

2022-03-25 21:38:09,990 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Stats Passive Scan Rule

2022-03-25 21:38:09,991 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Vulnerable JS Library

2022-03-25 21:38:09,991 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: WSDL File Detection

2022-03-25 21:38:09,992 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Anti-clickjacking Header

2022-03-25 21:38:09,992 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Application Error Disclosure

2022-03-25 21:38:09,992 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Re-examine Cache-control Directives

2022-03-25 21:38:09,992 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Charset Mismatch

2022-03-25 21:38:09,992 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: CSP

2022-03-25 21:38:09,992 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Content-Type Header Missing

2022-03-25 21:38:09,993 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie No HttpOnly Flag

2022-03-25 21:38:09,993 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Loosely Scoped Cookie

2022-03-25 21:38:09,993 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie without SameSite Attribute

2022-03-25 21:38:09,993 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie Without Secure Flag

2022-03-25 21:38:09,993 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain Misconfiguration

2022-03-25 21:38:09,994 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Cross-Domain JavaScript Source File Inclusion

2022-03-25 21:38:09,994 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Absence of Anti-CSRF Tokens

2022-03-25 21:38:09,994 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Private IP Disclosure

2022-03-25 21:38:09,994 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Session ID in URL Rewrite

2022-03-25 21:38:09,994 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Debug Error Messages

2022-03-25 21:38:09,995 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in URL

2022-03-25 21:38:09,995 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Sensitive Information in HTTP Referrer Header

2022-03-25 21:38:09,995 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Information Disclosure - Suspicious Comments

2022-03-25 21:38:09,995 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Weak Authentication Method

2022-03-25 21:38:09,996 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Insecure JSF ViewState

2022-03-25 21:38:09,996 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Secure Pages Include Mixed Content

2022-03-25 21:38:09,996 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Timestamp Disclosure

2022-03-25 21:38:09,996 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Username Hash Found

2022-03-25 21:38:09,996 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Viewstate

2022-03-25 21:38:09,996 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-AspNet-Version Response Header

2022-03-25 21:38:09,996 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Content-Type-Options Header Missing

2022-03-25 21:38:09,996 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Debug-Token Information Leak

2022-03-25 21:38:09,997 [main ] INFO  ExtensionPassiveScan - loaded passive scan rule: Server Leaks Information via "X-Powered-By" HTTP Response Header Field(s)

2022-03-25 21:38:10,030 [main ] INFO  ExtensionLoader - Initializing Allows you to view and manage alerts

2022-03-25 21:38:10,033 [main ] INFO  ExtensionLoader - Initializing Active scanner, heavily based on the original Paros active scanner, but with additional tests added

2022-03-25 21:38:10,040 [main ] INFO  ExtensionLoader - Initializing Spider used for automatically finding URIs on a site

2022-03-25 21:38:10,046 [main ] INFO  ExtensionLoader - Initializing A set of common popup menus for miscellaneous tasks

2022-03-25 21:38:10,047 [main ] INFO  ExtensionLoader - Initializing Forced browsing of files and directories using code from the OWASP DirBuster tool

2022-03-25 21:38:10,048 [main ] INFO  ExtensionLoader - Initializing Manual Request Editor Extension

2022-03-25 21:38:10,049 [main ] INFO  ExtensionLoader - Initializing Compares 2 sessions and generates an HTML file showing the differences

2022-03-25 21:38:10,049 [main ] INFO  ExtensionLoader - Initializing Invoke external applications passing context related information such as URLs and parameters

2022-03-25 21:38:10,050 [main ] INFO  ExtensionLoader - Initializing Handles anti cross site request forgery (CSRF) tokens

2022-03-25 21:38:10,053 [main ] INFO  ExtensionLoader - Initializing Authentication Extension

2022-03-25 21:38:10,075 [main ] INFO  ExtensionAuthentication - Loaded authentication method types: [Form-based Authentication, HTTP/NTLM Authentication, Manual Authentication, Script-based Authentication, JSON-based Authentication]

2022-03-25 21:38:10,079 [main ] INFO  ExtensionLoader - Initializing Creates a dynamic SSL certificate to allow SSL communications to be intercepted without warnings being generated by the browser

2022-03-25 21:38:10,332 [main ] INFO  ExtensionLoader - Initializing Logs errors to the Output tab in development mode only

2022-03-25 21:38:10,332 [main ] INFO  ExtensionLoader - Initializing Users Extension

2022-03-25 21:38:10,355 [main ] INFO  ExtensionLoader - Initializing Summarise and analyse FORM and URL parameters as well as cookies

2022-03-25 21:38:10,356 [main ] INFO  ExtensionLoader - Initializing Script integration

2022-03-25 21:38:10,382 [main ] INFO  ExtensionLoader - Initializing Scripting console, supports all JSR 223 scripting languages

2022-03-25 21:38:10,961 [main ] INFO  ExtensionLoader - Initializing Forced User Extension

2022-03-25 21:38:10,962 [main ] INFO  ExtensionLoader - Initializing Extension handling HTTP sessions

2022-03-25 21:38:10,971 [main ] INFO  ExtensionLoader - Initializing Zest is a specialized scripting language, originally, from Mozilla specifically designed to be used in security tools

2022-03-25 21:38:11,653 [main ] INFO  ExtensionLoader - Initializing ExtensionDiff

2022-03-25 21:38:11,653 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Post Table View Extension

2022-03-25 21:38:11,654 [main ] INFO  ExtensionLoader - Initializing Adds support for scriptable encoders to ZAP.

2022-03-25 21:38:11,661 [main ] INFO  ExtensionLoader - Initializing Session Management Extension

2022-03-25 21:38:11,766 [main ] INFO  ExtensionSessionManagement - Loaded session management method types: [Cookie-based Session Management, HTTP Authentication Session Management, Script-based Session Management]

2022-03-25 21:38:11,768 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Form Table View Extension

2022-03-25 21:38:11,768 [main ] INFO  ExtensionLoader - Initializing Capture messages from WebSockets with the ability to set breakpoints.

2022-03-25 21:38:11,855 [main ] INFO  ExtensionLoader - Initializing Allows you to import a file containing URLs which ZAP will access, adding them to the Sites tree

2022-03-25 21:38:11,858 [main ] INFO  ExtensionLoader - Initializing Allows you to import a WSDL file containing operations which ZAP will access, adding them to the Sites tree.

2022-03-25 21:38:11,860 [main ] INFO  ExtensionLoader - Initializing Core UI related functionality.

2022-03-25 21:38:11,860 [main ] INFO  ExtensionLoader - Initializing Authorization Extension

2022-03-25 21:38:11,860 [main ] INFO  ExtensionLoader - Initializing AJAX Spider, uses Crawljax

2022-03-25 21:38:11,870 [main ] INFO  ExtensionLoader - Initializing Provides WebDrivers to control several browsers using Selenium and includes HtmlUnit browser.

2022-03-25 21:38:11,921 [main ] INFO  ExtensionLoader - Initializing Manages the local proxy configurations

2022-03-25 21:38:11,926 [main ] INFO  ExtensionLoader - Initializing Handles adding Global Excluded URLs

2022-03-25 21:38:11,926 [main ] INFO  ExtensionLoader - Initializing Adds menu item to refresh the Sites tree

2022-03-25 21:38:11,927 [main ] INFO  ExtensionLoader - Initializing OWASP ZAP User Guide

2022-03-25 21:38:11,941 [main ] INFO  ExtensionLoader - Initializing Allows you to configure which extensions are loaded when ZAP starts

2022-03-25 21:38:11,941 [main ] INFO  ExtensionLoader - Initializing Combined HTTP Panels Extension

2022-03-25 21:38:11,941 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Hex View Extension

2022-03-25 21:38:11,941 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Image View Extension

2022-03-25 21:38:11,941 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Large Request View Extension

2022-03-25 21:38:11,941 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Large Response View Extension

2022-03-25 21:38:11,942 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Query Table View Extension

2022-03-25 21:38:11,942 [main ] INFO  ExtensionLoader - Initializing HTTP Panel Syntax Highlighter View Extension

2022-03-25 21:38:11,942 [main ] INFO  ExtensionLoader - Initializing Adds support for configurable keyboard shortcuts for all of the ZAP menus.

2022-03-25 21:38:11,942 [main ] INFO  ExtensionLoader - Initializing Active and passive rule configuration

2022-03-25 21:38:11,958 [main ] INFO  ExtensionLoader - Initializing Statistics

2022-03-25 21:38:11,968 [main ] INFO  ExtensionStats - Start recording in memory stats

2022-03-25 21:38:11,974 [main ] INFO  ExtensionLoader - Initializing Custom Pages Definition

2022-03-25 21:38:11,975 [main ] INFO  ExtensionLoader - Initializing Easy way to replace strings in requests and responses

2022-03-25 21:38:11,990 [main ] INFO  ExtensionLoader - Initializing Scripts Automation

2022-03-25 21:38:12,006 [main ] INFO  ExtensionLoader - Initializing Provides core networking capabilities.

2022-03-25 21:38:12,036 [main ] INFO  ExtensionLoader - Initializing Provides the foundation for concrete message types (for example, HTTP, WebSockets) expose fuzzer implementations.

2022-03-25 21:38:12,039 [main ] INFO  ExtensionLoader - Initializing Allows to fuzz HTTP messages.

2022-03-25 21:38:12,040 [main ] INFO  ExtensionLoader - Initializing The Retest add-on allows to verify the presence/absence of certain alerts.

2022-03-25 21:38:12,043 [main ] INFO  ExtensionLoader - Initializing ExtensionSaveXMLHttpMessage

2022-03-25 21:38:12,044 [main ] INFO  ExtensionLoader - Initializing The ZAP Getting Started Guide

2022-03-25 21:38:12,048 [main ] INFO  ExtensionLoader - Initializing This extension allows a user to change the default values used by ZAP Spiders.

2022-03-25 21:38:12,057 [main ] INFO  ExtensionLoader - Initializing Heads Up Display

2022-03-25 21:38:12,226 [main ] INFO  ExtensionLoader - Initializing ExtensionHUDlaunch

2022-03-25 21:38:12,227 [main ] INFO  ExtensionLoader - Initializing SOAP Automation Framework Integration

2022-03-25 21:38:12,234 [main ] INFO  ExtensionLoader - Initializing Report Generation

2022-03-25 21:38:12,239 [main ] INFO  ExtensionLoader - Initializing Report Generation Automation Integration

2022-03-25 21:38:12,248 [main ] INFO  ExtensionLoader - Initializing The Online menu links

2022-03-25 21:38:12,248 [main ] INFO  ExtensionLoader - Initializing Tips and Tricks

2022-03-25 21:38:12,249 [main ] INFO  ExtensionLoader - Initializing ExtensionOast

2022-03-25 21:38:12,260 [main ] INFO  ExtensionLoader - Initializing Adds OAST scripts.

2022-03-25 21:38:12,271 [main ] INFO  ExtensionLoader - Initializing Allows you to spider and import OpenAPI (Swagger) definitions 

2022-03-25 21:38:12,311 [main ] INFO  ExtensionLoader - Initializing OpenAPI Automation Framework Integration

2022-03-25 21:38:12,316 [main ] INFO  ExtensionLoader - Initializing Provides the GraalVM JavaScript engine for ZAP scripting.

2022-03-25 21:38:13,476 [main ] INFO  ExtensionLoader - Initializing Context alert rules filter

2022-03-25 21:38:13,484 [main ] INFO  ExtensionLoader - Initializing Alert Filters Automation Framework Integration

2022-03-25 21:38:13,490 [main ] INFO  ExtensionLoader - Initializing Automation Framework

2022-03-25 21:38:13,494 [main ] INFO  ExtensionLoader - Initializing Ajax Spider Automation Framework Integration

2022-03-25 21:38:13,501 [main ] INFO  ExtensionLoader - Initializing ExtensionSaveRawHttpMessage

2022-03-25 21:38:13,502 [main ] INFO  ExtensionLoader - Initializing Handles all of the calls to ZAP services

2022-03-25 21:38:13,503 [main ] INFO  ExtensionLoader - Initializing Adds the Quick Start panel for scanning and exploring applications

2022-03-25 21:38:13,506 [main ] INFO  ExtensionLoader - Initializing Add the option to use the Ajax Spider in the Quick Start scan

2022-03-25 21:38:13,507 [main ] INFO  ExtensionLoader - Initializing Launch browsers proxying through ZAP

2022-03-25 21:38:13,507 [main ] INFO  ExtensionLoader - Initializing Launch browsers proxying through ZAP

2022-03-25 21:38:13,510 [main ] INFO  ExtensionLoader - Initializing DOM XSS Active Scan Rule

2022-03-25 21:38:13,760 [main ] INFO  ExtensionLoader - Initializing Allows you to inspect and attack GraphQL endpoints.

2022-03-25 21:38:13,773 [main ] INFO  ExtensionLoader - Initializing GraphQL Automation Framework Integration

2022-03-25 21:38:13,783 [main ] INFO  ExtensionLoader - Initializing Import and Export functionality supporting multiple formats.

2022-03-25 21:38:13,794 [main ] INFO  ExtensionLoader - Initializing Import/Export Automation Framework Integration

2022-03-25 21:38:13,839 [main ] INFO  ExtensionLoader - Initializing Active Scan Rules

2022-03-25 21:38:13,852 [main ] INFO  ExtensionLoader - Initializing org.zaproxy.addon.commonlib.ExtensionCommonlib

2022-03-25 21:38:13,859 [main ] INFO  ExtensionLoader - Initializing Allows to fuzz WebSocket messages.

2022-03-25 21:38:13,877 [main ] INFO  ExtensionLoader - Initializing Passive Scan Rules

2022-03-25 21:38:15,159 [main ] INFO  CallbackService - Started callback service on 0.0.0.0:42463

2022-03-25 21:38:17,717 [main ] INFO  CommandLine - Downloading add-on from: https://github.com/zaproxy/zap-extensions/releases/download/pscanrulesBeta-v28/pscanrulesBeta-beta-28.zap

2022-03-25 21:38:19,385 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Installing new addon pscanrulesBeta v28.0.0

2022-03-25 21:38:19,458 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Big Redirect Detected (Potential Sensitive Information Leak)

2022-03-25 21:38:19,459 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Content Security Policy (CSP) Header Not Set

2022-03-25 21:38:19,459 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Directory Browsing

2022-03-25 21:38:19,459 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Hash Disclosure

2022-03-25 21:38:19,460 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Heartbleed OpenSSL Vulnerability (Indicative)

2022-03-25 21:38:19,460 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: HTTP to HTTPS Insecure Transition in Form Post

2022-03-25 21:38:19,460 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: HTTPS to HTTP Insecure Transition in Form Post

2022-03-25 21:38:19,460 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Reverse Tabnabbing

2022-03-25 21:38:19,460 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Modern Web Application

2022-03-25 21:38:19,461 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: PII Disclosure

2022-03-25 21:38:19,461 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Retrieved from Cache

2022-03-25 21:38:19,463 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: HTTP Server Response Header

2022-03-25 21:38:19,463 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: HTTP Parameter Override

2022-03-25 21:38:19,463 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Strict-Transport-Security Header

2022-03-25 21:38:19,463 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: User Controllable Charset

2022-03-25 21:38:19,463 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Cookie Poisoning

2022-03-25 21:38:19,464 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: User Controllable HTML Element Attribute (Potential XSS)

2022-03-25 21:38:19,464 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: User Controllable JavaScript Event (XSS)

2022-03-25 21:38:19,464 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: Open Redirect

2022-03-25 21:38:19,464 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: X-Backend-Server Header Information Leak

2022-03-25 21:38:19,464 [ZAP-DownloadInstaller] INFO  ExtensionPassiveScan - loaded passive scan rule: X-ChromeLogger-Data (XCOLD) Header Information Leak

2022-03-25 21:38:19,499 [ZAP-DownloadInstaller] INFO  ExtensionAutoUpdate - Finished installing new addon pscanrulesBeta v28.0.0

2022-03-25 21:38:19,526 [main ] INFO  CommandLine - Add-on downloaded to: /home/zap/.ZAP/plugin/pscanrulesBeta-beta-28.zap

2022-03-25 21:38:19,576 [main ] INFO  CommandLine - Automation plan failures:

2022-03-25 21:38:19,579 [main ] INFO  CommandLine - Job spider failed to access URL http://localhost:8000 : Connection refused (Connection refused)

2022-03-25 21:38:19,580 [main ] INFO  Control - Automation Framework setting exit status to due to plan errors

2022-03-25 21:38:25,075 [main ] INFO  ENGINE - dataFileCache commit start

2022-03-25 21:38:25,076 [main ] INFO  ENGINE - dataFileCache commit end

2022-03-25 21:38:25,092 [main ] INFO  ENGINE - Database closed

2022-03-25 21:38:25,206 [main ] INFO  CommandLineBootstrap - OWASP ZAP 2.11.1 terminated.

Any help would be greatly appreciated!
Thank you!
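The failure in the log above ("Job spider failed to access URL http://localhost:8000 : Connection refused") follows from how container networking works: inside the ZAP container, localhost is that container's own loopback interface, so a plan that targets localhost can only ever reach ZAP itself. With --network=host the container shares the host's network namespace, which is why the same plan suddenly works. On a user-defined network such as zapnet, Docker's embedded DNS resolves container names, so the plan has to address the app by the name it was started with (--name) or by its compose service name. The pre-flight check below is an added example, not ZAP's own code: it scans an Automation Framework plan for loopback targets and suggests (or applies) the service-name rewrite before the pipeline launches ZAP. The plan text, the container name "app" and the ports are constructed for the example.

```python
# Added example (not ZAP's code): a pre-flight check for a ZAP Automation
# Framework plan that will run inside a container on a user-defined Docker
# network. Inside the ZAP container, "localhost" is the container's own
# loopback interface, so a plan that targets http://localhost:8000 can only
# reach ZAP itself. The app container must be addressed by its --name or
# compose service name, which Docker's embedded DNS resolves on such networks.
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Hostnames that never leave the container's own network namespace.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Good enough for the quoted/unquoted URL scalars found in AF plan YAML.
URL_RE = re.compile(r"""https?://[^\s"']+""")


def is_loopback_host(host):
    """True for localhost, 127.0.0.0/8, ::1 and the unspecified address 0.0.0.0."""
    if not host:
        return False
    h = host.lower()
    if h in LOOPBACK_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False  # an ordinary hostname such as "app"
    return ip.is_loopback or ip.is_unspecified


def rewrite_url(url, service_name):
    """Return url unchanged unless its host is loopback; then swap in
    service_name, keeping scheme, port, path, query and fragment."""
    parts = urlsplit(url)
    if not is_loopback_host(parts.hostname):
        return url
    netloc = service_name if parts.port is None else f"{service_name}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def check_plan(plan_text, service_name):
    """List (original, suggested) pairs for every loopback URL in the plan."""
    findings = []
    for url in URL_RE.findall(plan_text):
        fixed = rewrite_url(url, service_name)
        if fixed != url:
            findings.append((url, fixed))
    return findings


def rewrite_plan(plan_text, service_name):
    """Return the plan with every loopback URL rewritten to the service name."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0), service_name), plan_text)


# Constructed sample plan in the Automation Framework layout
# (env.contexts[].urls plus a spider job); "app" is an assumed container name.
SAMPLE_PLAN = """\
env:
  contexts:
    - name: "Default Context"
      urls:
        - "http://localhost:8000"
        - "https://[::1]:8443"
jobs:
  - type: spider
    parameters:
      url: "http://127.0.0.1:8000/login"
  - type: passiveScan-wait
"""

if __name__ == "__main__":
    for original, suggested in check_plan(SAMPLE_PLAN, "app"):
        print(f"{original} -> {suggested}")
    print(rewrite_plan(SAMPLE_PLAN, "app"))
```

In a Jenkins stage this would run against the real Automation_Plan.yaml before the docker run command from the question, with the application container started on the same network under the assumed name used in the plan (for example `--name app --network=zapnet`), so that a plan still pointing at localhost fails the build with a clear message instead of a "Connection refused" buried in zap.log.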

Niklas Rosencrantz
Mar 25, 2022, 6:39:48 PM
to zaprox...@googlegroups.com
Try it in a VM then it could work? After I started an Ubuntu VM with QEMU then the connection reached the test app. I looked in network settings in the Ubuntu VM and used the 10.0... address.


Charles Williams
Mar 25, 2022, 6:51:01 PM
to zaprox...@googlegroups.com
Hi Niklas,

Unfortunately my environment wouldn’t really work with a VM here given certain constraints I have. I essentially need to get this working locally (on macOS) such that the commands can be put into a Jenkinsfile and run in a pipeline with similar results.

I suppose that may make this more of a Jenkins question than a ZAP one, but since I’m following the docs in ZAP I figured it wouldn’t hurt to ask and see if anyone else has encountered this kind of situation.

Niklas Rosencrantz
Mar 27, 2022, 6:20:41 AM
to zaprox...@googlegroups.com
I got a connection refused with Docker. It worked with a VM.
I used macOS. I attach the video of what it looked like once it got a connection inside a VM.
I think I can be done with Docker if the system permits it. In my case I didn't need to prove more, but maybe it helps someone that it can create evidence of breaking into a vulnerable app. Cheers
xploitScreen Recording 2022-03-20 at 20.09.43(1).mov